Security awareness

55 federal and state regulations that require employee security awareness and training

November 10, 2020 by Tyra Appleby

Introduction

Humans are repeatedly described as the weakest link in the cybersecurity chain. We are highly susceptible to falling for phishing attacks, social engineering schemes and other deceptive attempts. This realization makes cybersecurity training increasingly important. 

Companies are putting more effort into their cybersecurity training programs, but does the law require cybersecurity training? Or is just something good to do in the interest of safety?

No matter your industry, many laws and mandates require employees to receive some level of cybersecurity training. If applicable, these laws and mandates also dictate tracking requirements. It’s not enough to just implement training; you need to track and document that all applicable employees have taken it. Audits do happen! 

It’s important to note that training requirements may vary based on roles and levels of responsibilities. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. Below, we will discuss various compliance laws and how they define cybersecurity training.

Federal regulations

If you are a business owner, an independent contractor or an employee, you are subject to cybersecurity regulations. From a federal perspective, your industry determines which regulatory bodies and legislation apply to you. If you work in healthcare, you have heard of HIPAA. If you work in the DoD or federal government, you’ve probably heard of FISMA. 

Not just your industry determines what regulations you must abide by — the functions you perform also determine that. You could be subject to multiple laws, regulations and authorities. If you’re an IT company that processes health-related data, you may need to know about FISMA as well as HIPAA requirements. Most federal training requirements are expected to be performed annually at a minimum.

  1. Federal Information Security Modernization Act (FISMA)
    The office of Management and Budget (OMB) is responsible for managing the Federal Information Security Modernization Act of 2014. This is the overarching mandate for federal agencies. FISMA requires all federal employees and contractors to participate in annual cybersecurity training
  2. Health Insurance Portability and Accountability Act (HIPAA)
    HIPAA has been around since 1996. It is a federal law issued by the US Department of Health and Human Services (HHS). It provides national standards for the protection of health and healthcare information. HHS ensures complete compliance with role-based training requirements based on the OMB A-130 FISMA requirements and is also required annually.
  3. Gramm-Leach-Bliley Act (GLBA)
    The GLBA was implemented to determine how financial organizations protect non-public information (NPI). Annual training is required.
  4. Payment Card Industry Data Security Standard (PCI DSS)
    This policy regulates the banking industry and is used by any organization that processes payment via credit cards. Annual training is required.
  5. General Data Privacy Regulation (GDPR)
    The GDPR was launched to ensure businesses secured privacy data in relation to European citizens. Even if you are a US-based company, you are subject to compliance if you manage any European customer data. GDPR requires annual privacy awareness training.

State regulations

When it comes to state regulations, they seem to still be evolving and adapting. Below, we will address the requirements for each state.

