Texas 2019 - 86th Regular

Texas House Bill HB3834 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	H.B. No. 3834
	1	+	By: Capriglione (Senate Sponsor - Paxton) H.B. No. 3834
	2	+	(In the Senate - Received from the House April 26, 2019;
	3	+	April 29, 2019, read first time and referred to Committee on
	4	+	Business & Commerce; May 20, 2019, reported favorably by the
	5	+	following vote: Yeas 9, Nays 0; May 20, 2019, sent to printer.)
	6	+	Click here to see the committee vote
2	7
3	8
	9	+	A BILL TO BE ENTITLED
4	10		AN ACT
5	11		relating to the requirement that certain state and local government
6	12		employees and state contractors complete a cybersecurity training
7	13		program certified by the Department of Information Resources.
8	14		BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
9	15		SECTION 1. The heading to Subchapter N-1, Chapter 2054,
10	16		Government Code, is amended to read as follows:
11	17		SUBCHAPTER N-1. [STATE] CYBERSECURITY
12	18		SECTION 2. Section 2054.518(a), Government Code, is amended
13	19		to read as follows:
14	20		(a) The department shall develop a plan to address
15	21		cybersecurity risks and incidents in this state. The department
16	22		may enter into an agreement with a national organization, including
17	23		the National Cybersecurity Preparedness Consortium, to support the
18	24		department's efforts in implementing the components of the plan for
19	25		which the department lacks resources to address internally. The
20	26		agreement may include provisions for:
21	27		(1) [providing fee reimbursement for appropriate
22	28		industry-recognized certification examinations for and training to
23	29		state agencies preparing for and responding to cybersecurity risks
24	30		and incidents;
25	31		[(2) developing and maintaining a cybersecurity risks
26	32		and incidents curriculum using existing programs and models for
27	33		training state agencies;
28	34		[(3) delivering to state agency personnel with access
29	35		to state agency networks routine training related to appropriately
30	36		protecting and maintaining information technology systems and
31	37		devices, implementing cybersecurity best practices, and mitigating
32	38		cybersecurity risks and vulnerabilities;
33	39		[(4)] providing technical assistance services to
34	40		support preparedness for and response to cybersecurity risks and
35	41		incidents;
36	42		(2) [(5)] conducting cybersecurity [training and]
37	43		simulation exercises for state agencies to encourage coordination
38	44		in defending against and responding to cybersecurity risks and
39	45		incidents;
40	46		(3) [(6)] assisting state agencies in developing
41	47		cybersecurity information-sharing programs to disseminate
42	48		information related to cybersecurity risks and incidents; and
43	49		(4) [(7)] incorporating cybersecurity risk and
44	50		incident prevention and response methods into existing state
45	51		emergency plans, including continuity of operation plans and
46	52		incident response plans.
47	53		SECTION 3. Subchapter N-1, Chapter 2054, Government Code,
48	54		is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to
49	55		read as follows:
50	56		Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING
51	57		PROGRAMS. (a) The department, in consultation with the
52	58		cybersecurity council established under Section 2054.512 and
53	59		industry stakeholders, shall annually:
54	60		(1) certify at least five cybersecurity training
55	61		programs for state and local government employees; and
56	62		(2) update standards for maintenance of certification
57	63		by the cybersecurity training programs under this section.
58	64		(b) To be certified under Subsection (a), a cybersecurity
59		-	training program must:
	65	+	training program must include activities, case studies,
	66	+	hypothetical situations, and other methods that:
60	67		(1) focus on forming information security habits and
61	68		procedures that protect information resources; and
62	69		(2) teach best practices for detecting, assessing,
63	70		reporting, and addressing information security threats.
64		-	(c) The department may identify and certify under
65		-	Subsection (a) training programs provided by state agencies and
66		-	local governments that satisfy the training requirements described
67		-	by Subsection (b).
68		-	(d) The department may contract with an independent third
	71	+	(c) The department may contract with an independent third
69	72		party to certify cybersecurity training programs under this
70	73		section.
71		-	(e) The department shall annually publish on the
	74	+	(d) The department shall annually publish on the
72	75		department's Internet website the list of cybersecurity training
73	76		programs certified under this section.
74		-	(f) Notwithstanding Subsection (a), a local government that
	77	+	(e) Notwithstanding Subsection (a), a local government that
75	78		employs a dedicated information resources cybersecurity officer
76	79		may offer to its employees a cybersecurity training program that
77	80		satisfies the requirements described by Subsection (b).
78	81		Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN
79		-	EMPLOYEES. (a) Each state agency shall identify state employees
80		-	who use a computer to complete at least 25 percent of the employee's
81		-	required duties. At least once each year, an employee identified by
82		-	the state agency and each elected or appointed officer of the agency
83		-	shall complete a cybersecurity training program certified under
84		-	Section 2054.519.
