According to the Legislative Budget Board (LBB), the fiscal implications of HB 150 are substantial. Over the 2026–27 biennium, the bill is projected to have a negative net impact of approximately $135.5 million on General Revenue. This cost reflects the creation and ramp-up of the Texas Cyber Command (TCC), which would assume statewide cybersecurity responsibilities currently housed within the Department of Information Resources (DIR). While the bill does not appropriate funds directly, it would create a legal framework requiring future appropriations.

One of the most significant expenditures is the construction and outfitting of a new headquarters facility in San Antonio, including a Sensitive Compartmented Information Facility (SCIF), a Cyber Threat Intelligence Center, and a Digital Forensics Laboratory. These capital investments are estimated to cost $60.4 million, split between $25 million in FY 2026 and $35.4 million in FY 2027, which The University of Texas System intends to fund through allocations from the Permanent University Fund.

In terms of operational expenses, the bill envisions hiring 65 full-time equivalents (FTEs) in FY 2026, increasing to 130 FTEs by FY 2027, with staffing costs totaling $8.5 million in FY 2026 and $17 million in FY 2027. Additional startup and equipment-related costs—such as service contracts, subscriptions, training, and systems implementation—are projected at $12.7 million in FY 2026 and $4 million in FY 2027. Other recurring costs include travel and an anticipated $36–$43 million annually in contracted cybersecurity services, reflecting a broader and more advanced mission scope than what DIR currently manages.

While the Command is permitted to recover some costs through fees for technical assistance and services to covered entities, the fiscal note notes that revenue estimates are not known and thus not factored into this analysis. Lastly, no significant fiscal impact is expected for local governments, as their involvement with the Command would be voluntary or based on contractual arrangements. Overall, while the bill represents a major investment in Texas’s cybersecurity infrastructure, its fiscal footprint is significant and long-term.

HB 150 proposes the creation of the Texas Cyber Command (TCC), a new institution within The University of Texas System, tasked with assuming and expanding the cybersecurity responsibilities currently held by the Department of Information Resources (DIR). The command would be charged with protecting state and local government agencies, critical infrastructure, and certain private entities from cyber threats. It would also house and operate key cybersecurity programs such as a Cyber Threat Intelligence Center, an Incident Response Unit, and a Digital Forensics Laboratory. The goal is to create a centralized authority capable of proactively identifying, responding to, and mitigating cyber threats targeting Texas institutions.

While the bill reflects a serious and proactive response to the increasingly complex cybersecurity landscape, its broad expansion of governmental authority raises significant concerns when evaluated through the lens of core liberty principles. The TCC would have sweeping operational powers, including the ability to engage directly with private entities, collect and analyze sensitive cybersecurity data, and offer services that may overlap with those of the private sector. Without clearly defined limits, the risk of governmental overreach into private markets and digital domains becomes more than theoretical. These concerns suggest the need for statutory guardrails to prevent mission creep, ensure informed consent in engagements with private entities, and avoid undermining free-market competition.

Moreover, the bill creates a new government institution with independent facilities, staff, contracting authority, and a large operational budget. According to the Legislative Budget Board’s fiscal note, the bill is projected to cost over $135 million in General Revenue over the next biennium, along with an estimated $60.4 million in capital investments, primarily for facilities and equipment. Although the cybersecurity mission is critical, such an expansion in scope and cost contradicts the principle of limited government, particularly when many of these functions could be consolidated under or coordinated through existing agencies with proper reform.

The bill also presents challenges regarding individual liberty and privacy. While its intent is to defend against cyberattacks and protect sensitive data, it lacks statutory protections governing how data collected or shared through the TCC will be handled, stored, and disclosed. The absence of privacy impact assessments, public transparency measures, or restrictions on data sharing with third parties—including federal agencies—creates potential for misuse or unintended surveillance.

Although the bill contains some accountability mechanisms, such as a Sunset review provision and periodic reporting requirements, these are not sufficient to address the broader implications for liberty. Amendments could meaningfully improve the bill by narrowing its scope, enhancing legislative oversight, protecting market competition, and embedding privacy safeguards.

