- Capriglione bill creates IT modernization fund to upgrade State’s software, hardware and Cloud IT to save tax dollars, enhance security -
AUSTIN – With outdated IT hardware and software among the cybersecurity and budgetary threats to state agency information technology (IT) and staffing, Representative Giovanni Capriglione (Southlake) today introduced legislation to modernize state IT. In 2017, Rep. Capriglione authored H.B. 8, the Texas Cybersecurity Act, with Senator Jane Nelson.
HB 1096 is modelled after the Modernizing Government Technology Act by Texas Congressman Will Hurd (San Antonio), a former CIA analyst and chair of the U.S. House IT Oversight Subcommittee. Hurd’s measure was signed into law in December 2017 as part of the National Defense Authorization Act. It establishes an IT modernization fund at federal agencies to upgrade their technology systems.
“Cyber-criminals love outdated IT hardware, software and systems, and unfortunately our state government has plenty of costly old IT,” said Rep. Capriglione. “Old IT costs more to maintain, makes it harder to attract the next generation of state government IT professionals, and is an obstacle to improving web-based customer service for Texas residents and businesses.
“Modernizing state government IT is one of the simplest, most cost-effective ways for Texas to address cybersecurity threats. H.B. 1096 aims to incentivize cost savings in state IT, such as greater use of secure commercial cloud services, and would allow IT savings and related legislative appropriations to be used to modernize state government hardware and software.”
A Legislative Committee recently reported that, “Legacy systems operate with old, obsolete, unsecured, or inefficient hardware or software and are more difficult and costly to maintain, less resilient, and carry a higher degree of security risk.” According to the Texas Department of Information Resources (DIR), a system is generally considered legacy when it contains components that are no longer being actively developed and may not yet be fully retired.
DIR’s Biennial Performance Report (BPR), published in November 2018, recommends the establishment of a Legacy Modernization Fund in the state treasury, stating that, “Establishing a fund dedicated solely to legacy modernization distinguishes this strategic goal from other IT projects, allowing greater transparency and accountability, and encourages sustained investment in modernization by restricting the use of the fund for this one purpose.”
HB 1096 would create new funding and incentives for better cybersecurity through IT modernization by creating a dedicated State Technology Modernization account in the general revenue fund to close cybersecurity gaps and upgrade state government IT. The account may be used for:
• Replacing agency IT systems
• Transitioning agency legacy information technology systems to cost-effective and secure Cloud computing services
• Assisting agency efforts to provide adequate, risk-based, and cost-effective IT responses to security threats.
The Technology Modernization account can be funded by legislative appropriations, federal funds and agency unexpended-balance (UB) authority for cost savings or unspent funds set aside for IT services or cybersecurity.
During the 2017-2018 interim, the House Select Committee on Cybersecurity and the Senate Select Committee on Cybersecurity met and heard testimony. TDCJ told the Committee about a 40-year-old legacy system, running an old software program that younger state workers want nothing to do with, leaving the IT department with a perpetual staffing shortage.
The Senate Select Committee on Cybersecurity interim report found, “Legacy systems operate with old, obsolete, unsecured, or inefficient hardware or software and are more difficult and costly to maintain, less resilient, and carry a higher degree of security risk. Ultimately, the Legislature decides which, if any, projects to fund… [h]owever, there is no dedicated funding mechanism or line item to track expenditures.”
State data breaches are costly and undermine public trust. In FY 2013, the Health and Human Services Commission reported $2.3 million in staffing costs to respond to and recover from 1,948 security incidents. In FY 2016, the Department of State Health Services reported an estimated cost of $1.9 million from security incidents.