(a) A policy adopted under § 620.003 may provide for the installation and use of a covered application to the extent necessary for:
(1) providing law enforcement; or
(2) developing or implementing information security measures.
(b) A policy allowing the installation and use of a covered application under Subsection (a) must require:
(1) the use of measures to mitigate risks posed to this state during the use of the covered application; and
(2) the documentation of those measures.