Security Awareness Training Certification (HB 3834)

Overview

House Bill (HB) 3834 (86R) requires DIR in consultation with the Texas Cybersecurity Council to certify at least five cybersecurity training programs for state and local government employees and also requires state and local government employees to complete a certified training program. The sections that follow explain the annual timeline for certification of trainings, the training and reporting requirements for state agencies, local governments, and contractors, the certification requirements for cybersecurity training programs, and a listing of certified programs.

Annual Timeline

The timeline below outlines the annual certification and requirements for compliance with HB 3834.

​Date

​Entity

​Description

​Annually

​All governmental organizations

​Train employees on certified training programs.

​March 15 - April 30

​DIR

​DIR with consultation of the Texas Cybersecurity Council reviews requirements of the certified training programs.

​April 2020

​DIR

​Publishes web form for local governments to report completion of training.

​April 30, 2020

​Training providers

​Submission of training programs for 2019-2020 closes. After April 30, 2020, all training program applications will be processed annnually from June 1 - July 31.

​May 15

​DIR

​Updated list of certification requirements published.

​June 1

​Training providers and local governments

​Submission of training programs begins.

​June 1

​State agencies

​Complete training of all employees and elected/appointed officers. Biennially report on completion of training to DIR via your agency's security plan.

​June 14

​Local governments

​Complete training of all employees and elected officials.

​June 15

​Local governments

​Report completion of training to DIR via the web form.

​July 31

​Training providers

​Submission of training program ends.

​August 31

​DIR

​New list of certified training providers published.


Back to top↑

Annual Training Requirements

State and local governments are required to train their employees annually on a certified training program. Employees required to complete the training are outlined in the table below.

​Entity Type

​Training Required For

​Training Due Date

​State Agencies

  • ​Employees who use a computer at least 25 percent of the employee's required duties.

  • Elected or appointed officers of the agency.

​June 1

​State Agency Contractors

  • ​Contractors who have access to a state computer system or database.

​During the term of the contract and during any renewal period.

​Local Governments

  • ​Employees who have access to a local government computer.

  • Elected officials.

​June 14, 2020


Back to top↑

Reporting Requirements

State Agencies

State agencies must complete training by June 1, 2020.  Agencies must certify their employee and contractor training compliance biennially in the Agency Security Plan.  This will be done using the Executive Acknowledgment of Risk Form, which can be downloaded from the Agency Security Plan page of the DIR website.

Local Governments

Local governments must complete training by June 14, 2020.  By June 15th, the governing body of the local government is required to certify their completion of training via a web form to DIR.  The web form will be live in April 2020 and a link published here.

Local governments can track their compliance in any method they choose, and will not submit training records or employee certificates of completion to DIR.  Local governments also do not have to report their audits to DIR. Local governments should retain documentation with their training and auditing records.

Texas By Texas

DIR has a tool for local governments to have their employees self-report their training compliance by using Texas By Texas (TxT).  For local governments using TxT, DIR will send reporting from the TxT application to each local government entity to verify training compliance.  Organizations that wish to use TxT for employee self-reporting should indicate their interested by submitting the House Bill 3834 Texas By Texas Self Reporting Form.  More details and information about TxT will be provided to the organizations that plan to use TxT. 

Governing Body Acknowledgement Form

The governing body of a local government is required to verify and report on the completion of a cybersecurity training program by employees of the local government to the department and should retain documentation pertaining to this requirement. The Governing Board Acknowledgement Form can be used as documentation, as desired.

Back to top↑

Texas Cybersecurity Training Certification Requirements

Certified Training Programs

The list of certified training programs is below. Additional programs will be certified on a continuing basis. Please note that these programs are certified for the content, not other regulatory or statutory obligations.

Last Updated 4/1/2020

Certified Training Programs (.docx)

The next steps for state and local government entities are:

  • If your organization is currently using a cybersecurity training program:
    • Check the list of certified programs to see if it has been certified.
    • If it has, continue using that program to meet the requirements of HB 3834 (86R).  Make note of the modules listed with the certified program and make sure you are including these in your program.
    • If it has not, first make sure your program has been submitted for certification (if it's a 3rd-party program, check with the training provider).  Second, continue to monitor the list of certified programs as additional programs will be added as they are certified.
  • If your organization is not currently using a cybersecurity training program:
    • Review the list of certified programs to find one that meets your needs.
    • Contact the point of contact for instructions on:
      • how to access the training program (if you selected an in-house program that the organization is willing to share, or
      • how to procure the training program (if you selected a 3rd-party program). 

