Bill Summary – FastDemocracy

LEGISLATIVE GENERAL COUNSEL                                              H.B. 239
       6 Approved for Filing: S. Elder 6
          6 01-10-24 3:04 PM 6
                  STATE EMPLOYEE CYBERSECURITY TRAINING
                                         REQUIREMENTS
                                      2024 GENERAL SESSION
                                           STATE OF UTAH
                               Chief Sponsor: Carl R. Albrecht
                                Senate Sponsor: Evan J. Vickers
 7
 LONG TITLE
 General Description:
        This bill provides for a state cybersecurity awareness training program for all state
 executive branch employees.
 Highlighted Provisions:
        This bill:
        < requires the Division of Technology Services to create a yearly cybersecurity
 training course; and
        < requires all state executive branch employees to complete the cybersecurity training
 course once a year.
 Money Appropriated in this Bill:
        None
 Other Special Clauses:
        None
 Utah Code Sections Affected:
 ENACTS:
        67-27-105, Utah Code Annotated 1953
                                                                                                     H.B. 239
25
 Be it enacted by the Legislature of the state of Utah:
        Section 1. Section 67-27-105 is enacted to read:
     *HB0239*
      H.B. 239                                                                      01-10-24 3:04 PM
           67-27-105. Required cybersecurity training.
           (1) (a) The Division of Technology Services shall institute, develop, conduct, and
 otherwise provide for a cybersecurity training program for all employees of the state executive
 branch.
           (b) A state executive branch employee that is not issued a computer, tablet, or cell
 phone is not required to participate in the cybersecurity training program described in
 Subsection (1).
           (2) The Division of Technology Services shall design the cybersecurity training
 program to provide instruction regarding:
           (a) secure computing practices;
           (b) recognizing and responding to potential cyber threats;
           (c) protecting sensitive data and information;
           (d) password management and multi-factor authentication;
           (e) appropriate use of technology resources; and
           (f) any other matter the Division of Technology Services determines should be
 included in the training program.
           (3) All state executive branch employees shall be required to complete the
 cybersecurity training program described in Subsection (1):
           (a) within 30 days after beginning employment; and
           (b) at least once in each calendar year.
           (4) Each state agency shall be responsible for monitoring and verifying completion of
 cybersecurity training by their employees.
           Section 2. Effective date.
           This bill takes effect on May 1, 2024.
                                                          -2-