55 federal and state regulations that require employee security awareness and training
Humans are repeatedly described as the weakest link in the cybersecurity chain. We are highly susceptible to falling for phishing attacks, social engineering schemes and other deceptive attempts. This realization makes cybersecurity training increasingly important.
Companies are putting more effort into their cybersecurity training programs, but does the law require cybersecurity training? Or is just something good to do in the interest of safety?
No matter your industry, many laws and mandates require employees to receive some level of cybersecurity training. If applicable, these laws and mandates also dictate tracking requirements. It’s not enough to just implement training; you need to track and document that all applicable employees have taken it. Audits do happen!
It’s important to note that training requirements may vary based on roles and levels of responsibilities. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. Below, we will discuss various compliance laws and how they define cybersecurity training.
If you are a business owner, an independent contractor or an employee, you are subject to cybersecurity regulations. From a federal perspective, your industry determines which regulatory bodies and legislation apply to you. If you work in healthcare, you have heard of HIPAA. If you work in the DoD or federal government, you’ve probably heard of FISMA.
Not just your industry determines what regulations you must abide by — the functions you perform also determine that. You could be subject to multiple laws, regulations and authorities. If you’re an IT company that processes health-related data, you may need to know about FISMA as well as HIPAA requirements. Most federal training requirements are expected to be performed annually at a minimum.
- Federal Information Security Modernization Act (FISMA)
The office of Management and Budget (OMB) is responsible for managing the Federal Information Security Modernization Act of 2014. This is the overarching mandate for federal agencies. FISMA requires all federal employees and contractors to participate in annual cybersecurity training
- Health Insurance Portability and Accountability Act (HIPAA)
HIPAA has been around since 1996. It is a federal law issued by the US Department of Health and Human Services (HHS). It provides national standards for the protection of health and healthcare information. HHS ensures complete compliance with role-based training requirements based on the OMB A-130 FISMA requirements and is also required annually.
- Gramm-Leach-Bliley Act (GLBA)
The GLBA was implemented to determine how financial organizations protect non-public information (NPI). Annual training is required.
- Payment Card Industry Data Security Standard (PCI DSS)
This policy regulates the banking industry and is used by any organization that processes payment via credit cards. Annual training is required.
- General Data Privacy Regulation (GDPR)
The GDPR was launched to ensure businesses secured privacy data in relation to European citizens. Even if you are a US-based company, you are subject to compliance if you manage any European customer data. GDPR requires annual privacy awareness training.
When it comes to state regulations, they seem to still be evolving and adapting. Below, we will address the requirements for each state.
Alabama Code Title 41, Section 28 mandates Alabama Information technology laws. The Executive Branch Secretary indirectly authorizes cyber training, and training is provided here.
Alaska does not mandate cybersecurity training. However, they do provide training and threat indicators. Alaska’s Department of Administration, Enterprise Technology Services division, develops the cybersecurity website for the state.
Arizona does not mandate cybersecurity training. However, the Chief Information Officer develops the state IT strategic plan, and cyber training is incorporated under goal 1.4.
Arkansas does not mandate cybersecurity training. Voluntary training is developed and provided by the State of Arkansas Department of Information Systems, Cybersecurity Office.
California does not mandate cyber training. However, there are several training opportunities. Individual state agencies like the DMV and the Franchise Tax Board implement mandatory cyber training.
Colorado requires cyber training for state employees. It is statutorily required under the Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.
Connecticut mandates cybersecurity awareness for state employees.
Delaware mandates statewide cyber training for all executive branch, state and local agency employees through the Delaware Code Title 29, Chapter 90C.
Florida mandates cyber training for state employees, as required by Florida Statutes Chapter 282. Source.
GA E.O.182: This executive order mandates that all Executive Branch agencies and employees complete cybersecurity training within ninety (90) days of releasing this order.
Hawaii does not mandate cybersecurity awareness training but does provide a cybersecurity program.
Idaho does not mandate cybersecurity training but does provide training on their state webpage.
