55 federal and state regulations that require employee security awareness and training
Introduction
Humans are repeatedly described as the weakest link in the cybersecurity chain. We are highly susceptible to falling for phishing attacks, social engineering schemes and other deceptive attempts. This realization makes cybersecurity training increasingly important.
Companies are putting more effort into their cybersecurity training programs, but does the law require cybersecurity training? Or is just something good to do in the interest of safety?
No matter your industry, many laws and mandates require employees to receive some level of cybersecurity training. If applicable, these laws and mandates also dictate tracking requirements. It’s not enough to just implement training; you need to track and document that all applicable employees have taken it. Audits do happen!
It’s important to note that training requirements may vary based on roles and levels of responsibilities. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. Below, we will discuss various compliance laws and how they define cybersecurity training.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Federal regulations
If you are a business owner, an independent contractor or an employee, you are subject to cybersecurity regulations. From a federal perspective, your industry determines which regulatory bodies and legislation apply to you. If you work in healthcare, you have heard of HIPAA. If you work in the DoD or federal government, you’ve probably heard of FISMA.
Not just your industry determines what regulations you must abide by — the functions you perform also determine that. You could be subject to multiple laws, regulations and authorities. If you’re an IT company that processes health-related data, you may need to know about FISMA as well as HIPAA requirements. Most federal training requirements are expected to be performed annually at a minimum.
- Federal Information Security Modernization Act (FISMA) The office of Management and Budget (OMB) is responsible for managing the Federal Information Security Modernization Act of 2014. This is the overarching mandate for federal agencies. FISMA requires all federal employees and contractors to participate in annual cybersecurity training
- Health Insurance Portability and Accountability Act (HIPAA) HIPAA has been around since 1996. It is a federal law issued by the US Department of Health and Human Services (HHS). It provides national standards for the protection of health and healthcare information. HHS ensures complete compliance with role-based training requirements based on the OMB A-130 FISMA requirements and is also required annually.
- Gramm-Leach-Bliley Act (GLBA) The GLBA was implemented to determine how financial organizations protect non-public information (NPI). Annual training is required.
- Payment Card Industry Data Security Standard (PCI DSS) This policy regulates the banking industry and is used by any organization that processes payment via credit cards. Annual training is required.
- General Data Privacy Regulation (GDPR) The GDPR was launched to ensure businesses secured privacy data in relation to European citizens. Even if you are a US-based company, you are subject to compliance if you manage any European customer data. GDPR requires annual privacy awareness training.
State regulations
When it comes to state regulations, they seem to still be evolving and adapting. Below, we will address the requirements for each state.
- Alabama Alabama Code Title 41, Section 28 mandates Alabama Information technology laws. The Executive Branch Secretary indirectly authorizes cyber training, and training is provided here.
- Alaska Alaska does not mandate cybersecurity training. However, they do provide training and threat indicators. Alaska’s Department of Administration, Enterprise Technology Services division, develops the cybersecurity website for the state.
- Arizona Arizona does not mandate cybersecurity training. However, the Chief Information Officer develops the state IT strategic plan, and cyber training is incorporated under goal 1.4.
- Arkansas Arkansas does not mandate cybersecurity training. Voluntary training is developed and provided by the State of Arkansas Department of Information Systems, Cybersecurity Office.
- California California does not mandate cyber training. However, there are several training opportunities. Individual state agencies like the DMV and the Franchise Tax Board implement mandatory cyber training.
- Colorado Colorado requires cyber training for state employees. It is statutorily required under the Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.
- Connecticut Connecticut mandates cybersecurity awareness for state employees.
- Delaware Delaware mandates statewide cyber training for all executive branch, state and local agency employees through the Delaware Code Title 29, Chapter 90C.
- Florida Florida mandates cyber training for state employees, as required by Florida Statutes Chapter 282. Source.
- Georgia GA E.O.182: This executive order mandates that all Executive Branch agencies and employees complete cybersecurity training within ninety (90) days of releasing this order.
- Hawaii Hawaii does not mandate cybersecurity awareness training but does provide a cybersecurity program.
- Idaho Idaho does not mandate cybersecurity training but does provide training on their state webpage.
- Illinois In Illinois, Cook County has training.
- Indiana Indiana has recently released a bill to mandate cybersecurity training: IN H 1240.
