The deadline to comply with HB3834 Cybersecurity training requirements is quickly approaching.
Governor Abbott has been emphasizing the need for all of us to remain vigilant and practice good hygiene. However, it may not be the type of hygiene you expect. After the Department of Information Resources (DIR) reported more than 10,000 attempted cyberattacks per minute over a 48-hour span in January 2020, Governor Abbott stressed the importance of the public sector practicing “good cyber hygiene”. This comes after an incident in August 2019 in which more than 20 local governments in Texas reported ransomware attacks and were required to go offline. The State of Texas has recognized the importance of cybersecurity awareness and has implemented new laws in order to defend public sector resources.
On June 14, 2019, House Bill 3834 was signed into law and required school districts and other local governments to comply with new cybersecurity training requirements. A summary of these requirements is as follows:
- The DIR, in consultation with the Texas Cybersecurity Council, will certify at least five cybersecurity programs every year. See the current list of certified programs here.
- At least once per year, the school districts should identify employees who have access to a school district computer system or database and require those employees to complete a certified cybersecurity training program. Elected officials are required to complete the training regardless of their access.
- School districts must certify their training compliance annually through a form on the DIR website (Cybersecurity Training Certification for Local Governments). The certification can be submitted by whomever the school district identifies and authorizes to do so.
- School districts can track their compliance using any method they choose and do not submit training records or employee certificates of completion to DIR.
- The governing body should verify and report on completion of a cybersecurity program by employees of the school district. The Governing Board Acknowledgement Form can be used as documentation, but is not required to be submitted to DIR.
- The governing body should require periodic audits to ensure compliance with Section 2 of House Bill 3834.
June 14, 2020 – Training completed by all employees and elected officials.
June 15, 2020 – Certification of completion of training reported to DIR.
- DIR has an optional tool, Texas by Texas (TxT), for school districts to track their employees’ training compliance.
- DIR has developed a certified training, Cybersecurity Awareness Training, free of charge to anyone who needs to meet the training requirements.
- A school district that employs a dedicated information resources cybersecurity officer may qualify for an exception. If the school district’s cybersecurity training program satisfies the statutory content requirements, training program certification is not required. However, exceptions must be submitted annually (Local Government Cybersecurity Training & Awareness Program Exception Form).
- Applications for training program certifications can be submitted to DIR by training providers and school districts from June 1 to July 31 every year. Certifications are valid until August 31 and need to be renewed annually.
- These requirements apply to all local governments as defined in Chapter 2054 of Texas Government Code, which includes a county, municipality, special district, school district, or other political subdivision of the state.
Visit the DIR website for additional resources, FAQs, and other useful information: Security Awareness Training Certification (HB 3834)