Contractors with access to university-managed systems or databases are now required to complete cybersecurity training

University contractors who have access to controlled or confidential information and data are now required by HB 3834 to complete a cybersecurity training program. Colleges, schools, and units (CSUs) who hire contractors are also required to certify that these individuals have completedthe required training.CSUs are required to provide this certification to the contract manager at UT Austin for every contract where contractors have been given access to a UT Austin computer system with access to controlled or confidential information.

Cybersecurity Training for Contractors 
Cybersecurity awareness training must be completed by the contractor or affiliate during the term of a purchase order or contract and during any renewal period. The UTLearn “Information Security Awareness” course will fulfill this training requirement. Contractors, consultants who are added to Workday as “Affiliate Contractor” or “Independent Contractor” will have access to this training in UTLearn starting August 14, 2020. For others, please see the Vendor section in the Certified Training Programs from the DIR Texas website.

Certifying Contractors have Completed Training through the ISORA process
Each CSU will be asked to certify that they have certificates from all contractors who are working on an active contract or who have worked on a contract within the previous year through the annual ISORA enterprise risk assessment process. The first time CSUs will be asked to provide this certification will be in the 2020 ISORA process which will take place near the end of October 2020. 

Compliance Auditing and Reporting 
Periodically, the university will conduct an audit where CSUs will be required to produce certificated to verify that the CSU is in compliance with this training requirement. 

Important Definitions
“Contractors” include subcontractors, officers, or employee of a contractor who have access to a state-managed computer system or database.

“Controlled” or “confidential information or data” includes any UT Austin computer system or database that is protected specifically by federal or state law, is protected by University of Texas rules and regulations, or protected due to contractual agreements requiring confidentiality. Visit the ISO data classification overview for more information. 

About House Bill 3834
HB 3834, passed in 2019, created the requirement that certain state employees and contractors must complete a cybersecurity awareness training. Visit the DIR Texas website for a list of approved training options. 

Additional Help and FAQs
For help in determining if a contractor qualifies for this requirement, please refer to this self-help article, contact the askUS help desk or call 512-471-8802 (8:00 AM - 5:00 PM, M-F).