H.B. No. 3834
 
 
 
 
AN ACT
  relating to the requirement that certain state and local government
  employees and state contractors complete a cybersecurity training
  program certified by the Department of Information Resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Subchapter N-1, Chapter 2054,
  Government Code, is amended to read as follows:
  SUBCHAPTER N-1.  [STATE] CYBERSECURITY
         SECTION 2.  Section 2054.518(a), Government Code, is amended
  to read as follows:
         (a)  The department shall develop a plan to address
  cybersecurity risks and incidents in this state. The department
  may enter into an agreement with a national organization, including
  the National Cybersecurity Preparedness Consortium, to support the
  department's efforts in implementing the components of the plan for
  which the department lacks resources to address internally. The
  agreement may include provisions for:
               (1)  [providing fee reimbursement for appropriate
  industry-recognized certification examinations for and training to
  state agencies preparing for and responding to cybersecurity risks
  and incidents;
               [(2)     developing and maintaining a cybersecurity risks
  and incidents curriculum using existing programs and models for
  training state agencies;
               [(3)     delivering to state agency personnel with access
  to state agency networks routine training related to appropriately
  protecting and maintaining information technology systems and
  devices, implementing cybersecurity best practices, and mitigating
  cybersecurity risks and vulnerabilities;
               [(4)]  providing technical assistance services to
  support preparedness for and response to cybersecurity risks and
  incidents;
               (2)  [(5)]  conducting cybersecurity [training and]
  simulation exercises for state agencies to encourage coordination
  in defending against and responding to cybersecurity risks and
  incidents;
               (3)  [(6)]  assisting state agencies in developing
  cybersecurity information-sharing programs to disseminate
  information related to cybersecurity risks and incidents; and
               (4)  [(7)]  incorporating cybersecurity risk and
  incident prevention and response methods into existing state
  emergency plans, including continuity of operation plans and
  incident response plans.
         SECTION 3.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Sections 2054.519, 2054.5191, and 2054.5192 to
  read as follows:
         Sec. 2054.519.  STATE CERTIFIED CYBERSECURITY TRAINING
  PROGRAMS. (a)  The department, in consultation with the
  cybersecurity council established under Section 2054.512 and
  industry stakeholders, shall annually:
               (1)  certify at least five cybersecurity training
  programs for state and local government employees; and
               (2)  update standards for maintenance of certification
  by the cybersecurity training programs under this section.
         (b)  To be certified under Subsection (a), a cybersecurity
  training program must:
               (1)  focus on forming information security habits and
  procedures that protect information resources; and
               (2)  teach best practices for detecting, assessing,
  reporting, and addressing information security threats.
         (c)  The department may identify and certify under
  Subsection (a) training programs provided by state agencies and
  local governments that satisfy the training requirements described
  by Subsection (b).
         (d)  The department may contract with an independent third
  party to certify cybersecurity training programs under this
  section.
         (e)  The department shall annually publish on the
  department's Internet website the list of cybersecurity training
  programs certified under this section.
         (f)  Notwithstanding Subsection (a), a local government that
  employs a dedicated information resources cybersecurity officer
  may offer to its employees a cybersecurity training program that
  satisfies the requirements described by Subsection (b).
         Sec. 2054.5191.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
  EMPLOYEES.  (a)  Each state agency shall identify state employees
  who use a computer to complete at least 25 percent of the employee's
  required duties.  At least once each year, an employee identified by
  the state agency and each elected or appointed officer of the agency
  shall complete a cybersecurity training program certified under
  Section 2054.519.
         (a-1)  At least once each year, a local government shall
  identify local government employees who have access to a local
  government computer system or database and require those employees
  and elected officials of the local government to complete a
  cybersecurity training program certified under Section 2054.519 or
  offered under Section 2054.519(f).
         (b)  The governing body of a local government may select the
  most appropriate cybersecurity training program certified under
  Section 2054.519 or offered under Section 2054.519(f) for employees
  of the local government to complete. The governing body shall:
               (1)  verify and report on the completion of a
  cybersecurity training program by employees of the local government
  to the department; and
               (2)  require periodic audits to ensure compliance with
  this section.
         (c)  A state agency may select the most appropriate
  cybersecurity training program certified under Section 2054.519
  for employees of the state agency. The executive head of each state
  agency shall verify completion of a cybersecurity training program
  by employees of the state agency in a manner specified by the
  department.
         (d)  The executive head of each state agency shall
  periodically require an internal review of the agency to ensure
  compliance with this section.
         Sec. 2054.5192.  CYBERSECURITY TRAINING REQUIRED: CERTAIN
  STATE CONTRACTORS.  (a)  In this section, "contractor" includes a
  subcontractor, officer, or employee of the contractor.
         (b)  A state agency shall require any contractor who has
  access to a state computer system or database to complete a
  cybersecurity training program certified under Section 2054.519 as
  selected by the agency.
         (c)  The cybersecurity training program must be completed by
  a contractor during the term of the contract and during any renewal
  period.
         (d)  Required completion of a cybersecurity training program
  must be included in the terms of a contract awarded by a state
  agency to a contractor.
         (e)  A contractor required to complete a cybersecurity
  training program under this section shall verify completion of the
  program to the contracting state agency.  The person who oversees
  contract management for the agency shall:
               (1)  report the contractor's completion to the
  department; and
               (2)  periodically review agency contracts to ensure
  compliance with this section.
         SECTION 4.  Section 2054.518(c), Government Code, is
  repealed.
         SECTION 5.  The changes in law made by this Act apply to a
  contract entered into or renewed on or after the effective date of
  this Act. A contract entered into or renewed before the effective
  date of this Act is governed by the law in effect on the date the
  contract was entered into or renewed, and the former law is
  continued in effect for that purpose.
         SECTION 6.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution.  If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2019.
 
 
  ______________________________ ______________________________
     President of the Senate Speaker of the House     
 
 
         I certify that H.B. No. 3834 was passed by the House on April
  25, 2019, by the following vote:  Yeas 130, Nays 2, 1 present, not
  voting; and that the House concurred in Senate amendments to H.B.
  No. 3834 on May 24, 2019, by the following vote:  Yeas 140, Nays 0,
  2 present, not voting.
 
  ______________________________
  Chief Clerk of the House   
 
         I certify that H.B. No. 3834 was passed by the Senate, with
  amendments, on May 22, 2019, by the following vote:  Yeas 31, Nays
  0.
 
  ______________________________
  Secretary of the Senate   
  APPROVED: __________________
                  Date       
   
           __________________
                Governor