Course Content Requirements

The application for submitting cybersecurity training programs for certification is available below.  Texas Government Code Section 2054.519(b) states that a cybersecurity training program must:

    1. Focus on forming information security habits and procedures that protect information resources; and

    2. Teach best practices for detecting, assessing, reporting, and addressing information security threats.

Submit a security awareness training program for certification

Certifications are valid until August 31 and need to be renewed annually.

Back to top↑

Course Certification Checklist

The purpose of this checklist is to assess and determine whether a state agency's, local government's, or vendor's cybersecurity awareness training program meets the minimum requirements for certification under Section 2054.519(b), Texas Government Code.  This detailed certification criteria are based on the National Initiative for Cybersecurity Education (NICE) Framework.

Download the Course Certification Checklist (.pdf, 171KB)

Application Guide for Security Awareness Training Program Certification

The application to submit training programs for certification is now available. Programs will be assessed on an ongoing basis throughout the first year. Prepare your training program submission in advance by reviewing the application guide which includes a glossary of relevant terminology.

Download the Application Guide (.pdf, 457KB)

Certification Exception

A local government that employs a ‘dedicated information resources cybersecurity officer’ may use a cybersecurity training program that satisfies the statutory content requirements.  In this scenario, training program certification is not required.

A local government that employs a 'dedicated information resources cybersecurity officer' may use a cybersecurity training program that satisfies the statutory content requirements. This exception does not apply to state agencies. In this scenario, training program certification is not required.

A cybersecurity officer must be an employee of the organization who:

  • Has responsibility for information security for their represented organization;
  • Possesses the training and experience required to administer cybersecurity functions; and
  • Has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).

Submit a Local Government Cybersecurity Training & Awareness Program Exception Form

Exceptions are valid until August 31 and need to be renewed annually.

Back to top↑

HB 3834 FAQs

For questions about HB 3834, please contact TXTrainingCert@dir.texas.gov.

Assistance

Can my organization get an extension on the due date for training?

Training due dates are set by legislation. DIR is not authorized to change the due date of training and cannot grant extensions. We believe cybersecurity training is of the utmost importance and encourage your organization to complete the required training as soon as possible.

Are there any low and/or no cost certified training programs available?

The list of certified programs include in-house programs that a provider is willing to share. Some of these programs are available at low and/or no cost to your organization. Contact the providers that have indicated they are willing to share for more details.

Program Certification

How many training programs will be certified?

HB 3834 requires DIR to certify at least five cybersecurity training programs. Refer to the list of certified programs for current numbers. 

What criteria will be used to certify the programs?

HB3834 requires training programs to: (1) focus on forming information security habits and procedures that protect information resources; and (2) teach best practices for detecting, assessing, reporting, and addressing information security threats.  Refer to the link above for detailed certification criteria, based on the National Initiative for Cybersecurity Education (NICE) framework.

When can programs be submitted for certification?

You can submit a security awareness training program for certification using the online application form.

What are the standards for maintenance of certification?

Training programs will have to be re-submitted for certification annually.

Can a state agency or local government organization submit a vendor's program for certification?

No, the training provider organization must apply to have their training program certified.  Agencies and other consumers of third-party training programs can use the certification application link to notify DIR of the third-party program currently used by their organization.

How is access defined?

Access is defined as "any person who has been given an account to access any state (or local) information system."

In the training program application, is providing a free trial an acceptable method for providing access to training course materials for review?

A free trial may be acceptable if it doesn't have the possibility of leading to any kind of obligation, financial or otherwise, to the State or any other user.

When certifying vendors who provide security awareness courses and/or packages, is it the vendor who is being certified or individual components of that vendor's solution?  In the case that it is individual components, how will those components be identified?

The training program is what will be certified.  A training program is a course or curriculum of courses that meets the specifications of HB 3834.  If the training program is part of a larger set of training materials, state and local government organizations in Texas will need to include in their training program the modules/courses that are submitted for certification as a minimum to ensure compliance with state law (although they could add modules/content as desired).

Our training partner has a license agreement for end users.  May we submit their license agreement as part of the proposal?

Submitting a license agreement is not a specific requirement of the application, however training providers can submit any documentation that provides evidence of how the program meets requirements.

Can we submit a description of the intended audience with our training program?

There is no field on the application for intended audience and therefore this type of information would not be included on the list of certified programs.  However, training providers can submit any documentation that provides evidence of how the program meets the requirements. If a vendor-provided training program is only available to a specific audience, and therefore not available for general use, please specify this information in the application.