In Illinois, Cook County has training.
Indiana has recently released a bill to mandate cybersecurity training: IN H 1240.
Iowa has voluntary security awareness training produced by the Executive branch.
The Kansas Office of Information Technology Services webpage has self-assessment security tools.
Kentucky does not mandate cybersecurity training but does annual host training for state government employees during October, which is Cybersecurity Awareness Month.
Louisiana has mandatory cybersecurity training for new employees and annually thereafter pursuant to the Louisiana Division of Administration, Office of Technology Services p.52: LA H 633.
Maine does not mandate cyber training. They do provide training for new employees through the Maine Office of Information Technology.
Maryland requires state employee cyber training through DHS. State agency personnel have to take a cyber class each month in order to gain access to state networks. See here and here.
Massachusetts does not mandate cyber training.
Michigan does not mandate cybersecurity training. They do, however, offer online state employee training.
Minnesota does not mandate cybersecurity training. They offer security services to employees and residents.
Mississippi does not mandate cybersecurity training. They do provide online training resources for state employees through an outside college.
Missouri has an employee tips webpage. Here is their Cybersecurity page.
Montana enforces mandatory cyber training for executive branch state employees upon hiring and annually thereafter. Legislative branch employees are not required to take cyber training but are encouraged to do so.
Nebraska has mandatory annual training and a refresher course for all NV state employees.
Nevada requires agency-by-agency state employee annual cybersecurity training, and a passing grade is required: State Security Standard 123 – IT Security.
- New Hampshire
New Hampshire requires mandatory annual cyber training for state employees through an executive order.
- New Jersey
New Jersey recently passed legislation to mandate annual cybersecurity awareness training: NJ A 1654
- New Mexico
New Mexico does not have mandatory cyber training.
- New York
New York does not mandate cyber training but provides training for the general public.
- North Carolina
North Carolina mandates each agency to provide training and annual assessments of security issues on an agency-by-agency basis.
- North Dakota
North Dakota does not mandate cybersecurity training. They provide security information for state government employees.
Ohio mandates cybersecurity awareness training through its IT-15 (Security Awareness and Training) mandate. Training is provided here.
Oklahoma does not mandate cyber training. The Oklahoma Department of Homeland Security provides a webpage with cyber tips.
Oregon employees, volunteers and third-party users will receive appropriate cyber awareness training and regular updates on policies and procedures.
Pennsylvania mandates annual online security awareness training for all state government employees.
- Rhode Island
Rhode Island does not mandate cyber training.
- South Carolina
Cyber training is not mandated. The state offers training as a program through DHS to state government employees.
- South Dakota
South Dakota does not mandate cybersecurity training. They do provide a training resources page.
State employees are expected, but not mandated, to take state-provided security and awareness training when first employed and annually thereafter.
Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.
Utah has mandatory cyber training for all executive branch level state employees. Training must be completed annually. Below are the security policies:
5000-0002 Information Security Policy (DTS)
5000-0003 Enterprise Mobile Device Policy
5000-0004 Enterprise Web Filter Policy
Vermont enforces mandatory security awareness training for all new state employees. There is no current requirement for repeat training. Their standards and directives include:
Cybersecurity Directive 19-01
Cybersecurity Standard Update 19-01
Information Security Standards
Virginia has required agency by agency state employee training: VA H 852.
Washington state does not mandate cybersecurity training.
- West Virginia
Cybersecurity training in West Virginia is mandatory under WV Code Section 5A-6-4a.
Wisconsin does not mandate cyber training. Training is available for employees and the general public.
Wyoming does not mandate cybersecurity training. There is, however, a cyber awareness page provided for the general public.
Security Awareness Training FAQ, TeachPrivacy
HIPAA for Professionals, HHS.gov
Exec Order :: GA 182 2019, custom.statenet.com
HOUSE BILL No. 1240, custom.statenet.com
Security Awareness Training in the Context of GDPR, Mindsett Security
State Cyber Training for State Employees, ncsl.org