H.B. No. 3834

	AN ACT
	relating to the requirement that certain state and local government
	employees and state contractors complete a cybersecurity training
	program certified by the Department of Information Resources.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  The heading to Subchapter N-1, Chapter 2054,
	Government Code, is amended to read as follows:
	SUBCHAPTER N-1.  [STATE] CYBERSECURITY
	SECTION 2.  Section 2054.518(a), Government Code, is amended
	to read as follows:
	(a)  The department shall develop a plan to address
	cybersecurity risks and incidents in this state. The department
	may enter into an agreement with a national organization, including
	the National Cybersecurity Preparedness Consortium, to support the
	department's efforts in implementing the components of the plan for
	which the department lacks resources to address internally. The
	agreement may include provisions for:
	(1)  [providing fee reimbursement for appropriate
	industry-recognized certification examinations for and training to
	state agencies preparing for and responding to cybersecurity risks
	and incidents;
	[(2)     developing and maintaining a cybersecurity risks
	and incidents curriculum using existing programs and models for
	training state agencies;
	[(3)     delivering to state agency personnel with access
	to state agency networks routine training related to appropriately
	protecting and maintaining information technology systems and
	devices, implementing cybersecurity best practices, and mitigating
	cybersecurity risks and vulnerabilities;
	[(4)]  providing technical assistance services to
	support preparedness for and response to cybersecurity risks and
	incidents;
	(2)  [(5)]  conducting cybersecurity [training and]
	simulation exercises for state agencies to encourage coordination
	in defending against and responding to cybersecurity risks and
	incidents;
	(3)  [(6)]  assisting state agencies in developing
	cybersecurity information-sharing programs to disseminate
	information related to cybersecurity risks and incidents; and
	(4)  [(7)]  incorporating cybersecurity risk and
	incident prevention and response methods into existing state
	emergency plans, including continuity of operation plans and
	incident response plans.
	SECTION 3.  Subchapter N-1, Chapter 2054, Government Code,
	is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to
	read as follows:
	Sec. 2054.519.  STATE CERTIFIED CYBERSECURITY TRAINING
	PROGRAMS. (a)  The department, in consultation with the
	cybersecurity council established under Section 2054.512 and
	industry stakeholders, shall annually:
	(1)  certify at least five cybersecurity training
	programs for state and local government employees; and
	(2)  update standards for maintenance of certification
	by the cybersecurity training programs under this section.
	(b)  To be certified under Subsection (a), a cybersecurity
	training program must:
	(1)  focus on forming information security habits and
	procedures that protect information resources; and
	(2)  teach best practices for detecting, assessing,
	reporting, and addressing information security threats.
	(c)  The department may identify and certify under
	Subsection (a) training programs provided by state agencies and
	local governments that satisfy the training requirements described
	by Subsection (b).
	(d)  The department may contract with an independent third
	party to certify cybersecurity training programs under this
	section.
	(e)  The department shall annually publish on the
	department's Internet website the list of cybersecurity training
	programs certified under this section.
	(f)  Notwithstanding Subsection (a), a local government that
	employs a dedicated information resources cybersecurity officer
	may offer to its employees a cybersecurity training program that
	satisfies the requirements described by Subsection (b).
	Sec. 2054.5191.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
	EMPLOYEES.  (a)  Each state agency shall identify state employees
	who use a computer to complete at least 25 percent of the employee's
	required duties.  At least once each year, an employee identified by
	the state agency and each elected or appointed officer of the agency
	shall complete a cybersecurity training program certified under
	Section 2054.519.
	(a-1)  At least once each year, a local government shall
	identify local government employees who have access to a local
	government computer system or database and require those employees
	and elected officials of the local government to complete a
	cybersecurity training program certified under Section 2054.519 or
	offered under Section 2054.519(f).
	(b)  The governing body of a local government may select the
	most appropriate cybersecurity training program certified under
	Section 2054.519 or offered under Section 2054.519(f) for employees
	of the local government to complete. The governing body shall:
	(1)  verify and report on the completion of a
	cybersecurity training program by employees of the local government
	to the department; and
	(2)  require periodic audits to ensure compliance with
	this section.
	(c)  A state agency may select the most appropriate
	cybersecurity training program certified under Section 2054.519
	for employees of the state agency. The executive head of each state
	agency shall verify completion of a cybersecurity training program
	by employees of the state agency in a manner specified by the
	department.
	(d)  The executive head of each state agency shall
	periodically require an internal review of the agency to ensure
	compliance with this section.
	Sec. 2054.5192.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
	STATE CONTRACTORS.  (a)  In this section, "contractor" includes a
	subcontractor, officer, or employee of the contractor.
	(b)  A state agency shall require any contractor who has
	access to a state computer system or database to complete a
	cybersecurity training program certified under Section 2054.519 as
	selected by the agency.
	(c)  The cybersecurity training program must be completed by
	a contractor during the term of the contract and during any renewal
	period.
	(d)  Required completion of a cybersecurity training program
	must be included in the terms of a contract awarded by a state
	agency to a contractor.
	(e)  A contractor required to complete a cybersecurity
	training program under this section shall verify completion of the
	program to the contracting state agency.  The person who oversees
	contract management for the agency shall:
	(1)  report the contractor's completion to the
	department; and
	(2)  periodically review agency contracts to ensure
	compliance with this section.
	SECTION 4.  Section 2054.518(c), Government Code, is
	repealed.
	SECTION 5.  The changes in law made by this Act apply to a
	contract entered into or renewed on or after the effective date of
	this Act. A contract entered into or renewed before the effective
	date of this Act is governed by the law in effect on the date the
	contract was entered into or renewed, and the former law is
	continued in effect for that purpose.
	SECTION 6.  This Act takes effect immediately if it receives
	a vote of two-thirds of all the members elected to each house, as
	provided by Section 39, Article III, Texas Constitution.  If this
	Act does not receive the vote necessary for immediate effect, this
	Act takes effect September 1, 2019.
	______________________________	______________________________
	President of the Senate	Speaker of the House
	I certify that H.B. No. 3834 was passed by the House on April
	25, 2019, by the following vote:  Yeas 130, Nays 2, 1 present, not
	voting; and that the House concurred in Senate amendments to H.B.
	No. 3834 on May 24, 2019, by the following vote:  Yeas 140, Nays 0,
	2 present, not voting.
	______________________________
	Chief Clerk of the House
	I certify that H.B. No. 3834 was passed by the Senate, with
	amendments, on May 22, 2019, by the following vote:  Yeas 31, Nays
	0.
	______________________________
	Secretary of the Senate
	APPROVED: __________________
	Date
	__________________
	Governor