Are training programs being assessed for accessibility?

No, training programs are only being assessed for meeting the requirements stated in the Course Certification Checklist.

Will training programs be offered in languages other than English?

The list of certified programs will include the available languages for each program.

State Agency and Contractor Training Requirements

What constitutes a state agency?

As defined in Chapter 2054 of Government Code, a state agency includes a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.

Which state agencies and institutions of higher education employees are required to have annual cybersecurity awareness training? 

Employees who use a computer to complete at least 25% of their required duties are required to complete annual awareness training through a certified program.

What contracts are affected by the training requirement?

The training requirement for contractors affects contracts entered into on, or after, June 14, 2019, and contract renewals executed on, or after, June 14, 2019. 

Who is responsible for ensuring the service providers in the Shared Technology Services (STS) program meet the contractor training requirements?

DIR contracts directly with each of the service providers within the STS program, including the Multi-sourcing Services Integrator (MSI) and all Service Component Providers (SCPs); therefore, DIR is responsible for ensuring they meet the training requirements.

If a contractor works with multiple state agencies, do they have to complete the training program selected by each of the state agencies?

A contractor that has access to state computer systems or databases at multiple state agencies must complete the training program specified by each state agency. 

What is the difference between HB 3834 and the security awareness training requirements included in Texas Administrative Code, Chapter 202 (TAC 202)?

HB3834 provides specifics to the security awareness requirements in TAC 202.  TAC states that state agencies are responsible for:  administering an ongoing information security awareness education program for all users; and introducing information security awareness and inform new employees of information security policies and procedures during the onboarding process. HB 3834 adds requirements around the training that must be provided.

Which training requirements apply to community colleges?

Under SB 64 (86R), community colleges must comply with Texas Administrative Code Chapter 202 (TAC 202) and therefore must follow the training requirements for state agencies.

If elected or appointed officials of a state agency do not use a computer to perform at least 25 percent of their duties, are they required to complete cybersecurity training?

Yes, elected and appointed officials are required to complete cybersecurity training regardless of whether they use a computer to perform at least 25 percent of their duties.

What is the minimum number of hours contractors have to work to be required to take cybersecurity training?

There is no stipulation for hours worked.  Any contractor who has access (see definition of access above) must complete the training.

Will DIR's CISO training program for security awareness, SANS Securing the Human, be certified?

The SANS training program, TX-3834 SANS Security Awareness Program, has been certified. State agencies need to ensure they are including the specific modules in their employee training.  Refer to the list of certified programs for additional details. The SANS contract is in place through December 2020.

Can state agencies select any training program from the list of certified programs?

State agencies are bound by state procurement regulations and therefore must select a program that is offered through DIR's cooperative contracts.  If a state agency wants to procure an item available from DIR's contracts and services program through an avenue other than a DIR contract, the agency must request an exemption.

To save state resources while complying with HB 3834, may a state agency consider the employee training received by another agency’s employees pursuant to Texas Government Code 2054.5191 as an alternative to the contractor representative training required by Texas Government Code 2054.5192?

Texas Government Code 2054.5192 requires agencies’ contractors to complete training that has been certified by DIR.  An agency’s employee training satisfies its internal obligations under Texas Government Code 2054.5191.  It does not satisfy the agency’s obligations when it is acting as a contractor, as those obligations are detailed under Texas Government Code 2054.5192.  If the contractor agency obtains DIR certification for its training program, and if the customer agency accepts that program, then the training could satisfy the contractor agency’s obligations.

For contractor employees working on multiple contracts, can the state agency require such training only once per year?

Texas Government Code 2054.5192 requires the contractor to certify annually that the contractor (and its subcontractors, officers, and employees) with access to a state computer system or database, have received the requisite training.  Each contract’s file should include the required annual certification from the contractor concerning all relevant personnel working on that contract.  If such personnel work on more than one contract, then each contract file should be documented, but it is not necessary for an individual to take a separate class annually for each contract under which she or he is engaged.

Are contractors required to submit certifications of cybersecurity training for contract extensions, or only for contract renewals?

The distinction between a renewal and an extension may turn on many factors. These include, among others, the length and purpose of the additional time, the work to be performed during that time, and the amount and nature of compensation related to that work.  Agencies are encouraged to confer with their legal counsel concerning specific cases.

Local Government Training Requirements

What constitutes a local government?

As defined in Chapter 2054 of Texas Government Code, local government includes a county, municipality, special district, school district, or other political subdivision of the state.

