A BILL TO BE ENTITLED

AN ACT

relating to the requirement that certain state and local government employees and state contractors complete a cybersecurity training program certified by the Department of Information Resources.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Subchapter N-1, Chapter 2054, Government Code, is amended to read as follows:

SUBCHAPTER N-1. [STATE] CYBERSECURITY

SECTION 2. Section 2054.518(a), Government Code, is amended to read as follows:

(a) The department shall develop a plan to address cybersecurity risks and incidents in this state. The department may enter into an agreement with a national organization, including the National Cybersecurity Preparedness Consortium, to support the department's efforts in implementing the components of the plan for which the department lacks resources to address internally. The agreement may include provisions for:

(1) [providing fee reimbursement for appropriate industry-recognized certification examinations for and training to state agencies preparing for and responding to cybersecurity risks and incidents;

[(2) developing and maintaining a cybersecurity risks and incidents curriculum using existing programs and models for training state agencies;

[(3) delivering to state agency personnel with access to state agency networks routine training related to appropriately protecting and maintaining information technology systems and devices, implementing cybersecurity best practices, and mitigating cybersecurity risks and vulnerabilities;

[(4)] providing technical assistance services to support preparedness for and response to cybersecurity risks and incidents;

(2) [(5)] conducting cybersecurity [training and] simulation exercises for state agencies to encourage coordination in defending against and responding to cybersecurity risks and incidents;

(3) [(6)] assisting state agencies in developing cybersecurity information-sharing programs to disseminate information related to cybersecurity risks and incidents; and

(4) [(7)] incorporating cybersecurity risk and incident prevention and response methods into existing state emergency plans, including continuity of operation plans and incident response plans.

SECTION 3. Subchapter N-1, Chapter 2054, Government Code, is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to read as follows:

Sec. 2054.519. STATE CERTIFIED CYBERSECURITY TRAINING PROGRAMS. (a) The department, in consultation with the cybersecurity council established under Section 2054.512 and industry stakeholders, shall annually:

(1) certify at least five cybersecurity training programs for state and local government employees; and

(2) update standards for maintenance of certification by the cybersecurity training programs under this section.

(b) To be certified under Subsection (a), a cybersecurity training program must include activities, case studies, hypothetical situations, and other methods that:

(1) focus on forming information security habits and procedures that protect information resources; and

(2) teach best practices for detecting, assessing, reporting, and addressing information security threats.

(c) The department may contract with an independent third party to certify cybersecurity training programs under this section.

(d) The department shall annually publish on the department's Internet website the list of cybersecurity training programs certified under this section.

(e) Notwithstanding Subsection (a), a local government that employs a dedicated information resources cybersecurity officer may offer to its employees a cybersecurity training program that satisfies the requirements described by Subsection (b).

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES. (a) At least once each year, a state employee that uses a computer to complete at least 25 percent of the employee's required duties shall complete a cybersecurity training program certified under Section 2054.519.

(a-1) At least once each year, a local government employee that uses a computer to complete at least 25 percent of the employee's required duties shall complete a cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(e).

(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(e) for employees of the local government to complete. The governing body shall:

(1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and

(2) require periodic audits to ensure compliance with this section.

(c) A state agency may select the most appropriate cybersecurity training program certified under Section 2054.519 for employees of the state agency. The executive head of each state agency shall verify completion of a cybersecurity training program by employees of the state agency in a manner specified by the department.

(d) The executive head of each state agency shall periodically audit the agency to ensure compliance with this section and send the results to the department.

Sec. 2054.5192. CYBERSECURITY TRAINING REQUIRED: CERTAIN STATE CONTRACTORS. (a) In this section, "contractor" includes a subcontractor, officer, or employee of the contractor.

(b) A state agency shall require any contractor who has access to a state computer system or database to complete a cybersecurity training program certified under Section 2054.519 as selected by the agency.

(c) The cybersecurity training program must be completed by a contractor during the term of the contract and during any renewal period.

(d) Required completion of a cybersecurity training program must be included in the terms of a contract awarded by a state agency to a contractor.

(e) A contractor required to complete a cybersecurity training program under this section shall verify completion of the program to the contracting state agency. The agency's contract manager shall:

(1) report the contractor's completion to the department; and

(2) conduct periodic audits to ensure compliance with this section.

SECTION 4. Section 2054.518(c), Government Code, is repealed.

SECTION 5. The changes in law made by this Act apply to a contract entered into or renewed on or after the effective date of this Act. A contract entered into or renewed before the effective date of this Act is governed by the law in effect on the date the contract was entered into or renewed, and the former law is continued in effect for that purpose.

SECTION 6. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2019.