Certified Cybersecurity Training Programs (HB 3834, 86R)
The timeline below outlines the annual certification and requirements for compliance.
All governmental organizations
Train employees on certified training programs.
March 15 - April 30
DIR with consultation of the Texas Cybersecurity Council reviews requirements of the certified training programs.
Updated list of certification requirements published.
Training providers and governmental entities
Submission of training programs begins.
All governmental entities
Complete training of all employees and elected/appointed officials.
All governmental entities
Report completion of training to DIR via the web form.
Submission of training program ends.
New list of certified training providers published.
Back to top↑
Annual Training Requirements
State and local governments are required to train their employees annually on a certified training program. Employees required to complete the training are outlined in the table below.
State Agency Contractors
During the term of the contract and during any renewal period.
Back to top↑
State Agencies and Local Governments
State agencies and local governments must complete training by June 14 of each year. Government entities must annually certify their employee (and contractor training, if applicable) compliance by June 15, using the
Cybersecurity Training Certification for State and Local Governments.
Government entities can track their compliance in any method they choose, and will not submit training records or employee certificates of completion to DIR.
Texas By Texas
DIR has an optional tool, Texas by Texas (TxT), for state and local governments to track their employees' training compliance. For governments using TxT, employees will report their training completion, and DIR will send reporting from the TxT application to each government entity to verify training compliance. Organizations that wish to use TxT should indicate their interested by submitting the Texas By Texas Self Reporting Form. More details and information about TxT will be provided to the organizations that plan to use TxT.
Back to top↑
Texas Cybersecurity Training Certification Requirements
Certified Training Programs
The list of certified training programs for FY 20-21 is below, and valid until August 31, 2021. Please note that these programs are certified for content, not other regulatory or statutory obligations.
Download the Certified Training Programs (DOCX - 89 KB) or View the
Certified Training Programs (HTML)
Last Updated 3/24/2021
Application for Training Program Certification
Texas Government Code Section 2054.519(b) states that a cybersecurity training program must:
Focus on forming information security habits and procedures that protect information resources; and
Teach best practices for detecting, assessing, reporting, and addressing information security threats.
Certifications are valid until August 31 and need to be renewed annually.
Applications for FY 20-21 training program certifications are no longer being accepted. The next application period will be June 1, 2021 - July 31, 2021.
Back to top↑
Course Certification Checklist
The purpose of this checklist is to assess and determine whether a state agency's, local government's, or vendor's cybersecurity awareness training program meets the minimum requirements for certification under Section 2054.519(b), Texas Government Code. This detailed certification criteria are based on the
National Initiative for Cybersecurity Education (NICE) Framework.
FY 20-21 Security Awareness Training Program Certification Standards (PDF|194.96KB)
A local government that employs a 'dedicated information resources cybersecurity officer' may use a cybersecurity training program that satisfies the statutory content requirements. This exception does not apply to state agencies. In this scenario, training program certification is not required.
A cybersecurity officer must be an employee of the organization who:
Has responsibility for information security for their represented organization;
- Possesses the training and experience required to administer cybersecurity functions; and
- Has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).
Submit a Local Government Cybersecurity Training & Awareness Program Exception Form
Exceptions are valid until August 31 and need to be renewed annually.
Back to top↑
Frequently Asked Questions
For questions, please contact
Are there any low and/or no cost certified training programs available?
The list of certified programs includes a column that indicates whether there is a cost to use the program. In addition, there are in-house programs that a provider is willing to share. Some of these programs are available at low and/or no cost to your organization. Contact the providers for more details.
What are the annual training dates for cybersecurity training?
Individuals that must be trained have to complete a certified training annually, starting June 14, 2019. How government entities choose to track the annual training internally for their employees and elected officials is up to the entity.
How many training programs will be certified?
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs requires DIR to certify at least five cybersecurity training programs. Refer to the
list of certified programs for current numbers.
What criteria will be used to certify the programs?