85		-	(a-1) At least once each year, a local government shall
86		-	identify local government employees who have access to a local
87		-	government computer system or database and require those employees
88		-	and elected officials of the local government to complete a
89		-	cybersecurity training program certified under Section 2054.519 or
90		-	offered under Section 2054.519(f).
	82	+	EMPLOYEES. (a) At least once each year, a state employee that uses a
	83	+	computer to complete at least 25 percent of the employee's required
	84	+	duties shall complete a cybersecurity training program certified
	85	+	under Section 2054.519.
	86	+	(a-1) At least once each year, a local government employee
	87	+	that uses a computer to complete at least 25 percent of the
	88	+	employee's required duties shall complete a cybersecurity training
	89	+	program certified under Section 2054.519 or offered under Section
	90	+	2054.519(e).
91	91		(b) The governing body of a local government may select the
92	92		most appropriate cybersecurity training program certified under
93		-	Section 2054.519 or offered under Section 2054.519(f) for employees
	93	+	Section 2054.519 or offered under Section 2054.519(e) for employees
94	94		of the local government to complete. The governing body shall:
95	95		(1) verify and report on the completion of a
96	96		cybersecurity training program by employees of the local government
97	97		to the department; and
98	98		(2) require periodic audits to ensure compliance with
99	99		this section.
100	100		(c) A state agency may select the most appropriate
101	101		cybersecurity training program certified under Section 2054.519
102	102		for employees of the state agency. The executive head of each state
103	103		agency shall verify completion of a cybersecurity training program
104	104		by employees of the state agency in a manner specified by the
105	105		department.
106	106		(d) The executive head of each state agency shall
107		-	periodically ~~require an internal review of~~ the agency to ensure
108		-	~~compliance with this~~ section.
	107	+	periodically audit the agency to ensure compliance with this
	108	+	section and send the results to the department.
109	109		Sec. 2054.5192. CYBERSECURITY TRAINING REQUIRED: CERTAIN
110	110		STATE CONTRACTORS. (a) In this section, "contractor" includes a
111	111		subcontractor, officer, or employee of the contractor.
112	112		(b) A state agency shall require any contractor who has
113	113		access to a state computer system or database to complete a
114	114		cybersecurity training program certified under Section 2054.519 as
115	115		selected by the agency.
116	116		(c) The cybersecurity training program must be completed by
117	117		a contractor during the term of the contract and during any renewal
118	118		period.
119	119		(d) Required completion of a cybersecurity training program
120	120		must be included in the terms of a contract awarded by a state
121	121		agency to a contractor.
122	122		(e) A contractor required to complete a cybersecurity
123	123		training program under this section shall verify completion of the
124		-	program to the contracting state agency. The ~~person who oversees~~
125		-	~~contract management for the agency~~ shall:
	124	+	program to the contracting state agency. The agency's contract
	125	+	manager shall:
126	126		(1) report the contractor's completion to the
127	127		department; and
128		-	(2) ~~periodically review agency contracts~~ to ensure
129		-	~~compliance with~~ this section.
	128	+	(2) conduct periodic audits to ensure compliance with
	129	+	this section.
130	130		SECTION 4. Section 2054.518(c), Government Code, is
131	131		repealed.
132	132		SECTION 5. The changes in law made by this Act apply to a
133	133		contract entered into or renewed on or after the effective date of
134	134		this Act. A contract entered into or renewed before the effective
135	135		date of this Act is governed by the law in effect on the date the
136	136		contract was entered into or renewed, and the former law is
137	137		continued in effect for that purpose.
138	138		SECTION 6. This Act takes effect immediately if it receives
139	139		a vote of two-thirds of all the members elected to each house, as
140	140		provided by Section 39, Article III, Texas Constitution. If this
141	141		Act does not receive the vote necessary for immediate effect, this
142	142		Act takes effect September 1, 2019.
143		-	______________________________ ______________________________
144		-	President of the Senate Speaker of the House
145		-	I certify that H.B. No. 3834 was passed by the House on April
146		-	25, 2019, by the following vote: Yeas 130, Nays 2, 1 present, not
147		-	voting; and that the House concurred in Senate amendments to H.B.
148		-	No. 3834 on May 24, 2019, by the following vote: Yeas 140, Nays 0,
149		-	2 present, not voting.
150		-	______________________________
151		-	Chief Clerk of the House
152		-	I certify that H.B. No. 3834 was passed by the Senate, with
153		-	amendments, on May 22, 2019, by the following vote: Yeas 31, Nays
154		-	0.
155		-	______________________________
156		-	Secretary of the Senate
157		-	APPROVED: __________________
158		-	Date
159		-	__________________
160		-	Governor
	143	+	* * * * *