- Iowa Iowa has voluntary security awareness training produced by the Executive branch.
- Kansas The Kansas Office of Information Technology Services webpage has self-assessment security tools.
- Kentucky Kentucky does not mandate cybersecurity training but does annual host training for state government employees during October, which is Cybersecurity Awareness Month.
- Louisiana Louisiana has mandatory cybersecurity training for new employees and annually thereafter pursuant to the Louisiana Division of Administration, Office of Technology Services p.52: LA H 633.
- Maine Maine does not mandate cyber training. They do provide training for new employees through the Maine Office of Information Technology.
- Maryland Maryland requires state employee cyber training through DHS. State agency personnel have to take a cyber class each month in order to gain access to state networks. See here and here.
- Massachusetts Massachusetts does not mandate cyber training.
- Michigan Michigan does not mandate cybersecurity training. They do, however, offer online state employee training.
- Minnesota Minnesota does not mandate cybersecurity training. They offer security services to employees and residents.
- Mississippi Mississippi does not mandate cybersecurity training. They do provide online training resources for state employees through an outside college.
- Missouri
Missouri has an employee tips webpage. Here is their Cybersecurity page.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
- Montana Montana enforces mandatory cyber training for executive branch state employees upon hiring and annually thereafter. Legislative branch employees are not required to take cyber training but are encouraged to do so.
- Nebraska Nebraska has mandatory annual training and a refresher course for all NV state employees.
- Nevada Nevada requires agency-by-agency state employee annual cybersecurity training, and a passing grade is required: State Security Standard 123 – IT Security.
- New Hampshire New Hampshire requires mandatory annual cyber training for state employees through an executive order.
- New Jersey New Jersey recently passed legislation to mandate annual cybersecurity awareness training: NJ A 1654
- New Mexico New Mexico does not have mandatory cyber training.
- New York New York does not mandate cyber training but provides training for the general public.
- North Carolina North Carolina mandates each agency to provide training and annual assessments of security issues on an agency-by-agency basis.
- North Dakota North Dakota does not mandate cybersecurity training. They provide security information for state government employees.
- Ohio Ohio mandates cybersecurity awareness training through its IT-15 (Security Awareness and Training) mandate. Training is provided here.
- Oklahoma Oklahoma does not mandate cyber training. The Oklahoma Department of Homeland Security provides a webpage with cyber tips.
- Oregon Oregon employees, volunteers and third-party users will receive appropriate cyber awareness training and regular updates on policies and procedures.
- Pennsylvania Pennsylvania mandates annual online security awareness training for all state government employees.
- Rhode Island Rhode Island does not mandate cyber training.
- South Carolina Cyber training is not mandated. The state offers training as a program through DHS to state government employees.
- South Dakota South Dakota does not mandate cybersecurity training. They do provide a training resources page.
- Tennessee State employees are expected, but not mandated, to take state-provided security and awareness training when first employed and annually thereafter.
- Texas Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.
- Utah
Utah has mandatory cyber training for all executive branch level state employees. Training must be completed annually. Below are the security policies:
5000-0002 Information Security Policy (DTS)
5000-0003 Enterprise Mobile Device Policy
5000-0004 Enterprise Web Filter Policy - Vermont
- Virginia Virginia has required agency by agency state employee training: VA H 852.
- Washington Washington state does not mandate cybersecurity training.
- West Virginia Cybersecurity training in West Virginia is mandatory under WV Code Section 5A-6-4a.
- Wisconsin Wisconsin does not mandate cyber training. Training is available for employees and the general public.
- Wyoming Wyoming does not mandate cybersecurity training. There is, however, a cyber awareness page provided for the general public.
Vermont enforces mandatory security awareness training for all new state employees. There is no current requirement for repeat training. Their standards and directives include:
Cybersecurity Standard Update 19-01
Information Security Standards
See Infosec IQ in action
Sources
Security Awareness Training FAQ, TeachPrivacy
HIPAA for Professionals, HHS.gov
Federal Information Security Modernization Act of 2014, HHS.gov
Cybersecurity Legislation 2020, NCSL
Exec Order :: GA 182 2019, custom.statenet.com
HOUSE BILL No. 1240, custom.statenet.com
Security Awareness Training in the Context of GDPR, Mindsett Security
Cybersecurity Legislation 2019, NCSL
State Cyber Training for State Employees, ncsl.org