KEY QUESTION: Are county employees and elected and appointed officials required by law to complete cybersecurity training?
MAIN REFERENCE POINTS:
- Government Code, Chapter 2054, Section 2054.5191
- Government Code, Chapter 772, Section 772.012
TALKING POINTS:
- House Bill 3834, passed by the 86th Texas Legislature, required certain local government employees and elected officials to complete a cybersecurity training program certified by the Texas Department of Information Resources (DIR).
- The 87th Texas Legislature passed House Bill 1118, which made a number of changes, including:
  - The required training is now applicable to local government employees and elected and appointed local government officials who use a computer to perform at least 25 percent of their required duties.
  - A local government governing body is authorized to deny access to its computer system or database to employees or officials who do not comply with the cybersecurity training requirements.
  - Exempted employees include those on military leave, on leave under the federal Family and Medical Leave Act, on sick leave, disability leave, or other extended leave where they no longer have access to the local government database, and employees who were denied access to the computer system for not complying with the training.
  - The local government governing body is required to submit certification of compliance with the cybersecurity training mandate when applying for grants under the governor’s office.
  - If a local government is awarded a governor’s office grant but does not complete the required training, that government must pay back the grant and is not eligible to apply again for two years.
- The law requires the DIR, in consultation with the Texas Cybersecurity Council, to certify at least five cybersecurity training programs for state and local government employees and officials. A list of certified training programs is available at https://dir.texas.gov/information-security/statewide-cybersecurity-awareness-training.
- State law does not dictate a set time for new employees to take the training outside of the yearly requirement, but as soon as possible is recommended, according to the DIR.
- The local government governing body must annually certify the training compliance by August 31 using the Cybersecurity Training Certification for State and Local Governments site, https://dircommunity.force.com/SecurityTrainingVerification/s/CybersecurityTrainingCertification.
- Local governments may track their compliance using any method they choose; they are not required to submit training records or employee certificates of completion to DIR. Local governments also do not have to report their audits to DIR. Local governments should retain documentation with their training and auditing records.
- For additional information, go to https://dir.texas.gov/information-security/statewide-cybersecurity-awareness-training/.