By: Capriglione H.B. No. 3834
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the requirement that certain state and local government
  employees and state contractors complete a cybersecurity training
  program certified by the Department of Information Resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Subchapter N-1, Chapter 2054,
  Government Code, is amended to read as follows:
  SUBCHAPTER N-1.  [STATE] CYBERSECURITY
         SECTION 2.  Section 2054.518(a), Government Code, is amended
  to read as follows:
         (a)  The department shall develop a plan to address
  cybersecurity risks and incidents in this state. The department
  may enter into an agreement with a national organization, including
  the National Cybersecurity Preparedness Consortium, to support the
  department's efforts in implementing the components of the plan for
  which the department lacks resources to address internally. The
  agreement may include provisions for:
               (1)  [providing fee reimbursement for appropriate
  industry-recognized certification examinations for and training to
  state agencies preparing for and responding to cybersecurity risks
  and incidents;
               [(2)     developing and maintaining a cybersecurity risks
  and incidents curriculum using existing programs and models for
  training state agencies;
               [(3)     delivering to state agency personnel with access
  to state agency networks routine training related to appropriately
  protecting and maintaining information technology systems and
  devices, implementing cybersecurity best practices, and mitigating
  cybersecurity risks and vulnerabilities;
               [(4)]  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (2)  [(5)]  conducting cybersecurity [training and]
  simulation exercises for state agencies to encourage coordination
  in defending against and responding to cybersecurity risks and
  incidents;
               (3)  [(6)]  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; and
               (4)  [(7)]  incorporating cybersecurity risk and
  incident prevention and response methods into existing state
  emergency plans, including continuity of operation plans and
  incident response plans.
         SECTION 3.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to
  read as follows:
         Sec. 2054.519.  STATE CERTIFIED CYBERSECURITY TRAINING
  PROGRAMS. (a)  The department, in consultation with the
  cybersecurity council established under Section 2054.512 and
  industry stakeholders, shall annually:
               (1)  certify at least five cybersecurity training
  programs for state and local government employees; and
               (2)  update standards for maintenance of certification
  by the cybersecurity training programs under this section.
         (b)  To be certified under Subsection (a), a cybersecurity
  training program must include activities, case studies,
  hypothetical situations, and other methods that:
               (1)  focus on forming information security habits and
  procedures that protect information resources; and
               (2)  teach best practices for detecting, assessing,
  reporting, and addressing information security threats.
         (c)  The department may contract with an independent third
  party to certify cybersecurity training programs under this
  section.
         (d)  The department shall annually publish on the
  department's Internet website the list of cybersecurity training
  programs certified under this section.
         (e)  Notwithstanding Subsection (a), a local government that
  employs a dedicated information resources cybersecurity officer
  may offer to its employees a cybersecurity training program that
  satisfies the requirements described by Subsection (b).
         Sec. 2054.5191.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
  EMPLOYEES. (a) At least once each year, a state employee that uses a
  computer to complete at least 25 percent of the employee's required
  duties shall complete a cybersecurity training program certified
  under Section 2054.519.
         (a-1)  At least once each year, a local government employee
  that uses a computer to complete at least 25 percent of the
  employee's required duties shall complete a cybersecurity training
  program certified under Section 2054.519 or offered under Section
  2054.519(e).
         (b)  The governing body of a local government may select the
  most appropriate cybersecurity training program certified under
  Section 2054.519 or offered under Section 2054.519(e) for employees
  of the local government to complete. The governing body shall:
               (1)  verify and report on the completion of a
  cybersecurity training program by employees of the local government
  to the department; and
               (2)  require periodic audits to ensure compliance with
  this section.
         (c)  A state agency may select the most appropriate
  cybersecurity training program certified under Section 2054.519
  for employees of the state agency. The executive head of each state
  agency shall verify completion of a cybersecurity training program
  by employees of the state agency in a manner specified by the
  department.
         (d)  The executive head of each state agency shall
  periodically audit the agency to ensure compliance with this
  section and send the results to the department.
         Sec. 2054.5192.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
  STATE CONTRACTORS.  (a)  In this section, "contractor" includes a
  subcontractor, officer, or employee of the contractor.
         (b)  A state agency shall require any contractor who has
  access to a state computer system or database to complete a
  cybersecurity training program certified under Section 2054.519 as
  selected by the agency.
         (c)  The cybersecurity training program must be completed by
  a contractor during the term of the contract and during any renewal
  period.
         (d)  Required completion of a cybersecurity training program
  must be included in the terms of a contract awarded by a state
  agency to a contractor.
         (e)  A contractor required to complete a cybersecurity
  training program under this section shall verify completion of the
  program to the contracting state agency. The agency's contract
  manager shall:
               (1)  report the contractor's completion to the
  department; and
               (2)  conduct periodic audits to ensure compliance with
  this section.
         SECTION 4.  Section 2054.518(c), Government Code, is
  repealed.
         SECTION 5.  The changes in law made by this Act apply to a
  contract entered into or renewed on or after the effective date of
  this Act. A contract entered into or renewed before the effective
  date of this Act is governed by the law in effect on the date the
  contract was entered into or renewed, and the former law is
  continued in effect for that purpose.
         SECTION 6.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution.  If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2019.