Suggested Amendments:

• Fiscal Oversight and Cost Transparency:
  • Add a requirement for the Texas Cyber Command to submit an annual public report to the Legislative Budget Board (LBB) detailing all expenditures, including staffing costs, contracts, and capital projects, broken down by function (e.g., Threat Intelligence Center, Digital Forensics Lab).
  • Mandate a performance-based budgeting framework where continued funding is tied to measurable outcomes, such as incident response times, training completion rates, or system hardening metrics.
•  Sunset and Legislative Oversight:
  • Move the Sunset review date from September 1, 2031 to September 1, 2029, to ensure the command is evaluated earlier in its growth cycle.
  • Create a standing legislative oversight committee on cybersecurity to monitor the TCC’s implementation and make policy recommendations every biennium.
• Private Sector Competition Protections:
  • Add a provision requiring that all procurement for cybersecurity services follow a competitive bidding process unless exempted in a declared emergency. Ensure that the TCC cannot offer services to private or local entities in a manner that would crowd out private-sector cybersecurity providers.
  • Include language requiring a study of the impact of TCC operations on the cybersecurity services marketplace in Texas, with findings reported to the legislature within two years of launch.
• Civil Liberties and Data Privacy:
  • Explicitly require the TCC to develop and publish a data privacy and civil liberties policy, including limits on the collection, storage, and use of personally identifiable information and cybersecurity incident data.
  • Mandate that any sharing of data with federal agencies or third parties be subject to a privacy impact assessment and a notification process to the affected entities.
• Clarifying Scope and Role:
  • Clarify that the TCC’s authority over private “covered entities” is strictly voluntary and contractual and that participation does not create a regulatory obligation unless expressly stated.
  • Add language restricting the TCC from taking over any cybersecurity functions from local governments or other state agencies unless a formal agreement (MOU) is in place or unless explicitly directed by statute.
• Governance and Personnel Requirements:
  • Require that the chief of the Cyber Command be subject to Senate confirmation every 4 years, with a public report on qualifications, performance, and leadership outcomes.
  • Mandate that at least one public member with cybersecurity experience be added to any advisory boards or councils created under the command.
• Facility and Capital Expense Review:
  • Require all capital facility projects exceeding $10 million (e.g., SCIF, labs) be reviewed and approved by the Texas Higher Education Coordinating Board for alignment with statewide higher education infrastructure priorities.

In conclusion, while the threat landscape justifies state-level cybersecurity reform, the structure and breadth of HB 150, as written, raise too many unresolved issues that conflict with liberty-oriented policy principles. It should not proceed without substantial amendment. As such, Texas Policy Research recommends that lawmakers vote NO on HB 150 unless amended as described above to better align with fiscal responsibility, individual privacy, free enterprise, and the limited role of government.

The creation of a Texas Cyber Command is an emergency legislative priority of Texas Gov. Greg Abbott.

• Individual Liberty: The bill enhances individual liberty in the cybersecurity context by seeking to protect sensitive personal data and digital infrastructure from cyberattacks, including those by foreign adversaries. These protections are important for preserving digital autonomy and the confidentiality of private communications and records. However, the bill currently lacks explicit privacy safeguards around how cybersecurity data is collected, stored, and shared—particularly when involving third-party vendors, local governments, or federal agencies. Without clear guardrails, there's a risk that well-intentioned threat-monitoring functions could drift into surveillance. Strengthening statutory data handling and privacy policies would align the bill more closely with liberty protections.
• Personal Responsibility: The bill does not strongly encourage or discourage personal responsibility. It does require cybersecurity training for state employees and contractors with access to sensitive systems, which fosters an element of individual accountability in state digital operations. However, this training is mandated and managed from the top down, so it doesn’t expand voluntary responsibility as much as it imposes compliance obligations. If amended to include education initiatives for local governments and small agencies with opt-in support programs, it could better empower individual and organizational responsibility.
• Free Enterprise: This is where the bill raises the most concern from a liberty perspective. By allowing the Texas Cyber Command to offer direct services to local governments and private “covered entities,” the bill opens the door for government competition with private cybersecurity providers. Without specific language ensuring competitive neutrality, the command’s state-subsidized services could undercut the market. To protect free enterprise, the bill should be amended to require competitive bidding, prevent monopolistic practices, and limit non-governmental service offerings to clearly defined emergency or contractual situations.
• Private Property Rights: The bill gives the Texas Cyber Command substantial authority to engage with “covered entities,” which include private critical infrastructure operators. While the bill’s intent is to assist these entities during cyber incidents, the language is vague enough to raise questions about whether the state could intervene in private systems without explicit consent. Ensuring that engagement with private entities is strictly voluntary, opt-in, and contractual—with well-defined scopes—would better safeguard private property rights and avoid state overreach into digital infrastructure.
• Limited Government: The bill creates a new and expansive state agency—with its own leadership, facilities, workforce, contracting authority, and budget footprint—under the UT System. While the goals are valid, this clearly expands the scope and size of state government. The bill mitigates this somewhat by including Sunset provisions (set to 2031) and requiring periodic reporting. However, it would better reflect limited government values if it included more rigorous legislative oversight, a narrower scope of authority, a phased implementation plan tied to clear performance benchmarks, and private-sector partnership rules that prevent government overreach into competitive markets.

• SB 2176 (Same As)