Security awareness

55 federal and state regulations that require employee security awareness and training

Tyra Appleby
November 10, 2020 by
Tyra Appleby

Introduction

Humans are repeatedly described as the weakest link in the cybersecurity chain. We are highly susceptible to falling for phishing attacks, social engineering schemes and other deceptive attempts. This realization makes cybersecurity training increasingly important. 

Companies are putting more effort into their cybersecurity training programs, but does the law require cybersecurity training? Or is just something good to do in the interest of safety?

No matter your industry, many laws and mandates require employees to receive some level of cybersecurity training. If applicable, these laws and mandates also dictate tracking requirements. It’s not enough to just implement training; you need to track and document that all applicable employees have taken it. Audits do happen! 

It’s important to note that training requirements may vary based on roles and levels of responsibilities. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. Below, we will discuss various compliance laws and how they define cybersecurity training.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Federal regulations

If you are a business owner, an independent contractor or an employee, you are subject to cybersecurity regulations. From a federal perspective, your industry determines which regulatory bodies and legislation apply to you. If you work in healthcare, you have heard of HIPAA. If you work in the DoD or federal government, you’ve probably heard of FISMA. 

Not just your industry determines what regulations you must abide by — the functions you perform also determine that. You could be subject to multiple laws, regulations and authorities. If you’re an IT company that processes health-related data, you may need to know about FISMA as well as HIPAA requirements. Most federal training requirements are expected to be performed annually at a minimum.

  1. Federal Information Security Modernization Act (FISMA) The office of Management and Budget (OMB) is responsible for managing the Federal Information Security Modernization Act of 2014. This is the overarching mandate for federal agencies. FISMA requires all federal employees and contractors to participate in annual cybersecurity training
  2. Health Insurance Portability and Accountability Act (HIPAA) HIPAA has been around since 1996. It is a federal law issued by the US Department of Health and Human Services (HHS). It provides national standards for the protection of health and healthcare information. HHS ensures complete compliance with role-based training requirements based on the OMB A-130 FISMA requirements and is also required annually.
  3. Gramm-Leach-Bliley Act (GLBA) The GLBA was implemented to determine how financial organizations protect non-public information (NPI). Annual training is required.
  4. Payment Card Industry Data Security Standard (PCI DSS) This policy regulates the banking industry and is used by any organization that processes payment via credit cards. Annual training is required.
  5. General Data Privacy Regulation (GDPR) The GDPR was launched to ensure businesses secured privacy data in relation to European citizens. Even if you are a US-based company, you are subject to compliance if you manage any European customer data. GDPR requires annual privacy awareness training.

State regulations

When it comes to state regulations, they seem to still be evolving and adapting. Below, we will address the requirements for each state.

  1. Alabama Alabama Code Title 41, Section 28 mandates Alabama Information technology laws. The Executive Branch Secretary indirectly authorizes cyber training, and training is provided here.
  2. Alaska Alaska does not mandate cybersecurity training. However, they do provide training and threat indicators. Alaska’s Department of Administration, Enterprise Technology Services division, develops the cybersecurity website for the state.
  3. Arizona Arizona does not mandate cybersecurity training. However, the Chief Information Officer develops the state IT strategic plan, and cyber training is incorporated under goal 1.4.
  4. Arkansas Arkansas does not mandate cybersecurity training. Voluntary training is developed and provided by the State of Arkansas Department of Information Systems, Cybersecurity Office.
  5. California California does not mandate cyber training. However, there are several training opportunities. Individual state agencies like the DMV and the Franchise Tax Board implement mandatory cyber training.
  6. Colorado Colorado requires cyber training for state employees. It is statutorily required under the Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.
  7. Connecticut Connecticut mandates cybersecurity awareness for state employees.
  8. Delaware Delaware mandates statewide cyber training for all executive branch, state and local agency employees through the Delaware Code Title 29, Chapter 90C.
  9. Florida Florida mandates cyber training for state employees, as required by Florida Statutes Chapter 282. Source.
  10. Georgia GA E.O.182: This executive order mandates that all Executive Branch agencies and employees complete cybersecurity training within ninety (90) days of releasing this order.
  11. Hawaii Hawaii does not mandate cybersecurity awareness training but does provide a cybersecurity program.
  12. Idaho Idaho does not mandate cybersecurity training but does provide training on their state webpage.
  13. Illinois In Illinois, Cook County has training.
  14. Indiana Indiana has recently released a bill to mandate cybersecurity training: IN H 1240.
  15. Iowa Iowa has voluntary security awareness training produced by the Executive branch.
  16. Kansas The Kansas Office of Information Technology Services webpage has self-assessment security tools.
  17. Kentucky Kentucky does not mandate cybersecurity training but does annual host training for state government employees during October, which is Cybersecurity Awareness Month.
  18. Louisiana Louisiana has mandatory cybersecurity training for new employees and annually thereafter pursuant to the Louisiana Division of Administration, Office of Technology Services p.52: LA H 633.
  19. Maine Maine does not mandate cyber training. They do provide training for new employees through the Maine Office of Information Technology.
  20. Maryland Maryland requires state employee cyber training through DHS. State agency personnel have to take a cyber class each month in order to gain access to state networks. See here and here.
  21. Massachusetts Massachusetts does not mandate cyber training.
  22. Michigan Michigan does not mandate cybersecurity training. They do, however, offer online state employee training.
  23. Minnesota Minnesota does not mandate cybersecurity training. They offer security services to employees and residents.
  24. Mississippi Mississippi does not mandate cybersecurity training. They do provide online training resources for state employees through an outside college.
  25. Missouri Missouri has an employee tips webpage. Here is their Cybersecurity page.
    Get six free posters

