H.B. No. 1118

AN ACT
relating to state agency and local government compliance with cybersecurity training requirements.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter A, Chapter 772, Government Code, is amended by adding Section 772.012 to read as follows:

Sec. 772.012. COMPLIANCE WITH CYBERSECURITY TRAINING REQUIREMENTS.
(a) In this section, "local government" has the meaning assigned by Section 2054.003.
(b) To apply for a grant under this chapter, a local government must submit with the grant application a written certification of the local government's compliance with the cybersecurity training required by Section 2054.5191.
(c) On a determination by the criminal justice division established under Section 772.006 that a local government awarded a grant under this chapter has not complied with the cybersecurity training required by Section 2054.5191, the local government shall pay to this state an amount equal to the amount of the grant award. A local government that is the subject of a determination described by this subsection is ineligible for another grant under this chapter until the second anniversary of the date the local government is determined ineligible.

SECTION 2. The heading to Section 2054.5191, Government Code, is amended to read as follows:

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES AND OFFICIALS.

SECTION 3. Section 2054.5191, Government Code, is amended by amending Subsections (a-1) and (b) and adding Subsections (a-2), (e), and (f) to read as follows:

(a-1) At least once each year, a local government shall:
    (1) identify local government employees and elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of the employee's or official's required duties; and
    (2) require the [those] employees and [elected] officials identified under Subdivision (1) [of the local government] to complete a cybersecurity training program certified under Section 2054.519 [or offered under Section 2054.519(f)].
(a-2) The governing body of a local government or the governing body's designee may deny access to the local government's computer system or database to an individual described by Subsection (a-1)(1) who the governing body or the governing body's designee determines is noncompliant with the requirements of Subsection (a-1)(2).
(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 [or offered under Section 2054.519(f)] for employees and officials of the local government to complete. The governing body shall:
    (1) verify and report on the completion of a cybersecurity training program by employees and officials of the local government to the department; and
    (2) require periodic audits to ensure compliance with this section.
(e) The department shall develop a form for use by state agencies and local governments in verifying completion of cybersecurity training program requirements under this section. The form must allow the state agency and local government to indicate the percentage of employee completion.
(f) The requirements of Subsections (a) and (a-1) do not apply to employees and officials who have been:
    (1) granted military leave;
    (2) granted leave under the federal Family and Medical Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
    (3) granted leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the state agency's or local government's database and systems;
    (4) granted any other type of extended leave or authorization to work from an alternative work site if that employee no longer has access to the state agency's or local government's database and systems; or
    (5) denied access to a local government's computer system or database by the governing body of the local government or the governing body's designee under Subsection (a-2) for noncompliance with the requirements of Subsection (a-1)(2).

SECTION 4. Section 2056.002(b), Government Code, is amended to read as follows:

(b) The Legislative Budget Board and the governor's office shall determine the elements required to be included in each agency's strategic plan. Unless modified by the Legislative Budget Board and the governor's office, and except as provided by Subsection (c), a plan must include:
    (1) a statement of the mission and goals of the state agency;
    (2) a description of the indicators developed under this chapter and used to measure the output and outcome of the agency;
    (3) identification of the groups of people served by the agency, including those having service priorities, or other service measures established by law, and estimates of changes in those groups expected during the term of the plan;
    (4) an analysis of the use of the agency's resources to meet the agency's needs, including future needs, and an estimate of additional resources that may be necessary to meet future needs;
    (5) an analysis of expected changes in the services provided by the agency because of changes in state or federal law;
    (6) a description of the means and strategies for meeting the agency's needs, including future needs, and achieving the goals established under Section 2056.006 for each area of state government for which the agency provides services;
    (7) a description of the capital improvement needs of the agency during the term of the plan and a statement, if appropriate, of the priority of those needs;
    (8) identification of each geographic region of this state, including the Texas-Louisiana border region and the Texas-Mexico border region, served by the agency, and if appropriate the agency's means and strategies for serving each region;
    (9) a description of the training of the agency's contract managers under Section 656.052;
    (10) an analysis of the agency's expected expenditures that relate to federally owned or operated military installations or facilities, or communities where a federally owned or operated military installation or facility is located;
    (11) an analysis of the strategic use of information resources as provided by the instructions prepared under Section 2054.095; [and]
    (12) a written certification of the agency's compliance with the cybersecurity training required under Sections 2054.5191 and 2054.5192; and
    (13) other information that may be required.

SECTION 5. Section 2054.519(f), Government Code, as added by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular Session, 2019, is repealed.

SECTION 6. (a) Section 772.012, Government Code, as added by this Act, applies only to a grant application submitted by a local government on or after September 1, 2021.
(b) Section 2056.002(b), Government Code, as amended by this Act, applies only to a strategic plan submitted by a state agency on or after January 1, 2022.

SECTION 7. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2021.

______________________________    ______________________________
President of the Senate           Speaker of the House

I certify that H.B. No. 1118 was passed by the House on April 8, 2021, by the following vote: Yeas 149, Nays 0, 1 present, not voting; and that the House concurred in Senate amendments to H.B. No. 1118 on May 5, 2021, by the following vote: Yeas 143, Nays 0, 1 present, not voting.

______________________________
Chief Clerk of the House

I certify that H.B. No. 1118 was passed by the Senate, with amendments, on April 29, 2021, by the following vote: Yeas 31, Nays 0.

______________________________
Secretary of the Senate

APPROVED: __________________
                 Date

          __________________
               Governor