Texas Government Code 2054.519 State Certified Cybersecurity Training Program requires training programs to: (1) focus on forming information security habits and procedures that protect information resources; and (2) teach best practices for detecting, assessing, reporting, and addressing information security threats. Refer to the link above for detailed certification criteria, based on the
National Initiative for Cybersecurity Education (NICE) framework.
When can programs be submitted for certification?
Applications for training program certifications are accepted annually from June 1 through July 31.
What are the standards for maintenance of certification?
Training programs will have to be re-submitted for certification annually.
Can a state agency or local government organization submit a vendor's program for certification?
No, the training provider organization must apply to have their training program certified.
Access is defined as "any person who has been given an account to access any state (or local) information system."
When certifying vendors who provide security awareness courses and/or packages, is it the vendor who is being certified or individual components of that vendor's solution? In the case that it is individual components, how will those components be identified?
The training program is what will be certified. A training program is a course or curriculum of courses that meets the specifications. If the training program is part of a larger set of training materials, state and local government organizations in Texas will need to include in their training program the modules/courses that are submitted for certification as a minimum to ensure compliance with state law (although they could add modules/content as desired).
Are training programs being assessed for accessibility?
No, training programs are only being assessed for meeting the requirements stated in the Course Certification Checklist. However, there is a field in the application for the training program provider to indicate whether the program meets accessibility requirements. This information is included on the list of certified training programs.
Will training programs be offered in languages other than English?
There is a field in the application for the training program provider to indicate available languages. This information is included on the list of certified training programs.
State Agency and Contractor Training Requirements
What constitutes a state agency?
As defined in Chapter 2054 of Government Code, a state agency includes a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.
What contracts are affected by the training requirement?
The training requirement for contractors affects contracts entered into on, or after, June 14, 2019, and contract renewals executed on, or after, June 14, 2019.
Who is responsible for ensuring the service providers in the Shared Technology Services (STS) program meet the contractor training requirements?
DIR contracts directly with each of the service providers within the STS program, including the Multi-sourcing Services Integrator (MSI) and all Service Component Providers (SCPs); therefore, DIR is responsible for ensuring they meet the training requirements.
If a contractor works with multiple state agencies, do they have to complete the training program selected by each of the state agencies?
A contractor that has access to state computer systems or databases at multiple state agencies must complete the training program specified by each state agency.
What is the difference between Texas Government Code 2054.519 State Certified Cybersecurity Training Programs and the security awareness training requirements included in Texas Administrative Code, Chapter 202 (TAC 202)?
Texas Government Code 2054.519 State Certified Cybersecurity Training Programs provides specifics to the security awareness requirements in TAC 202. TAC states that state agencies are responsible for: administering an ongoing information security awareness education program for all users; and introducing information security awareness and inform new employees of information security policies and procedures during the onboarding process. Texas Government Code 2054.519 adds requirements around the training that must be provided.
Which training requirements apply to community colleges?
Under SB 64 (86R), community colleges must comply with Texas Administrative Code Chapter 202 (TAC 202) and therefore must follow the training requirements for state agencies.
Which training requirements apply to Texas Education Service Centers (ESCs)?
According to the Texas Education Agency (TEA), Texas ESCs are considered state agencies. Please consult with TEA if you require further clarification.
Which state agency and institution of higher education employees are required to have annual cybersecurity awareness training?
Employees who use a computer to complete at least 25% of their required duties are required to complete annual training using a certified program.
If elected or appointed officials of a state agency do not use a computer to perform at least 25 percent of their duties, are they required to complete cybersecurity training?
Yes, elected and appointed officials are required to complete cybersecurity training regardless of whether they use a computer to perform at least 25 percent of their duties.
What is the minimum number of hours contractors have to work to be required to take cybersecurity training?
There is no stipulation for hours worked. Any contractor who has
access (see definition of
access above) must complete the training.
Will training offered through DIR's CISO be certified?
