Cybersecurity Training Requirements Clarified

Many of our members have reached out to HR Services regarding the impact of Senate Bill (SB) 1267 and House Bill (HB) 1118 on cybersecurity training requirements.

SB 1267 limited the annual cybersecurity employee training requirement to cybersecurity coordinators and allowed other employees to be trained on a locally-developed schedule. In a separate piece of legislation, HB 1118 amended the training requirements in Texas Government Code §2054.5191 addressing who must complete the training. As a result, a school district is responsible for determining the frequency of training for anyone other than the cybersecurity coordinator and choosing the source of training.

The Texas Department of Information Resources (DIR) recently provided clarification on these issues in a question and answer format on the bottom of the Certified Cybersecurity Training Programs webpage. Below are three questions specifically addressing school district employees and board members:

Q:Which Local Government Employees Are Required to Complete Annual Cybersecurity Awareness Training?

A: Local government employees, elected officials, and appointed officials, who have access to a local government computer system or database and use a computer to perform at least 25 percent of their duties are required to complete annual cybersecurity awareness training. Note: School district employees have a different training schedule.

Q: Is a School District’s Cybersecurity Coordinator the Only Employee Required To Take Cybersecurity Training on an Annual Basis?

A: Yes, the cybersecurity coordinator is the only employee required by statute to complete annual training. The district, in consultation with the district’s cybersecurity coordinator, shall determine how often other district employees who must complete the cybersecurity training should take the training. According to DIR, the Texas Education Agency (TEA) recommends using Texas Government Code 2054.5191 and HB 1118 (87th Leg.) as a best practice for determining which staff members would benefit from cybersecurity training. 

Q: Are School Board Members Required To Take Annual Cybersecurity Training?

A: As elected officials, school board members may be required to take annual cybersecurity training under Texas Government Code 2054.5191. However, they could be subject to exemption if it is determined that they do not use a computer to perform at least 25 percent of their required duties. 

A list of certified training programs is also available on the Certified Cybersecurity Training Programs webpage. DIR has also developed a free training in English and Spanish that can be accessed on this page.