Confused about new Texas Law, Title 10, Section 2059.060? Read the law itself.
February 24, 2011
By Al Potter

The state of Texas recently had a law go into effect (on Dec. 1, 2010) that impacts the security product testing industry, including ICSA Labs.  The law has attracted a significant amount of attention, some of which is inaccurate. 

The law—and the administrative code that provides rules on implementation—includes a section that clearly and succinctly defines terms.  I encourage you to read the law yourselves, quotations and links provided below. 

The law in question, Sec. 2059.060 of the Texas Government Code Title 10, directs the Texas Department of Information Resources as follows: 

“VULNERABILITY TESTING OF NETWORK HARDWARE AND SOFTWARE. (a) The department shall adopt rules requiring, in state agency contracts for network hardware and software, a statement by the vendor certifying that the network hardware or software, as applicable, has undergone independent certification testing for known and relevant vulnerabilities.

(b)  Rules adopted under Subsection (a) may:

(1)  provide for vendor exemptions; and

(2)  establish certification standards for testing network hardware and software for known and relevant vulnerabilities.

(c)  Unless otherwise provided by rule, the required certification testing must be conducted under maximum load conditions in accordance with published performance claims of a hardware or software manufacturer, as applicable.” 

THAT'S IT.  You can read it in full here.   

The Texas Department of Information Resources has adopted rules as required by the law in the form of Texas Administrative Code 212.17 (TAC 217.12).

TAC 217.12 requires new contracts written after Dec. 1, 2010, “to contain the following certification to be completed by vendors, including manufacturers and resellers: Vendor hereby certifies that the network hardware or software, as applicable, procured or leased under this contract, has undergone independent certification testing for known and relevant vulnerabilities in accordance with §2059.060, Texas Government Code.” 

There is a further requirement that “The required independent certification testing of network hardware or software for vulnerabilities must be conducted against established standards under maximum load conditions in accordance with published performance claims of a hardware or software manufacturer, as applicable." 

AGAIN, THAT'S IT. 

The law and rules are short and clear.  There is certainly no requirement in the law or the rules for the products to be tested by a particular vendor or laboratory, to a specific standard (like UL 2825), with a specific piece of equipment or with a specific methodology. 

For the record, ICSA Labs is accredited:

  • Through ANSI to ISO 17025:2005 for Information Security Technology
  • Through Intertek to ISO 9001:2008
  • Through the National Voluntary Laboratory Accreditation Program (NVLAP) to ISO 17025 (General requirements for the competence of testing and calibration laboratories) for US government related testing (FIPS 140-2, etc.)  

And ICSA Labs has a testing laboratory and certification program that can meet the Texas requirements.