DIR works with its vendors to ensure that any training program offered through OCISO meets the Mandatory Training Requirements and can provide a certified training program. State agencies need to ensure they are including the specific modules in their employee training. Refer to the
list of certified programs for additional details.
Can state agencies select any training program from the list of certified programs?
State agencies are bound by state procurement regulations and therefore must select a program that is offered through DIR's cooperative contracts. If a state agency wants to procure an item available from DIR's contracts and services program through an avenue other than a DIR contract, the agency must request an exemption.
Could an agency use a different method of training for elected officials and contracts than they use for employees?
All certified programs meet the requirements and can be used to meet the training requirements, based on each organization's preference.
To save state resources, may a state agency consider the employee training received by another agency’s employees pursuant to Texas Government Code 2054.5191 as an alternative to the contractor representative training required by Texas Government Code 2054.5192?
Texas Government Code 2054.5192 requires agencies’ contractors to complete training that has been certified by DIR. An agency’s employee training satisfies its internal obligations under Texas Government Code 2054.5191. It does not satisfy the agency’s obligations when it is acting as a contractor, as those obligations are detailed under Texas Government Code 2054.5192. If the contractor agency obtains DIR certification for its training program, and if the customer agency accepts that program, then the training could satisfy the contractor agency’s obligations.
For contractor employees working on multiple contracts, can the state agency require such training only once per year?
Texas Government Code 2054.5192 requires the contractor to certify annually that the contractor (and its subcontractors, officers, and employees) with access to a state computer system or database, have received the requisite training. Each contract’s file should include the required annual certification from the contractor concerning all relevant personnel working on that contract. If such personnel work on more than one contract, then each contract file should be documented, but it is not necessary for an individual to take a separate class annually for each contract under which she or he is engaged.
Are contractors required to submit certifications of cybersecurity training for contract extensions, or only for contract renewals?
The distinction between a renewal and an extension may turn on many factors. These include, among others, the length and purpose of the additional time, the work to be performed during that time, and the amount and nature of compensation related to that work. Agencies are encouraged to confer with their legal counsel concerning specific cases.
Do vendors like Microsoft who have access to organization data need to take training?
For state agencies, only contractors who have been given an account to access any state information system have to take training. This would generally exclude vendors like Microsoft unless they are specifically given an account.
For contractors, do all employees of the company holding the contract have to be trained or only those accessing the governmental system?
For state agencies, only contractors who have been given an account to access any state information system have to take training.
Local Government Training Requirements
What constitutes a local government?
As defined in Chapter 2054 of Texas Government Code, local government includes a county, municipality, special district, school district, or other political subdivision of the state.
Do local governments have to use a certified training program?
Yes, local governments must use a certified training program, unless the local government employs a ‘dedicated information resources cybersecurity officer’ and has a cybersecurity training program that satisfies the requirements.
Which local government employees are required to complete annual cybersecurity awareness training?
Local government employees who have access to a local government computer system or database, and elected officials are required to complete annual cybersecurity awareness training.
Which training requirements apply to river authorities?
River authorities may be considered local governments. Local government is as defined in Texas Government Code 2054, which includes a county, municipality, special district, school district, or other political subdivision of the state. Consult your legal counsel for confirmation.
Do contractors of local governments have to complete cybersecurity awareness training?
No, the contractor training requirement only applies to state agencies. However, ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.
What is the definition of a "dedicated information resources cybersecurity officer"?
An employee who: 1.) has responsibility for information security for their represented organization; 2.) possesses the training and experience required to administer cybersecurity functions; and 3.) has information security duties as their primary duty (primary is defined as greater than 50% of the employee's workload).
What steps are required to request a dedicated cybersecurity officer exception?
The cybersecurity officer will need to submit a form confirming they meet the exception requirements. Use the online
Local Government Cybersecurity Training & Awareness Program Exception Form to submit an exception request.
If elected officials of the local government organization do not have access to a local government computer system or database, are they required to complete cybersecurity training?