  1. Alabama
    Alabama Code Title 41, Section 28 mandates Alabama Information technology laws. The Executive Branch Secretary indirectly authorizes cyber training, and training is provided here.
  2. Alaska
    Alaska does not mandate cybersecurity training. However, they do provide training and threat indicators. Alaska’s Department of Administration, Enterprise Technology Services division, develops the cybersecurity website for the state.
  3. Arizona
    Arizona does not mandate cybersecurity training. However, the Chief Information Officer develops the state IT strategic plan, and cyber training is incorporated under goal 1.4.
  4. Arkansas
    Arkansas does not mandate cybersecurity training. Voluntary training is developed and provided by the State of Arkansas Department of Information Systems, Cybersecurity Office.
  5. California
    California does not mandate cyber training. However, there are several training opportunities. Individual state agencies like the DMV and the Franchise Tax Board implement mandatory cyber training.
  6. Colorado
    Colorado requires cyber training for state employees. It is statutorily required under the Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.
  7. Connecticut
    Connecticut mandates cybersecurity awareness for state employees.
  8. Delaware
    Delaware mandates statewide cyber training for all executive branch, state and local agency employees through the Delaware Code Title 29, Chapter 90C.
  9. Florida
    Florida mandates cyber training for state employees, as required by Florida Statutes Chapter 282. Source.
  10. Georgia
    GA E.O.182: This executive order mandates that all Executive Branch agencies and employees complete cybersecurity training within ninety (90) days of releasing this order.
  11. Hawaii
    Hawaii does not mandate cybersecurity awareness training but does provide a cybersecurity program.
  12. Idaho
    Idaho does not mandate cybersecurity training but does provide training on their state webpage.
  13. Illinois
    In Illinois, Cook County has training.
  14. Indiana
    Indiana has recently released a bill to mandate cybersecurity training: IN H 1240.
  15. Iowa
    Iowa has voluntary security awareness training produced by the Executive branch.
  16. Kansas
    The Kansas Office of Information Technology Services webpage has self-assessment security tools.
  17. Kentucky
    Kentucky does not mandate cybersecurity training but does annual host training for state government employees during October, which is Cybersecurity Awareness Month.
  18. Louisiana
    Louisiana has mandatory cybersecurity training for new employees and annually thereafter pursuant to the Louisiana Division of Administration, Office of Technology Services p.52: LA H 633.
  19. Maine
    Maine does not mandate cyber training. They do provide training for new employees through the Maine Office of Information Technology.
  20. Maryland
    Maryland requires state employee cyber training through DHS. State agency personnel have to take a cyber class each month in order to gain access to state networks. See here and here.
  21. Massachusetts
    Massachusetts does not mandate cyber training.
  22. Michigan
    Michigan does not mandate cybersecurity training. They do, however, offer online state employee training.
  23. Minnesota
    Minnesota does not mandate cybersecurity training. They offer security services to employees and residents.
  24. Mississippi
    Mississippi does not mandate cybersecurity training. They do provide online training resources for state employees through an outside college.
  25. Missouri
    Missouri has an employee tips webpage. Here is their Cybersecurity page.
  26. Montana
    Montana enforces mandatory cyber training for executive branch state employees upon hiring and annually thereafter. Legislative branch employees are not required to take cyber training but are encouraged to do so.
  27. Nebraska
    Nebraska has mandatory annual training and a refresher course for all NV state employees.
  28. Nevada
    Nevada requires agency-by-agency state employee annual cybersecurity training, and a passing grade is required: State Security Standard 123 – IT Security.
  29. New Hampshire
    New Hampshire requires mandatory annual cyber training for state employees through an executive order.
  30. New Jersey
    New Jersey recently passed legislation to mandate annual cybersecurity awareness training: NJ A 1654
  31. New Mexico
    New Mexico does not have mandatory cyber training.
  32. New York
    New York does not mandate cyber training but provides training for the general public.
  33. North Carolina
    North Carolina mandates each agency to provide training and annual assessments of security issues on an agency-by-agency basis.
  34. North Dakota
    North Dakota does not mandate cybersecurity training. They provide security information for state government employees.
  35. Ohio
    Ohio mandates cybersecurity awareness training through its IT-15 (Security Awareness and Training) mandate. Training is provided here.
  36. Oklahoma
    Oklahoma does not mandate cyber training. The Oklahoma Department of Homeland Security provides a webpage with cyber tips.
  37. Oregon
    Oregon employees, volunteers and third-party users will receive appropriate cyber awareness training and regular updates on policies and procedures.
  38. Pennsylvania
    Pennsylvania mandates annual online security awareness training for all state government employees.
  39. Rhode Island
    Rhode Island does not mandate cyber training.
  40. South Carolina
    Cyber training is not mandated. The state offers training as a program through DHS to state government employees.
  41. South Dakota
    South Dakota does not mandate cybersecurity training. They do provide a training resources page.
  42. Tennessee
    State employees are expected, but not mandated, to take state-provided security and awareness training when first employed and annually thereafter.
  43. Texas
    Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.
  44. Utah
    Utah has mandatory cyber training for all executive branch level state employees. Training must be completed annually. Below are the security policies:
    5000-0002 Information Security Policy (DTS)
    5000-0003
    Enterprise Mobile Device Policy
    5000-0004 Enterprise Web Filter Policy
  45. Vermont
    Vermont enforces mandatory security awareness training for all new state employees. There is no current requirement for repeat training. Their standards and directives include:
    Cybersecurity Directive 19-01
    Cybersecurity Standard Update 19-01
    Information Security Standards
  46. Virginia
    Virginia has required agency by agency state employee training: VA H 852.
  47. Washington
    Washington state does not mandate cybersecurity training.
  48. West Virginia
    Cybersecurity training in West Virginia is mandatory under WV Code Section 5A-6-4a.
  49. Wisconsin
    Wisconsin does not mandate cyber training. Training is available for employees and the general public.
  50. Wyoming
    Wyoming does not mandate cybersecurity training. There is, however, a cyber awareness page provided for the general public.

 

Sources

Security Awareness Training FAQ, TeachPrivacy

HIPAA for Professionals, HHS.gov

Federal Information Security Modernization Act of 2014, HHS.gov

Cybersecurity Legislation 2020, NCSL

Exec Order :: GA 182 2019, custom.statenet.com

HOUSE BILL No. 1240, custom.statenet.com

Security Awareness Training in the Context of GDPR, Mindsett Security

Cybersecurity Legislation 2019, NCSL

State Cyber Training for State Employees, ncsl.org

Posted: November 10, 2020
Articles Author
Tyra Appleby
View Profile

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.