    Get six free posters

    Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

  26. Montana Montana enforces mandatory cyber training for executive branch state employees upon hiring and annually thereafter. Legislative branch employees are not required to take cyber training but are encouraged to do so.
  27. Nebraska Nebraska has mandatory annual training and a refresher course for all NV state employees.
  28. Nevada Nevada requires agency-by-agency state employee annual cybersecurity training, and a passing grade is required: State Security Standard 123 – IT Security.
  29. New Hampshire New Hampshire requires mandatory annual cyber training for state employees through an executive order.
  30. New Jersey New Jersey recently passed legislation to mandate annual cybersecurity awareness training: NJ A 1654
  31. New Mexico New Mexico does not have mandatory cyber training.
  32. New York New York does not mandate cyber training but provides training for the general public.
  33. North Carolina North Carolina mandates each agency to provide training and annual assessments of security issues on an agency-by-agency basis.
  34. North Dakota North Dakota does not mandate cybersecurity training. They provide security information for state government employees.
  35. Ohio Ohio mandates cybersecurity awareness training through its IT-15 (Security Awareness and Training) mandate. Training is provided here.
  36. Oklahoma Oklahoma does not mandate cyber training. The Oklahoma Department of Homeland Security provides a webpage with cyber tips.
  37. Oregon Oregon employees, volunteers and third-party users will receive appropriate cyber awareness training and regular updates on policies and procedures.
  38. Pennsylvania Pennsylvania mandates annual online security awareness training for all state government employees.
  39. Rhode Island Rhode Island does not mandate cyber training.
  40. South Carolina Cyber training is not mandated. The state offers training as a program through DHS to state government employees.
  41. South Dakota South Dakota does not mandate cybersecurity training. They do provide a training resources page.
  42. Tennessee State employees are expected, but not mandated, to take state-provided security and awareness training when first employed and annually thereafter.
  43. Texas Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.
  44. Utah Utah has mandatory cyber training for all executive branch level state employees. Training must be completed annually. Below are the security policies:

    5000-0002 Information Security Policy (DTS)

    5000-0003 Enterprise Mobile Device Policy

    5000-0004 Enterprise Web Filter Policy
  45. Vermont
  46. Vermont enforces mandatory security awareness training for all new state employees. There is no current requirement for repeat training. Their standards and directives include:

    Cybersecurity Directive 19-01

    Cybersecurity Standard Update 19-01

    Information Security Standards

    See Infosec IQ in action

    See Infosec IQ in action

    From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

  47. Virginia
  48. Virginia has required agency by agency state employee training: VA H 852.
  49. Washington Washington state does not mandate cybersecurity training.
  50. West Virginia Cybersecurity training in West Virginia is mandatory under WV Code Section 5A-6-4a.
  51. Wisconsin Wisconsin does not mandate cyber training. Training is available for employees and the general public.
  52. Wyoming Wyoming does not mandate cybersecurity training. There is, however, a cyber awareness page provided for the general public.

 

Sources

Security Awareness Training FAQ, TeachPrivacy

HIPAA for Professionals, HHS.gov

Federal Information Security Modernization Act of 2014, HHS.gov

Cybersecurity Legislation 2020, NCSL

Exec Order :: GA 182 2019, custom.statenet.com

HOUSE BILL No. 1240, custom.statenet.com

Security Awareness Training in the Context of GDPR, Mindsett Security

Cybersecurity Legislation 2019, NCSL

State Cyber Training for State Employees, ncsl.org

Tyra Appleby
Tyra Appleby

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.