H.B. No. 3834

AN ACT

relating to the requirement that certain state and local government employees and state contractors complete a cybersecurity training program certified by the Department of Information Resources.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Subchapter N-1, Chapter 2054, Government Code, is amended to read as follows:

SUBCHAPTER N-1. [STATE] CYBERSECURITY

SECTION 2. Section 2054.518(a), Government Code, is amended to read as follows:

(a) The department shall develop a plan to address cybersecurity risks and incidents in this state. The department may enter into an agreement with a national organization, including the National Cybersecurity Preparedness Consortium, to support the department's efforts in implementing the components of the plan for which the department lacks resources to address internally. The agreement may include provisions for:

(1) [providing fee reimbursement for appropriate industry-recognized certification examinations for and training to state agencies preparing for and responding to cybersecurity risks and incidents;

[(2) developing and maintaining a cybersecurity risks and incidents curriculum using existing programs and models for training state agencies;

[(3) delivering to state agency personnel with access to state agency networks routine training related to appropriately protecting and maintaining information technology systems and devices, implementing cybersecurity best practices, and mitigating cybersecurity risks and vulnerabilities;

[(4)] providing technical assistance services to support preparedness for and response to cybersecurity risks and incidents;

(2) [(5)] conducting cybersecurity [training and] simulation exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents;

(3) [(6)] assisting state agencies in developing cybersecurity information-sharing programs to disseminate information related to cybersecurity risks and incidents; and

(4) [(7)] incorporating cybersecurity risk and incident prevention and response methods into existing state emergency plans, including continuity of operation plans and incident response plans.

SECTION 3. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to read as follows:

Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS.

(a) The department, in consultation with the cybersecurity council established under Section 2054.512 and industry stakeholders, shall annually:

(1) certify at least five cybersecurity training programs for state and local government employees; and

(2) update standards for maintenance of certification by the cybersecurity training programs under this section.

(b) To be certified under Subsection (a), a cybersecurity training program must:

(1) focus on forming information security habits and procedures that protect information resources; and

(2) teach best practices for detecting, assessing, reporting, and addressing information security threats.

(c) The department may identify and certify under Subsection (a) training programs provided by state agencies and local governments that satisfy the training requirements described by Subsection (b).

(d) The department may contract with an independent third party to certify cybersecurity training programs under this section.

(e) The department shall annually publish on the department's Internet website the list of cybersecurity training programs certified under this section.

(f) Notwithstanding Subsection (a), a local government that employs a dedicated information resources cybersecurity officer may offer to its employees a cybersecurity training program that satisfies the requirements described by Subsection (b).

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES.

(a) Each state agency shall identify state employees who use a computer to complete at least 25 percent of the employee's required duties. At least once each year, an employee identified by the state agency and each elected or appointed officer of the agency shall complete a cybersecurity training program certified under Section 2054.519.

(a-1) At least once each year, a local government shall identify local government employees who have access to a local government computer system or database and require those employees and elected officials of the local government to complete a cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(f).

(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(f) for employees of the local government to complete. The governing body shall:

(1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and

(2) require periodic audits to ensure compliance with this section.

(c) A state agency may select the most appropriate cybersecurity training program certified under Section 2054.519 for employees of the state agency. The executive head of each state agency shall verify completion of a cybersecurity training program by employees of the state agency in a manner specified by the department.

(d) The executive head of each state agency shall periodically require an internal review of the agency to ensure compliance with this section.

Sec. 2054.5192. CYBERSECURITY TRAINING REQUIRED: CERTAIN STATE CONTRACTORS.

(a) In this section, "contractor" includes a subcontractor, officer, or employee of the contractor.

(b) A state agency shall require any contractor who has access to a state computer system or database to complete a cybersecurity training program certified under Section 2054.519 as selected by the agency.

(c) The cybersecurity training program must be completed by a contractor during the term of the contract and during any renewal period.

(d) Required completion of a cybersecurity training program must be included in the terms of a contract awarded by a state agency to a contractor.

(e) A contractor required to complete a cybersecurity training program under this section shall verify completion of the program to the contracting state agency. The person who oversees contract management for the agency shall:

(1) report the contractor's completion to the department; and

(2) periodically review agency contracts to ensure compliance with this section.

SECTION 4. Section 2054.518(c), Government Code, is repealed.

SECTION 5. The changes in law made by this Act apply to a contract entered into or renewed on or after the effective date of this Act. A contract entered into or renewed before the effective date of this Act is governed by the law in effect on the date the contract was entered into or renewed, and the former law is continued in effect for that purpose.

SECTION 6. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2019.

______________________________    ______________________________
President of the Senate           Speaker of the House

I certify that H.B. No. 3834 was passed by the House on April 25, 2019, by the following vote: Yeas 130, Nays 2, 1 present, not voting; and that the House concurred in Senate amendments to H.B. No. 3834 on May 24, 2019, by the following vote: Yeas 140, Nays 0, 2 present, not voting.

______________________________
Chief Clerk of the House

I certify that H.B. No. 3834 was passed by the Senate, with amendments, on May 22, 2019, by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

APPROVED: __________________
                 Date

          __________________
               Governor