Cybersecurity Training Requirements (HB 3834)
Print this Article | Send to Colleague
There are many questions circulating related to the HB 3834 Cybersecurity Training Requirements. TAGITM reached out to Deputy Chief Information Security Officer Andy Bennett with the Department of Information (DIR) in an attempt to answer some of the questions that our members have expressed.
What training is required for HB3834 Compliance?
An agency must select a certified training provider from DIR's published Certified Training Programs Document and complete all modules listed for the selected provider. For example, four trainings are required for KnowBe4.
Who must complete the training?
Local government employees who have access to a local government computer system or database and elected officials are required to complete annual cybersecurity awareness training.
How will agencies/employees report compliance?
Option 1: Local government employees and elected officials will self-report their training compliance using Texas by Texas (TxT) portal. The expected launch date for this application is February 2020. In June, DIR will send a detailed report from the TxT application to each local government entity to verify training compliance. Although the self-reporting capability will not be available until early February, employees can take their certified cybersecurity training at any time prior to June 14, 2020.
Option 2: Alternatively, a local government may track the completion of training for each employee and elected official and upload an attestation of compliance form prior to the June 14, 2020 deadline.
Additional details will be posted on the Cybersecurity Awareness Training Program webpage by mid-February.
Will reporting differ for agencies that requested a certification exception?
A local government that employs a "dedicated information resources cybersecurity officer" may use a cybersecurity training program that satisfies the statutory content requirements. In this scenario, training program certification is not required. However, they will be required to upload an attestation of compliance.
What is the definition of a "dedicated information resources cybersecurity officer"?
An employee who: (1) has responsibility for information security for their represented organization; (2) possesses the training and experience required to administer cybersecurity functions; and (3) has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).
Thanks,
Beth Ann Unger, Cybersecurity Committee Chair
