Security Awareness Training Certification (HB 3834)

Overview

House Bill (HB) 3834 (86R) requires DIR, in consultation with the Texas Cybersecurity Council, to certify at least five cybersecurity training programs for state and local government employees. The sections that follow describe the certification requirements for cybersecurity training programs and the training requirements for state agencies, local governments, and contractors.

Texas Cybersecurity Training Certification Requirements

The initial list of cybersecurity training programs (a minimum of five) will be published to the DIR website.  Additional training programs will be added to the list as they are certified. During the initial year, there will be a rolling certification period.  In subsequent years, there will be designated time frames for submitting training programs for certification.

Course Content Requirements

The application for submitting cybersecurity training programs for certification is available below.  Texas Government Code Section 2054.519(b) states that a cybersecurity training program must:

    1. Focus on forming information security habits and procedures that protect information resources; and
    2. Teach best practices for detecting, assessing, reporting, and addressing information security threats.

Application for Security Awareness Training Program Certification

The application to submit training programs for certification is now available.

Programs will be assessed on an ongoing basis throughout the first year.

Submit a security awareness training program for certification

Prepare your training program submission in advance by reviewing the application guide which includes a glossary of relevant terminology.

Download the Application Guide (.pdf, 457KB)

Course Certification Checklist

The purpose of this checklist is to assess whether a state agency's, local government's, or vendor's cybersecurity awareness training program meets the minimum requirements for certification under Section 2054.519(b), Texas Government Code. The detailed certification criteria are based on the National Initiative for Cybersecurity Education (NICE) Framework.

Download the Course Certification Checklist (.pdf, 171KB)

Certification Exception

A local government that employs a ‘dedicated information resources cybersecurity officer’ may use a cybersecurity training program that satisfies the statutory content requirements.  In this scenario, training program certification is not required.

Submit a Local Government Cybersecurity Training & Awareness Program Exception Form

Statewide Training Requirements

Annual training must be completed by June 14, 2020 by the following employees:

    • State Agencies: Employees who use a computer to complete at least 25 percent of the employee’s required duties, and elected or appointed officers of the agency.
    • Local Government Entities: Employees who have access to a local government computer system or database, and elected officials.

Contractors of state agencies who have access to a state computer system or database must complete training during the term of the contract and during any renewal period.

HB 3834 FAQs

Assistance

For questions about HB 3834 and the certification process, please contact TXTrainingCert@dir.texas.gov.

Program Certification

How many training programs will be certified?

HB 3834 requires DIR to certify at least five cybersecurity training programs, although we anticipate certifying more than the minimum. 

What criteria will be used to certify the programs?

HB 3834 requires training programs to: (1) focus on forming information security habits and procedures that protect information resources; and (2) teach best practices for detecting, assessing, reporting, and addressing information security threats. Refer to the Course Certification Checklist above for the detailed certification criteria, which are based on the National Initiative for Cybersecurity Education (NICE) Framework.

When can programs be submitted for certification?

Programs may be submitted now using the online application form. During the initial year, submissions are accepted on a rolling basis; in subsequent years, there will be designated time frames for submitting training programs for certification.

When will the list of certified programs be published?

We anticipate publishing the initial list of certified programs in October 2019. Programs will continue to be certified after the initial list of certified programs is published.

Where will the list of certified programs be published?

The list of certified programs will be published to the DIR website and communicated out through several channels, including appropriate DIR mailing lists and our local government association partners. 

What are the standards for maintenance of certification?

Training programs will have to be re-submitted for certification annually.

Will there be any low and/or no cost certified training programs available?

Options for low and no cost training programs are being explored and details will be published once finalized.

Can a state agency or local government organization submit a vendor's program for certification?

No, the training provider organization must apply to have their training program certified.  Agencies and other consumers of third-party training programs can use the certification application link to notify DIR of the third-party program currently used by their organization.

Who is responsible for ensuring the service providers in the Shared Technology Services (STS) program meet the contractor training requirements?

DIR contracts directly with each of the service providers within the STS program, including the Multi-sourcing Services Integrator (MSI) and all Service Component Providers (SCPs); therefore, DIR is responsible for ensuring they meet the training requirements.

How is access defined?

Access is defined as "any person who has been given an account to access any state (or local) information system."

In the training program application, is providing a free trial an acceptable method for providing access to training course materials for review?

A free trial may be acceptable if it doesn't have the possibility of leading to any kind of obligation, financial or otherwise, to the State or any other user.

