Texas HB 3834 Certified Cybersecurity Training Program

Cybersecurity is a major threat to any organization, but government entities top the list for criminals. Data breaches have increased by over 160% for government organizations over the past 10 years. Due to the exponentially growing threat, the State of Texas passed HB 3834. This house bill requires all local and state government employees to complete a cybersecurity training program each year. It is important to understand that government employees may not take just any cybersecurity training program; the program must be authorized by the Texas Department of Information Resources (DIR). ThreatProtector is authorized and approved by the state to help your agency meet this important requirement.

Training Topics to be Covered

Our cybersecurity training program meets all requirements for HB 3834 and has been approved by the State of Texas. This 45-minute online course covers the following topics:

– Personally Identifiable Information (PII) and Sensitive Data
– How cybercriminals are trying to make you a victim
– Phishing 101
– Business Email Compromise (BEC) scams
– Password Security
– Internet of Things (IoT) Devices
– Proper Disposal
– What to do if you suspect a data breach

Pricing Texas Cyber Security Training

Product | Per User (one time yearly)
TX HB 3834 Training | $5.00

Annual Timeline for State of TX Agencies

Annual Training Requirements

Entity Type | Training Required For | Training Due Date
State Agencies | Employees who use a computer to complete at least 25 percent of the employee's required duties; all elected or appointed officers of the agency. | June 1
State Agencies Contractors | Contractors who have access to a state computer system or database. | During the term of the contract and during any renewal period.
Local Governments | Employees who have access to a local government computer; all elected officials of the local government. | June 14

All elected officials must take training, regardless of whether they use a computer or not.
Access is defined as any person who has been given an account on a state (or local) information system.

Reporting Requirements

Entity Type | Reporting Method | Report Due Date
State Agencies | Employees who use a computer to complete at least 25 percent of the employee's required duties; all elected or appointed officers of the agency. | June 1 (Biennially)
Local Governments | Cybersecurity Training Certification of Local Governments; (optional) Texas by Texas (TxT) can assist with tracking employees' training by allowing employees to self-report their training compliance. Local governments will still need to submit their certification via the Cybersecurity Training Certification form. | June 15

All elected officials must take training, regardless of whether they use a computer or not.
Access is defined as any person who has been given an account on a state (or local) information system.

Frequently Asked Questions

When does the annual training need to be completed?
State agencies must complete training by June 1 of each year.  Local governments must complete training by June 14 of each year.
How will agencies report training compliance?
Agencies will certify their employee and contractor training compliance biennially in the Agency Security Plan.  This will be done using the Executive Sign Off Acknowledgment Form, which can be downloaded from the Agency Security Plan Page of the DIR Website.
How can local governments track training compliance?
Local governments can track their compliance in any method they choose.  DIR has also created a tool for local governments to have their employees self-report their training compliance by using Texas by Texas (TxT).  For local governments using TxT, DIR will send reporting from the TxT application to each local government entity to verify training compliance.  Organizations that wish to use TxT for employee self-reporting should indicate their interest by submitting the House Bill 3834 Texas by Texas (TxT) Self-Reporting Form.  More details and information about TxT will be provided to the organizations that plan to use TxT.

Note: Organizations who signed up for 2020 reporting will automatically be enrolled for future reporting cycles and do not need to resubmit the form.

