What is Executive Order No. GA-48?
On November 19, 2024, Governor Greg Abbott issued Executive Order GA-48 – Hardening of State Government. The order requires state agencies and Texas institutions of higher education to harden state systems and protect critical infrastructure and information from being accessed by foreign adversaries. GA-48 specifically references countries, governments, and non-government persons pursuant to 15 CFR 791.4, Determination of foreign adversaries, and mandates restrictions on System and System member institutional and personnel activities related to such countries, governments, and non-government persons. System Regulation 15.05.04 was amended to include those countries, governments, and non-government persons for purposes of GA-48, collectively referred to as “Country of Concern” or “Countries of Concern.”
An executive order is a directive from a state’s governor (or the President of the United States) that manages the operations of the state’s government. Executive orders have the force of law and must be followed by the state’s agencies and their employees (including Texas public institutions of higher education and their faculty and staff employees).
The U.S. Secretary of Commerce determines “foreign adversaries” pursuant to 15 CFR 791.4 as “…foreign governments or foreign non-government persons..” that “…have engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons…” The Secretary’s determination is based upon multiple sources, and the Secretary periodically reviews and/or amends this list.
Critical infrastructure means a communication infrastructure system, cybersecurity system, electric grid system, hazardous waste treatment system, or water treatment facility as per Texas Business & Commerce Code, section 117.001(2) (formerly 113.001). Cybersecurity is referenced to mean the measures taken to protect a computer, computer network, computer system, or other technology infrastructure against unauthorized use or access.
Communication infrastructure could include groupware, email, project management software, fax, phone, teleconferencing systems, and document management systems.
In general terms an IT infrastructure could include:
Hardware – servers, computers, network devices, storage systems, and peripheral devices
Software – operating systems applications, databases, virtualization, and other software programs that enable various functionalities within the infrastructure.
Networks – Networking components such as routers, switches, firewalls, and cables connect devices and facilitate data transmission across the infrastructure.
Data Centers – Centralized facilities that house servers, storage systems, and networking equipment. The data center provides a controlled environments with power, cooling, and security features to ensure optimal performance and data protection.
Cloud Systems – Cloud computing services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), offer scalable and flexible solutions for infrastructure requirements.
Security Systems – Infrastructure security measures like firewalls, antivirus software, intrusion detection systems, and encryption technologies protect against unauthorized access, data breaches, and cyber threats.
IT Service Management (ITSM) – ITSM frameworks and tools enable efficient management of IT services, including incident management, change management, problem management, and service desk support.
Cybersecurity System – Cybersecurity refers to any technologies, practices and policies for preventing cyberattacks or mitigating their impact. Cybersecurity aims to protect computer systems, applications, devices, data, financial assets and people against ransomware and other malware, phishing scams, data theft and other cyberthreats.
No. Professional travel to “Countries of Concern” is prohibited. GA-48 does not apply to business travel to Venezuela unless it is to do business with the Maduro Regime. Accepting gifts from “Countries of Concern” is also prohibited.
System employees must provide the required notice through Workday using the following Workday process:
Step 1: Login to Workday.
Step 2: In the search window type “Create Request” and press “Enter”
Step 3: In the search results, under Tasks and Reports, select “Create Request”
Step 4: When the dialog box appears, select the search window and then select “All” as the “Request Type” from the drop-down menu.
Step 5: Select “Certification of Travel to a Foreign-Adversary” and then select OK.
Step 6: Answer the following questions in the form:
-When do you intend to leave for travel?
-When do you plan to return from travel?
-Where do you intend to travel?
-Enter any other comments
The manager will receive a task and acknowledges receipt by submitting the task.
A task is triggered for the employee to complete a post-travel brief, and it remains in their Workday inbox until they return to work.
It should be noted that this task is a separate stand-alone process so the employee will need to request the appropriate absence (i.e. vacation) through Workday.
System employees must provide the required post-travel information through Workday using the following Workday process:
Upon submission of the required pre-travel report in Workday, a task is triggered for the employee to complete a post-travel brief, and it remains in their Workday inbox until they return to work.
Upon the employee’s return to work, the employee completes a similar post-travel questionnaire and selects submit.
The manager receives notification of the post-travel brief and closes the request.
The information is being collected solely for the purpose of complying with Executive Order GA-48. The System Member will retain the information in accordance with state records retention laws.
Yes. Each System member will be required to submit a certification confirming its full implementation of this plan this summer. This certification must be submitted to the System Ethics and Compliance Office on or before July 1, 2025, to facilitate the System’s certification to the Governor’s Office on or before August 1, 2025.
Yes. You are considered a full-time employee even without a summer appointment.
No. GA-48 prohibits employees from accepting gifts from “Countries of Concern” for professional purposes.
Yes. Allowing a “Country of Concern” to pay for publishing costs is considered a gift for professional purposes.
There are no waivers or exemptions.
Yes, however steps must be taken to ensure that no professional business is conducted while in the Country of Concern.
No. Working while abroad is considered professional activities, and in a “Country of Concern” is prohibited. The Workday personal travel notification includes a certification: “I will not participate in any university/agency related activity, access university/agency software, platforms, or networks, nor travel with any university/agency related data, equipment, or property.”
No. GA-48 and System Regulation 15.05.04 prohibit participation in programs such as the PRC Thousand Talents Program.