Preparations are underway in Texas to introduce mandatory annual cybersecurity training for nearly all government employees.
The Lone Star State passed a House bill to introduce the cyber-safety training into law on June 14 of this year. As if to reinforce the need for Texas to protect itself from cyber-criminals, 23 local government entities in the state were targeted in a single coordinated ransomware attack just two months later.
On Monday, the Texas Department of Information Resources (DIR) announced that it was accepting applications to certify cybersecurity training programs. Under the new legislation, DIR, in consultation with the Texas Cybersecurity Council, must certify at least five cybersecurity training programs.
To be certified, a cybersecurity awareness training program must focus on forming habits and procedures that will help government employees protect information resources. The program must also teach best practices for detecting, assessing, reporting, and addressing information security threats.
A spokesperson for DIR said: "DIR has worked with statewide stakeholders and the Texas Cybersecurity Council to develop detailed certification criteria and a systematic process for certifying cybersecurity programs. Once DIR certifies a minimum of five training programs, the list of programs will be published on the DIR website."
To be considered for inclusion on the very first list of certified training programs, applicants must submit their security-awareness training programs by Friday, October 4.
The initial year of the mandatory training will be a rolling certification period, in which additional programs will be certified on a continuing basis. In subsequent years, companies that want to put forward their programs for certification will have to submit them within a designated time frame. To remain on the approved list, training programs will have to be resubmitted for certification annually.
Once the certified programs have been chosen, all mandated state and local government employees will have until June 14, 2020, to complete their cybersecurity training.
In state agencies, the training will only be mandatory for elected or appointed officials and for employees who use a computer to complete at least 25 percent of their required duties. At local government entities, all elected officials and employees who have access to a local government computer system or database must complete the training.
Local governments can get around the obligatory training if they employ a dedicated information resources cybersecurity officer and have a cybersecurity training program in place already that satisfies the requirement.