How will local governments report training compliance?
After verifying employee training records (from TxT or otherwise), local governments will submit the Cybersecurity Training Certification for Local Governments. The form is due by June 15 of each year. The form is required for all local governments, regardless of whether TxT is used for employee self-reporting.
Will certificates of training completion need to be submitted to DIR?
No, certificates of completion do not need to be submitted to DIR.  Organizations should retain certificates, or other proof of completion, with their training records.
Will documentation of local governing body verification need to be submitted to DIR?
No, documentation of governing board verification does not need to be submitted to DIR.  The governing body of a local government is required to: (1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and (2) require periodic audits to ensure compliance.  Local governments should retain documentation pertaining to this requirement with their training records.  The Governing Board Acknowledgment Form can be used as documentation, as desired.
Who can submit the Cybersecurity Training Certification for Local Governments?
The Cybersecurity Training Certification for Local Governments can be submitted by whomever the local government authorizes.  The authorized individual submitting the form will need access to their email account, as they will be required to enter a confirmation code in order to finalize the submission.
If a local government does not have any employees that would be required to complete the training, does the entity need to submit any report to DIR?
DIR recommends that the entity still submit a report. If there are no employees that are required to take training, and any elected officials are not also employees (receiving a salary, etc.), then reporting is not required.
What constitutes a state agency?
As defined in Chapter 2054 of Government Code, a state agency includes a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.
Who is responsible for ensuring the service providers in the Shared Technology Services (STS) program meet the contractor training requirements?
DIR contracts directly with each of the service providers within the STS program, including the Multi-sourcing Services Integrator (MSI) and all Service Component Providers (SCPs); therefore, DIR is responsible for ensuring they meet the training requirements.
If a contractor works with multiple state agencies, do they have to complete the training program selected by each of the state agencies?
A contractor that has access to state computer systems or databases at multiple state agencies must complete the training program specified by each state agency. 
What is the difference between Texas Government Code 2054.519 State Certified Cybersecurity Training Programs and the security awareness training requirements included in Texas Administrative Code, Chapter 202 (TAC 202)?
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs provides specifics to the security awareness requirements in TAC 202.  TAC 202 states that state agencies are responsible for administering an ongoing information security awareness education program for all users, and for introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process. HB 3834 adds requirements around the training that must be provided.
Which training requirements apply to community colleges?
Under SB 64 (86R), community colleges must comply with Texas Administrative Code Chapter 202 (TAC 202) and therefore must follow the training requirements for state agencies.
Which training requirements apply to Texas Education Service Centers (ESCs)?
According to the Texas Education Agency (TEA), Texas ESCs are considered state agencies. Please consult with TEA if you require further clarification.
Which state agency and institution of higher education employees are required to have annual cybersecurity awareness training?
Employees who use a computer to complete at least 25% of their required duties are required to complete annual training using a certified program.
If elected or appointed officials of a state agency do not use a computer to perform at least 25 percent of their duties, are they required to complete cybersecurity training?
Yes, elected and appointed officials are required to complete cybersecurity training regardless of whether they use a computer to perform at least 25 percent of their duties.
What is the minimum number of hours contractors have to work to be required to take cybersecurity training?
There is no stipulation for hours worked.  Any contractor who has access (see definition of access above) must complete the training.
Will DIR's CISO training program for security awareness, SANS Securing the Human, be certified?
The SANS training program, TX-3834 SANS Security Awareness Program, has been certified for FY 20-21. State agencies need to ensure they are including the specific modules in their employee training.  Refer to the list of certified programs for additional details. The SANS contract is in place through December 2020.
Can state agencies select any training program from the list of certified programs?
State agencies are bound by state procurement regulations and therefore must select a program that is offered through DIR’s cooperative contracts.  If a state agency wants to procure an item available from DIR’s contracts and services program through an avenue other than a DIR contract, the agency must request an exemption.
Could an agency use a different method of training for elected officials and contractors than they use for employees?
All certified programs meet the requirements and can be used to meet the training requirements, based on each organization’s preference.
To save state resources, may a state agency consider the employee training received by another agency’s employees pursuant to Texas Government Code 2054.5191 as an alternative to the contractor representative training required by Texas Government Code 2054.5192?
Texas Government Code 2054.5192 requires agencies’ contractors to complete training that has been certified by DIR.  An agency’s employee training satisfies its internal obligations under Texas Government Code 2054.5191.  It does not satisfy the agency’s obligations when it is acting as a contractor, as those obligations are detailed under Texas Government Code 2054.5192.  If the contractor agency obtains DIR certification for its training program, and if the customer agency accepts that program, then the training could satisfy the contractor agency’s obligations.
For contractor employees working on multiple contracts, can the state agency require such training only once per year?
Texas Government Code 2054.5192 requires the contractor to certify annually that the contractor (and its subcontractors, officers, and employees) with access to a state computer system or database, have received the requisite training.  Each contract’s file should include the required annual certification from the contractor concerning all relevant personnel working on that contract.  If such personnel work on more than one contract, then each contract file should be documented, but it is not necessary for an individual to take a separate class annually for each contract under which she or he is engaged.
Are contractors required to submit certifications of cybersecurity training for contract extensions, or only for contract renewals?
The distinction between a renewal and an extension may turn on many factors. These include, among others, the length and purpose of the additional time, the work to be performed during that time, and the amount and nature of compensation related to that work.  Agencies are encouraged to confer with their legal counsel concerning specific cases.
Do vendors like Microsoft who have access to organization data need to take training?
For state agencies, only contractors who have been given an account to access any state information system have to take training.  This would generally exclude vendors like Microsoft unless they are specifically given an account.
For contractors, do all employees of the company holding the contract have to be trained or only those accessing the governmental system?
For state agencies, only contractors who have been given an account to access any state information system have to take training.