Mandatory Training Frequently Asked Questions
The list of certified programs includes a column that indicates whether there is a cost to use the program. In addition, there are in-house programs that a provider is willing to share. Some of these programs are available at low and/or no cost to your organization. Contact the providers for more details.
Individuals who must be trained have to complete a certified training annually. DIR does not set a specific date for organizations to complete their training.
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs requires DIR to certify at least five cybersecurity training programs. Refer to the list of certified programs for current numbers.
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs requires training programs to: (1) focus on forming information security habits and procedures that protect information resources; and (2) teach best practices for detecting, assessing, reporting, and addressing information security threats. Refer to the link above for detailed certification criteria.
Applications for training program certifications are accepted annually from June 1 through July 31.
Training programs will have to be re-submitted for certification annually and meet the criteria for the upcoming year.
The training provider organization must apply to have their training program certified. An organization cannot submit on behalf of another organization.
Access is defined as "any person who has been given an account to access any state (or local) information system."
The training program is what will be certified. A training program is a course or curriculum of courses that meets the specifications. If the training program is part of a larger set of training materials, state and local government organizations in Texas will need to include in their training program the modules/courses that are submitted for certification as a minimum to ensure compliance with state law (although they could add modules/content as desired).
No, training programs are only being assessed for meeting the requirements stated in the Course Certification Checklist. However, there is a field in the application for the training program provider to indicate whether the program meets accessibility requirements. This information is included on the list of certified training programs.
There is a field in the application for the training program provider to indicate available languages. This information is included on the list of certified training programs.
State Agency and Contractor Training Requirements
As defined in Chapter 2054 of Government Code, a state agency includes a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.
The training requirement for contractors affects contracts entered into on, or after, June 14, 2019, and contract renewals executed on, or after, June 14, 2019.
DIR contracts directly with each of the service providers within the STS program, including the Multi-sourcing Services Integrator (MSI) and all Service Component Providers (SCPs); therefore, DIR is responsible for ensuring they meet the training requirements.
A contractor that has access to state computer systems or databases at multiple state agencies must complete the training program specified by each state agency.
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs adds specifics to the security awareness requirements in TAC 202. TAC 202 states that state agencies are responsible for: administering an ongoing information security awareness education program for all users; and introducing information security awareness and informing new employees of information security policies and procedures during the onboarding process. HB 3834 adds requirements around the training that must be provided.
Under SB 64 (86R), community colleges must comply with Texas Administrative Code Chapter 202 (TAC 202) and therefore must follow the training requirements for state agencies.
According to the Texas Education Agency (TEA), Texas ESCs are considered state agencies. Please consult with TEA if you require further clarification.
Employees who use a computer to complete at least 25% of their required duties are required to complete annual training using a certified program.
Yes, elected and appointed officials are required to complete cybersecurity training regardless of whether they use a computer to perform at least 25 percent of their duties.
There is no stipulation for hours worked. Any contractor who has access (see definition of access above) must complete the training.
DIR works with its vendors to ensure that any training program offered through OCISO meets the Mandatory Training Requirements and can provide a certified training program. State agencies need to ensure they are including the specific modules in their employee training. Refer to the list of certified programs for additional details.
State agencies are bound by state procurement regulations and therefore must select a program that is offered through DIR's cooperative contracts. If a state agency wants to procure an item available from DIR's contracts and services program through an avenue other than a DIR contract, the agency must request an exemption.
All certified programs meet the requirements and can be used to meet the training requirements, based on each organization's preference.
Texas Government Code 2054.5192 requires agencies’ contractors to complete training that has been certified by DIR. An agency’s employee training satisfies its internal obligations under Texas Government Code 2054.5191. It does not satisfy the agency’s obligations when it is acting as a contractor, as those obligations are detailed under Texas Government Code 2054.5192. If the contractor agency obtains DIR certification for its training program, and if the customer agency accepts that program, then the training could satisfy the contractor agency’s obligations.
Texas Government Code 2054.5192 requires the contractor to certify annually that the contractor (and its subcontractors, officers, and employees) with access to a state computer system or database has received the requisite training. Each contract’s file should include the required annual certification from the contractor concerning all relevant personnel working on that contract. If such personnel work on more than one contract, then each contract file should be documented, but it is not necessary for an individual to take a separate class annually for each contract under which she or he is engaged. Agencies may choose whether this is acceptable for contractors working on their systems or may require additional trainings.
