BILL ANALYSIS

 

 

Senate Research Center

H.B. 3834

 

By: Capriglione (Paxton)

 

Business & Commerce

 

5/15/2019

 

Engrossed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

H.B. 3834 amends current law relating to the requirement that certain state and local government employees and state contractors complete a cybersecurity training program certified by the Department of Information Resources.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends the heading to Subchapter N-1, Chapter 2054, Government Code, as follows:

 

SUBCHAPTER N-1. CYBERSECURITY

 

SECTION 2. Amends Section 2054.518(a), Government Code, as follows:

 

(a) Deletes existing text of Subdivisions (1)�(3) authorizing the agreement between the Texas Department of Information Resources (DIR) and a national organization in addressing cybersecurity risks to include provisions for providing fee reimbursement for appropriate industry-recognized certification examinations for and training to state agencies preparing for and responding to cybersecurity risks and incidents, developing and maintaining a cybersecurity risks and incidents curriculum using existing programs and models for training state agencies, and delivering to state agency personnel with access to state agency networks routine training related to appropriately protecting and maintaining information technology systems and devices, implementing cybersecurity best practices, and mitigating cybersecurity risks and vulnerabilities. Replaces a reference to cybersecurity training and simulation exercises with a reference to cybersecurity simulation exercises. Redesignates existing text of Subdivision (4) as Subdivision (1) and renumbers accordingly.

 

SECTION 3. Amends Subchapter N-1, Chapter 2054, Government Code, by adding Sections 2054.519, 2054.5191, and 2054.5192, as follows:

 

Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS. (a) Requires DIR, in consultation with the cybersecurity council established under Section 2054.512 (Cybersecurity Council) and industry stakeholders, to annually:

 

(1) certify at least five cybersecurity training programs for state and local government employees; and

 

(2) update standards for maintenance of certification by the cybersecurity training programs under this section.

 

(b) Requires a cybersecurity training program, to be certified under Subsection (a), to include activities, case studies, hypothetical situations, and other methods that:

 

(1) focus on forming information security habits and procedures that protect information resources; and

 

(2) teach best practices for detecting, assessing, reporting, and addressing information security threats.

 

(c) Authorizes DIR to contract with an independent third party to certify cybersecurity training programs under this section.

 

(d) Requires DIR to annually publish on its Internet website the list of cybersecurity training programs certified under this section.

 

(e) Authorizes a local government that employs a dedicated information resources cybersecurity officer, notwithstanding Subsection (a), to offer to its employees a cybersecurity training program that satisfies the requirements described by Subsection (b).

 

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES. (a) Requires a state employee that uses a computer to complete at least 25 percent of the employee's required duties, at least once each year, to complete a cybersecurity training program certified under Section 2054.519.

 

(a-1) Requires a local government employee that uses a computer to complete at least 25 percent of the employee's required duties, at least once each year, to complete a cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(e).

 

(b) Authorizes the governing body of a local government to select the most appropriate cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(e) for employees of the local government to complete. Requires the governing body to:

 

(1) verify and report on the completion of a cybersecurity training program by employees of the local government to DIR; and

 

(2) require periodic audits to ensure compliance with this section.

 

(c) Authorizes a state agency to select the most appropriate cybersecurity training program certified under Section 2054.519 for employees of the state agency. Requires the executive head of each state agency to verify completion of a cybersecurity training program by employees of the state agency in a manner specified by DIR.

 

(d) Requires the executive head of each state agency to periodically audit the agency to ensure compliance with this section and send the results to DIR.

 

Sec. 2054.5192. CYBERSECURITY TRAINING REQUIRED: CERTAIN STATE CONTRACTORS. (a) Defines "contractor" for purposes of this section.

 

(b) Requires a state agency to require any contractor who has access to a state computer system or database to complete a cybersecurity training program certified under Section 2054.519 as selected by the agency.

 

(c) Requires the cybersecurity training program to be completed by a contractor during the term of the contract and during any renewal period.

 

(d) Requires required completion of a cybersecurity training program to be included in the terms of a contract awarded by a state agency to a contractor.

 

(e) Requires a contractor required to complete a cybersecurity training program under this section to verify completion of the program to the contracting state agency. Requires the agency's contract manager to:

 

(1) report the contractor's completion to DIR; and

 

(2) conduct periodic audits to ensure compliance with this section.

 

SECTION 4. Repealer: Section 2054.518(c) (relating to requiring DIR to consider the organization's previous experience in conducting cybersecurity training), Government Code.

 

SECTION 5. Makes application of this Act prospective.

 

SECTION 6. Effective date: upon passage or September 1, 2019.