Committee Report (Substituted)
BACKGROUND AND PURPOSE
It has been suggested that the integration of information technology services into the daily duties of many state and local government employees and contractors has created points of vulnerability for government data systems that may house sensitive information. C.S.H.B. 3834 seeks to ensure that state and local governments are better safeguarded against cybersecurity risks by requiring certain government employees and contractors to undergo cybersecurity training.
CRIMINAL JUSTICE IMPACT
It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.
RULEMAKING AUTHORITY
It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS
C.S.H.B. 3834 amends the Government Code to remove the following from the authorized components of the agreement between the Department of Information Resources (DIR) and a national organization that supports DIR's efforts to implement the components of the plan to address cybersecurity risks and incidents in Texas:
· providing fee reimbursement for appropriate industry-recognized certification examinations for and training to state agencies preparing for and responding to cybersecurity risks and incidents;
· developing and maintaining a cybersecurity risks and incidents curriculum using existing programs and models for training state agencies; and
· delivering to state agency personnel with access to state agency networks routine training related to appropriately protecting and maintaining information technology systems and devices, implementing cybersecurity best practices, and mitigating cybersecurity risks and vulnerabilities.
The bill removes cybersecurity training from the component regarding cybersecurity exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents. The bill repeals the requirement for DIR, in selecting a national organization with whom to contract, to consider the organization's previous experience in conducting cybersecurity training and exercises for state agencies and political subdivisions.
C.S.H.B. 3834 requires DIR, in consultation with the cybersecurity council, to annually certify at least 20 cybersecurity training programs for state and local government employees and to annually update standards for maintenance of certification by the programs. The bill sets out requirements for the components of a training program to be eligible for certification and authorizes DIR to contract with an independent third party to certify the programs. The bill requires DIR to annually publish on its website the list of certified training programs.
C.S.H.B. 3834 sets out cybersecurity training requirements for a state or local government employee who uses a computer to complete at least 25 percent of the employee's required duties and for any contractor, including a subcontractor, officer, or employee of the contractor, who has access to a state computer system or database. The bill requires such a governmental employee to complete the required training at least once a year and requires the contractor to complete the training during the contract term and any renewal term. The bill sets out provisions relating to monitoring and verifying compliance with the training requirements and provides for related periodic audits and for reporting to DIR regarding completed training.
C.S.H.B. 3834 repeals Section 2054.518(c), Government Code.
EFFECTIVE DATE
On passage, or, if the bill does not receive the necessary vote, September 1, 2019.
COMPARISON OF ORIGINAL AND SUBSTITUTE
While C.S.H.B. 3834 may differ from the original in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.
The substitute does not remove from the provisions relating to the DIR agreement with a national organization the component relating to conducting cybersecurity exercises.
The substitute replaces the state cybersecurity coordinator or the coordinator's designee with DIR in provisions relating to the following:
· the required certification of qualifying cybersecurity training programs for state and local government employees; and
· the responsibility to receive certain training verification and related reports and to require periodic compliance audits of state agencies.