The distinction between a renewal and an extension may turn on many factors. These include, among others, the length and purpose of the additional time, the work to be performed during that time, and the amount and nature of compensation related to that work. Agencies are encouraged to confer with their legal counsel concerning specific cases.
For state agencies, only contractors who have been given an account to access any state information system have to take training. This would generally exclude vendors like Microsoft unless they are specifically given an account.
For state agencies, only contractors who have been given an account to access any state information system have to take training.
Local Government Training Requirements
As defined in Chapter 2054 of Texas Government Code, local government includes a county, municipality, special district, school district, or other political subdivision of the state.
Yes, local governments must use a certified training program.
Local government employees, elected officials, and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of their duties are required to complete annual cybersecurity awareness training. Note: School districts have different training requirements.
Yes, the Cybersecurity Coordinator is the only one required by statute. However, the Cybersecurity Coordinator along with district leadership may decide additional personnel are required. TEA recommends using Texas Government Code 2054.5191 and the updates from HB 1118 (87th Leg.) as a best practice for determining which staff members would benefit from cybersecurity training.
As elected officials, school board members may be required to take annual cybersecurity training under Texas Government Code 2054.5191. However, they could be subject to exemption if it is determined that they do not use a computer to perform at least 25 percent of their required duties.
No. Charter schools do not meet the definition of a local government and are therefore not subject to the statute.
Anyone designated by the LEA is authorized to submit the training certification form to DIR.
River authorities may be considered local governments. Local government is as defined in Texas Government Code 2054, which includes a county, municipality, special district, school district, or other political subdivision of the state. Consult your legal counsel for confirmation.
No, the contractor training requirement only applies to state agencies. However, ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.
If part-time employees have access to a local government computer system or database and use a computer to perform at least 25 percent of their duties, then yes, they are required to complete training.
If the appointed officials have access to a local government computer system or database and use a computer to perform at least 25 percent of their duties, then they are required to complete training.
For local governments, elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of their duties are required to take annual training. Consult your legal counsel if you have additional questions.
Each organization should develop internal policies regarding when new employees take their training. If employees take training annually, that complies.
Texas Government Code Section 2054.5191 requires annual cybersecurity training. Using the CJIS Security Awareness Training program does not remove the annual training requirement.
Training Completion and Reporting Requirements
All governmental entities must complete annual training. There is no specific training completion date. The only requirement is for governmental entities to report training by August 31.
No. The requirement is that employees must be trained annually. This can be tracked per employee or organization-wide in whichever manner the organization chooses.
State and local governments can track their compliance in any method they choose. DIR has also created a tool for governments to have their employees self-report their training compliance by using Texas by Texas (TxT). For governments using TxT, DIR will send reporting from the TxT application to each government to verify training compliance. Organizations that wish to use TxT for employee self-reporting should indicate their interest by submitting the Texas by Texas (TxT) Self-Reporting Form. More details and information about TxT will be provided to the organizations that plan to use TxT.
Note: Organizations that previously signed up for the TxT reporting will automatically be enrolled for future reporting cycles and do not need to resubmit the form.
No, certificates of completion do not need to be submitted to DIR. Organizations should retain certificates, or other proof of completion, with their training records.
No, documentation of governing board verification does not need to be submitted to DIR. The governing body of a local government is required to: (1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and (2) require periodic audits to ensure compliance. Local governments should retain documentation pertaining to this requirement with their training records.
The Cybersecurity Training for State and Local Governments form can be submitted by whomever the government authorizes. The authorized individual submitting the form will need access to their email account, as they will be required to enter a confirmation code in order to finalize the submission.
The Cybersecurity Training for State and Local Governments form includes a field to report percentage complete. State and local governments submitting the form should indicate the completion percentage.
DIR recommends that the entity still submit a report.
For organizations that keep their training records in their Human Resources files, the retention period is five years past employee term. Organizations are encouraged to confer with their legal counsel concerning specific cases, or if there are additional questions.