Do local governments have to use a certified training program?

Yes, local governments must use a certified training program, unless the local government employs a ‘dedicated information resources cybersecurity officer’ and has a cybersecurity training program that satisfies the requirements. 

Which local government employees are required to complete annual cybersecurity awareness training?

Local government employees who have access to a local government computer system or database, and elected officials are required to complete annual cybersecurity awareness training.

Do contractors of local governments have to complete cybersecurity awareness training? 

No, the contractor training requirement only applies to state agencies.  However, ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.

What is the definition of a "dedicated information resources cybersecurity officer"?

An employee who: 1.) has responsibility for information security for their represented organization; 2.) possesses the training and experience required to administer cybersecurity functions; and 3.) has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).

What steps are required to request a dedicated cybersecurity officer exception?

The cybersecurity officer will need to submit a form confirming they meet the exception requirements.  Use the online Local Government Cybersecurity Training & Awareness Program Exception Form to submit an exception request.

If elected officials of the local government organization do not have access to a local government computer system or database, are they required to complete cybersecurity training?

Yes, elected officials are required to complete cybersecurity training regardless of whether they have access to a local government computer system or database.

How is governing body defined?

As defined in Section 332 of Local Government Code, governing body means a governing body of a municipality or commissioners court of a county, or another body acting in place of the municipal governing body or commissioners court.

Do part-time employees of local governments have to complete cybersecurity training?

If part-time employees have access to a local government computer system or database, then yes, they are required to complete training.

Do appointed officials of local governments have to complete cybersecurity awareness training?

No, the local government training requirements apply to employees and elected officials.  However, ensuring that everyone has appropriate awareness of cybersecurity best practices can be beneficial to any organization.

Do substitute teachers have to complete cybersecurity awareness training?

For school districts, HB 3834 only requires annual training for employees and elected officials.  Each district will need to make the determination of whether substitute teachers are considered employees or contractors.  However, if the determination is that substitute teachers are contractors, the district may choose to have them take training since ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.

Our users took a certified training program, but took different modules than those listed on the certified list.  How should we proceed?

If users took a training that didn’t include the required modules, there are a few options. 1) Users can retake the training, or take only the modules that weren’t included in their original training. 2) If all the required content was covered under the modules that the users took, document the rationale and keep this in the records for audit purposes.  (If this option is chosen, make sure to include all the required modules next year.)  3) If the local government employs a dedicated information resources cybersecurity officer, consider submitting an exception request.  Under this exception, the cybersecurity officer can choose the training program, and isn’t limited to the certified programs or modules. 

Training Completion and Reporting Requirements

When does the annual training need to be completed?

State agencies must complete training by June 1, 2020.  Local governments must complete training by June 14, 2020.

How will agencies report training compliance?

Agencies will certify their employee and contractor training compliance biennially in the Agency Security Plan.  This will be done using the Executive Sign Off Acknowledgment Form, which can be downloaded from the Agency Security Plan Page of the DIR Website. The next due date for this plan is June 1, 2020.

How can local governments track training compliance?

Local governments can track their compliance in any method they choose.  DIR has also created a tool for local governments to have their employees self-report their training compliance by using Texas by Texas (TxT).  For local governments using TxT, DIR will send reporting from the TxT application to each local government entity to verify training compliance.  Organizations that wish to use TxT for employee self-reporting should indicate their interest by submitting the House Bill 3834 Texas by Texas (TxT) Self-Reporting Form.  More details and information about TxT will be provided to the organizations that plan to use TxT. 

Note: Organizations who have signed up for 2020 reporting will automatically be enrolled for future reporting cycles and do not need to resubmit the form.

How will local governments report training compliance?

After verifying employee training records (from TxT or otherwise), local governments will submit a web form acknowledging compliance with the security awareness training requirements. The web form will be available in April 2020 and is due by June 15, 2020. The form is required for all local governments, regardless of whether TxT is used for employee self-reporting.

Will certificates of training completion need to be submitted to DIR?

No, certificates of completion do not need to be submitted to DIR.  Organizations should retain certificates, or other proof of completion, with their training records.

Will documentation of local governing body verification need to be submitted to DIR?

No, documentation of governing board verification does not need to be submitted to DIR.  The governing body of a local government is required to: (1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and (2) require periodic audits to ensure compliance.  Local governments should retain documentation pertaining to this requirement with their training records.  The Governing Board Acknowledgment Form can be used as documentation, as desired.