2022 Biennial Performance Report

Advancing the Next Generation of Technology in Texas

Recommendations

Goal 1: Secure IT Service Delivery

1. Require local governments and school districts to report cybersecurity incidents to DIR within a minimum reporting timeframe.
Sharing information is essential for protecting public sector assets, personal or sensitive information, and critical infrastructure. State agencies and institutions of higher education are required to report certain types of security incidents to DIR within a minimum timeframe, preferably within 24 hours.

Currently, state agencies and institutions of higher education report suspected cybersecurity incidents, including breaches and ransomware attacks, to DIR. School districts report cybersecurity incidents to the Texas Education Agency and county election officials are required to notify the Secretary of State. Also, Texas law does not set a standard timeframe for local governments to report cyberattacks.

This inconsistent reporting of cybersecurity incidents may hinder Texas in tracking trends and understanding the scope and complexity of cyberattacks, as well as how separate attacks may be related to one another. By requiring municipalities, school districts, and counties to report cybersecurity incidents to DIR, the state will have a more complete picture of potential threats and may be able to prevent future attacks, avoiding costly response and recovery efforts.
2. Require government entities to use the standardized “.gov” domain suffix when establishing a new domain name to reduce website spoofing.
Cybercriminals are known to impersonate legitimate government websites, commonly called spoofing, to disseminate false information; harvest credentials; collect personal information; and spread malware. These activities can lead to system or account compromise and potential financial loss. There have been many examples of this in Texas and nationally. To stop these malicious actors from setting up websites impersonating government entities, the federal government and security industry experts recommend that government entities use the top-level domain “.gov” to enhance public trust while digitally interacting with their government.
Acquiring a .gov web domain requires that the domain applicant submit evidence to an official government entity confirming they are buying the domain name on behalf of a legitimate local, county, or state government entity.
The .gov domain is only available to US government entities, including state agencies, cities, counties, towns, and independent school districts, so visitors to these sites can trust that the site belongs to the entity it claims to represent.
Requiring Texas government entities to use the .gov domain for their official websites could decrease the likelihood of Texans falling victim to online attempts to defraud or harm while attempting to digitally interact with their government.
3. Allow state agencies and institutions of higher education (IHEs) to designate a joint information security officer.
Information security officers (ISOs) play a vital role in protecting state government assets and information. A nationwide shortage of skilled cybersecurity professionals hinders the public sector’s ability to recruit and retain people with the specialized skills and certifications needed for the ISO role. This is particularly challenging for smaller government entities with few full-time equivalent (FTE) positions and limited resources.
Section 2054.136 of the Government Code requires each state agency and IHE to designate an ISO who reports to the agency's executive-level management; has authority over information security for the entire agency; possesses the training and experience required to perform the duties required by department rules; and to the extent feasible, has information security duties as the officer’s primary duties. Section 2054.136 does not permit agencies or IHEs to designate a joint ISO as a shared resource.
Permitting state agencies and IHEs to designate a joint ISO who is employed by one organization and simultaneously serves as the ISO for two or more designating entities will provide cost-effective resource sharing that benefits smaller agencies and IHEs. This is also consistent with the provision for joint information resources managers (IRMs) under Section 2054.071(b).

Goal 2: Advanced Data Management

1. Establish a statewide Chief Privacy Officer to provide a central point of contact on data privacy matters.
To provide government information and services, the State of Texas collects, uses, and manages vast amounts of personal, financial, and health information from residents. Like every other state in the nation, Texas has a top cybersecurity official focused on identifying, preventing, detecting, and responding to information security and cyber threats. Now more than twenty states also have a statewide role to ensure the privacy of residents’ personal information is protected as well.
Establishing a state chief privacy officer role will provide a central point of contact for state agencies on legal and policy matters involving data privacy. The duties may include a biennial privacy review and resources for implementing best practices throughout Texas government.
Establishing a state privacy officer would help government employees improve practices for the collection, use, and storage of personal, sensitive, or regulated data. The role would also educate Texas consumers about the use of their personal information on mobile and digital networks and steps they can take to help protect this information.

Goal 3: Strategic Digital Transformation

1. Enable private-sector peer-to-peer (P2P) payment solutions commonly used by the public to provide additional payment methods for government services.
In 2020, the use of P2P payments escalated as consumers turned to digital solutions for making payments and receiving money. P2P payments are non-credit card systems for transferring cash from one party to another. Funds are debited from the user's bank account and credited to the recipient's account. Examples are Google Wallet, PayPal, Snapcash, and Venmo.
Currently, Texas government agencies can use Texas.gov’s payment services solution to allow their constituents to pay for government services via credit card, debit card, and eCheck (ACH) transactions online, at the point-of-sale, through a mobile device, interactive voice response (IVR), and on a recurring basis. The Texas.gov solution provides extensive financial reporting and integrates state government payments with the Texas Comptroller of Public Accounts’ (CPA) accounting system. At this time, P2P payments are not accepted by Texas.gov.
Expanding the sources of payments accepted by Texas.gov and other portals beyond credit cards or debit cards will enable Texans to make payments and complete government transactions in the user-friendly manner they are accustomed to in the private sector.
2. Enable broader access to digital government services, streamlined processes, and digitization by expanding the use of digital signatures.
Currently, a digital signature can be used to authenticate a written electronic communication sent by an individual to a state agency or local government if the signature complies with DIR’s rules as well as rules adopted by the state agency or local government.
Government Code Section 2054.060 details how a digital signature may be used for written electronic communications to state agencies and local government. DIR further defines requirements for the use of digital signatures by state agencies and institutions of higher education in 1 Texas Administrative Code Chapter 203 as authorized by DIR’s general rulemaking authority found at Government Code Section 2054.052(a).
Allowing more digital signatures in lieu of handwritten signatures, without additional rulemaking, could lead to improved administrative efficiency and reduced costs.

Goal 4: Proactive Approach to Emerging Technologies

1. Provide guidance for distributed ledger and blockchain technology best practices.
The term distributed ledger technology is an umbrella term used to refer to a variety of software implementations that keep a verifiable ledger of transactions. A blockchain protocol is a subset of distributed ledgers that uses a specific data structure. Using this specialized data structure, a blockchain protocol tracks transactions in a way that can be simultaneously used and shared within a large decentralized, publicly accessible network.
It is important for public-sector organizations to receive guidance on best practices and gain an understanding of the technology before considering its use and implementation.
The work group established under House Bill 1576 shall issue policy recommendations in connection with blockchain technology. Following best practices that align with the work group’s guidance for distributed ledger technology infrastructure will help public-sector organizations better understand how and when to leverage the technology. Best practices could include, but are not limited to, defining blockchain benefits, use cases, contractual language, development of a blockchain innovation/center of excellence, and education or curriculum development.