Yes, elected officials are required to complete cybersecurity training regardless of whether they have access to a local government computer system or database.
Do part-time employees of local governments have to complete cybersecurity training?
If part-time employees have access to a local government computer system or database, then yes, they are required to complete training.
Do appointed officials of local governments have to complete cybersecurity awareness training?
No, the local government training requirements apply to employees and elected officials. However, ensuring that everyone has appropriate awareness of cybersecurity best practices can be beneficial to any organization.
Are board members required to take annual cybersecurity training?
For local governments, elected officials are required to take annual training. Appointed officials are not. The members of the board of an appraisal district are not elected officials within the scope of subsection 2054.5191(a-1) and thus they are not required to complete the certified cybersecurity training program it mandates. Consult your legal counsel if you have additional questions.
Do substitute teachers have to complete cybersecurity awareness training?
For school districts, annual training is required for employees and elected officials. Each district will need to make the determination of whether substitute teachers are considered employees or contractors. However, if the determination is that substitute teachers are contractors, the district may choose to have them take training since ensuring that contractors have appropriate awareness of cybersecurity best practices can be beneficial to any organization.
Do transportation, cafeteria, custodial and other staff that have not had a computer assigned to them nor use a school district computer have to complete cybersecurity awareness training?
For local governments, including school districts, any employee who has been given an account to access any local information system, is required to take annual training. If the employee does not access any IT resources, then no, they are not required to take training.
How should we handle new hires being required to complete the training?
Each organization should develop internal policies regarding when new employees take their training. If employees take training annually, that complies.
Training Completion and Reporting Requirements
When does the annual training need to be completed?
All governmental entities must complete training by June 14 of each year.
How will agencies report training compliance?
Agencies will certify their employee and contractor training compliance annually by June 15, using the
Cybersecurity Training Certification for State and Local Governments.
How can governmental entities track training compliance?
State and local governments can track their compliance in any method they choose. DIR has also created a tool for governments to have their employees self-report their training compliance by using Texas by Texas (TxT). For governments using TxT, DIR will send reporting from the TxT application to each government to verify training compliance. Organizations that wish to use TxT for employee self-reporting should indicate their interest by submitting the Texas by Texas (TxT) Self-Reporting Form. More details and information about TxT will be provided to the organizations that plan to use TxT.
Note: Organizations who signed up for 2020 reporting will automatically be enrolled for future reporting cycles and do not need to resubmit the form.
How will local governments report training compliance?
Local governments will certify their employee training compliance annually by June 15 using the
Cybersecurity Training Certification for State and Local Governments.
Will certificates of training completion need to be submitted to DIR?
No, certificates of completion do not need to be submitted to DIR. Organizations should retain certificates, or other proof of completion, with their training records.
Will documentation of local governing body verification need to be submitted to DIR?
No, documentation of governing board verification does not need to be submitted to DIR. The governing body of a local government is required to: (1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department; and (2) require periodic audits to ensure compliance. Local governments should retain documentation pertaining to this requirement with their training records.
Who can submit the Cybersecurity Training Certification for State and Local Governments?
The Cybersecurity Training for State and Local Governments can be submitted by whomever the government authorizes. The authorized individual submitting the form will need access to their email account as they will be required to enter a confirmation code in order to finalize the submission.
If a state or local government does not achieve 100% training compliance, does the entity need to submit a report to DIR?
The Cybersecurity Training for State and Local Governments form includes a field to report percentage complete. State and local governments submitting the form should indicate the completion percentage.
If a local government does not have any employees that would be required to complete the training, does the entity need to submit any report to DIR?
DIR recommends that the entity still submit a report. If there are no employees that are required to take training, and any elected officials are not also employees (receiving a salary, etc.), then reporting is not required.
What is the record retention for previous years' cybersecurity awareness training records?
For organizations that keep their training records in their Human Resources files, the retention period is five years past employee term. Organizations are encouraged to confer with their legal counsel concerning specific cases, or if there are additional questions.