Texas Government Code 2054.077 – Vulnerability Reports
(a) In this section, a term defined by § 33.01, Penal Code, has the meaning assigned by that section.
(b) The information security officer of a state agency shall prepare or have prepared a report, including an executive summary of the findings of the biennial report, not later than June 1 of each even-numbered year, assessing the extent to which a computer, a computer program, a computer network, a computer system, a printer, an interface to a computer system, including mobile and peripheral devices, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency’s or contractor’s electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.
(c) Except as provided by this section, a vulnerability report and any information or communication prepared or maintained for use in the preparation of a vulnerability report is confidential and is not subject to disclosure under Chapter 552.
(d) The information security officer shall provide an electronic copy of the vulnerability report on its completion to:
(1) the department;
(2) the state auditor;
(3) the agency’s executive director;
(4) the agency’s designated information resources manager; and
(5) any other information technology security oversight group specifically authorized by the legislature to receive the report.
(e) Separate from the executive summary described by Subsection (b), a state agency shall prepare a summary of the agency’s vulnerability report that does not contain any information the release of which might compromise the security of the state agency’s or state agency contractor’s computers, computer programs, computer networks, computer systems, printers, interfaces to computer systems, including mobile and peripheral devices, computer software, data processing, or electronically stored information. The summary is available to the public on request.