Texas Proposes Sharing Information Security Expertise Across Higher Ed and State Agencies

• By Kristal Kuykendall
• 12/01/22

The Texas Department of Information Resources, in its newly released Biennial Performance Report, has asked the state legislature to make it easier for higher education institutions and other state agencies to have dedicated information security officers by allowing them to share ISOs regionally.

The report also requested legislative action to expand DIR's pilot program with Angelo State University in West Texas that established a Regional Security Operations Center to provide university students with hands-on cybersecurity experience and give boots-on-the-ground support to local taxpayer-funded agencies that need assistance with major cybersecurity incidents.

The BPR tracks state-funded agencies' technology progress in fiscal years 2021 and 2022; highlights their technology accomplishments; lists areas of concern; and recommends policy and legislative changes to improve the effectiveness of IT operations at state agencies. Texas counts nearly 200 state agencies, and over half of those are public institutions of higher education.

Challenges Filling the ISO Role

DIR Executive Director and Texas Chief Information Officer Amanda Crawford wrote in the BPR, released Nov. 16, that 76% of state agencies say their designated information security officer — Texas law requires every agency to designate one — also has other daily responsibilities. Surveys of state agencies indicate that less than half have an information security officer whose duties are primarily or solely related to data security, the report said.

"Information security officers play a vital role in protecting state government assets and information," the BPR said. "A nationwide shortage of skilled cybersecurity professionals hinders the public sector's ability to recruit and retain people with the specialized skills and certifications needed for the ISO role."

Texas law currently "does not permit state agencies or IHEs to designate a joint ISO as a shared resource," the report said. "Permitting state agencies and IHEs to designate a joint ISO that is employed by one organization and simultaneously serves as the ISO for two or more designating entities will provide cost-effective resource sharing that benefits smaller agencies and IHEs."

Expanded Regional SOC Pilot to Bolster Cyber Defenses

The BPR separately called on the Texas legislature to approve funding for the expansion of DIR's pilot program. The program started in April 2022 after the passage of Senate Bill 475, which authorized DIR to establish a Regional Security Operations Center in partnership with a Texas public university. "The RSOC may offer network security infrastructure that local governments can utilize and provide real-time network security monitoring; network security alerts; incident response; and cybersecurity educational services. Eligible customers of the RSOC include counties, local governments, school districts, water districts, and hospital districts," according to the BPR summary.

"DIR's vision for the RSOC initiative is to partner with additional public universities and establish RSOCs throughout the state to serve local entities and assist in protecting the state from cyber threats," Crawford said in the report. "This vision aligns with a whole-of-state approach to cybersecurity that increases the threat protection and cyber maturity of all of Texas through collaboration and partnerships. DIR is requesting funding from the 88th Legislature to establish two additional RSOCs including one in the Rio Grande Valley and one in central Texas."

Calls for More Digital Signatures and Blockchain Guidance

Another DIR recommendation that would impact higher education institutions, if lawmakers act, is for new legislation to enable broader access to digital government services, streamlined processes, and digitization by expanding the use of digital signatures.

"Currently, a digital signature can be used to authenticate a written electronic communication sent by an individual to a state agency or local government if the signature complies with DIR's rules as well as rules adopted by the state agency or local government," the BPR explained. "Allowing more digital signatures in lieu of handwritten signatures, without additional rulemaking, could lead to improved administrative efficiency and reduced costs."

A final recommendation for lawmakers spelled out in the BPR is to "provide guidance for distributed ledger and blockchain technology best practices."

Nationally, a handful of colleges and universities have piloted using blockchain technology to store and share digital credentials such as academic records; although widespread adoption of blockchain for academic records isn't seen as likely in the next year or two, the DIR noted that 10% of state agencies have said they're considering adopting distributed ledger-based systems.

View or download the full 2022 BPR at https://dir.texas.gov/strategic-planning-and-reporting/biennial-performance-report.