When certifying vendors who provide security awareness courses and/or packages, is it the vendor who is being certified or individual components of that vendor's solution?  In the case that it is individual components, how will those components be identified?

The training program is what will be certified. A training program is a course or curriculum of courses that meets the specifications of HB 3834. If the training program is part of a larger set of training materials, state and local government organizations in Texas must include in their training program, at a minimum, the modules or courses that were submitted for certification in order to comply with state law (they may add modules or content as desired).

Our training partner has a license agreement for end users.  May we submit their license agreement as part of the proposal?

Submitting a license agreement is not a specific requirement of the application; however, training providers can submit any documentation that provides evidence of how the program meets the requirements.

Can we submit a description of the intended audience with our training program?

There is no field on the application for intended audience and therefore this type of information would not be included on the list of certified programs.  However, training providers can submit any documentation that provides evidence of how the program meets the requirements.

State Agency and Contractor Training Requirements

What constitutes a state agency?

As defined in Chapter 2054 of Government Code, a state agency includes a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.

Which state agency and institution of higher education employees are required to complete annual cybersecurity awareness training?

Employees who use a computer to complete at least 25 percent of their required duties, as well as elected or appointed officers of the agency, are required to complete annual awareness training through a certified program.

What contracts are affected by the training requirement?

The training requirement for contractors affects contracts entered into on, or after, June 14, 2019, and contract renewals executed on, or after, June 14, 2019. 

If a contractor works with multiple state agencies, do they have to complete the training program selected by each of the state agencies?

A contractor that has access to state computer systems or databases at multiple state agencies must complete the training program specified by each state agency. 

What is the difference between HB 3834 and the security awareness training requirements included in Texas Administrative Code, Chapter 202 (TAC 202)?

HB 3834 adds specifics to the security awareness requirements in TAC 202. TAC 202 states that state agencies are responsible for administering an ongoing information security awareness education program for all users, and for introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process. HB 3834 adds requirements around the training that must be provided: it must be a certified program, it must be completed annually, and it extends to elected or appointed officers and to contractors with access to state systems.

Which training requirements apply to community colleges?

Under SB 64 (86R), community colleges must comply with Texas Administrative Code Chapter 202 (TAC 202) and therefore must follow the training requirements for state agencies.

If elected or appointed officials of a state agency do not use a computer to perform at least 25 percent of their duties, are they required to complete cybersecurity training?

Yes, elected and appointed officials are required to complete cybersecurity training regardless of whether they use a computer to perform at least 25 percent of their duties.

What is the minimum number of hours contractors have to work to be required to take cybersecurity training?

There is no stipulation for hours worked.  Any contractor who has access to a state computer system or database must complete the training.

Will DIR's CISO training program for security awareness, SANS Securing the Human, be certified?

DIR is working with SANS to certify their security awareness training program.  In addition, since the SANS contract ends in December 2019, the subsequent security awareness training solicitation will include requirements that the selected program also be certified.

Local Government Training Requirements

What constitutes a local government?

As defined in Chapter 2054 of Texas Government Code, local government includes a county, municipality, special district, school district, or other political subdivision of the state.

Do local governments have to use a certified training program?

Yes, local governments must use a certified training program, unless the local government employs a ‘dedicated information resources cybersecurity officer’ and has a cybersecurity training program that satisfies the requirements. 

Which local government employees are required to complete annual cybersecurity awareness training?

Local government employees who have access to a local government computer system or database, and elected officials are required to complete annual cybersecurity awareness training.

Do contractors of local governments have to complete cybersecurity awareness training? 

No, the contractor training requirement only applies to state agencies.  However, ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.

What is the definition of a "dedicated information resources cybersecurity officer"?

An employee who:

    1. has responsibility for information security for their represented organization;
    2. possesses the training and experience required to administer cybersecurity functions; and
    3. has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).

What steps are required to request a dedicated cybersecurity officer exception?

The cybersecurity officer will need to submit a form confirming they meet the exception requirements.  Use the online Local Government Cybersecurity Training & Awareness Program Exception Form to submit an exception request.

If elected officials of the local government organization do not have access to a local government computer system or database, are they required to complete cybersecurity training?

Yes, elected officials are required to complete cybersecurity training regardless of whether they have access to a local government computer system or database.

How is governing body defined?

As defined in Section 332 of Local Government Code, governing body means a governing body of a municipality or commissioners court of a county, or another body acting in place of the municipal governing body or commissioners court.

Training Completion Requirements

When does the annual training need to be completed?

The effective date of HB 3834 is June 14, 2019; therefore, the annual training must be completed by June 14, 2020.