Texas starts mandatory cybersecurity training for government employees

A new law requires nearly all state and local employees across the Lone Star State to undergo annual cybersecurity education.

Information technology officials in Texas are starting the process of implementing a law passed earlier this year mandating that nearly all state and local government employees complete annual cybersecurity training.

The Department of Information Resources, the state’s IT agency, on Monday issued a call for applications for training programs that meet the law’s specifications, with the goal of certifying at least five programs next month.

Under the law, which was enacted in June with minimal opposition from the Texas legislature, all state workers who perform at least 25 percent of their duties using a computer and all local government employees with access to a municipal computer system or database will be required to undergo the training. All elected and appointed officials must go through the process, no matter how much or little they use technology to perform their jobs, the law states. Additionally, state-government contractors will also have to undergo the training as long as they are working for Texas.

The training law was passed more than two months before 22 local governments across the Lone Star State were targeted in a single ransomware incident. Texas had also endured several public cyberattacks previously, including a November 2017 ransomware attack against the state Agriculture Department that resulted in a data exposure affecting nearly 700 students spread across more than three dozen school districts.


DIR is opening the application process to training courses developed both in-house and by third-party vendors, but all programs seeking certification must meet a handful of requirements. The programs must teach the “principles of information security,” according to to a course certification checklist, including knowledge of the types of data employees work with as well as how that data is stored. They must also teach government workers to be aware of basic cybersecurity threats, including phishing emails, malicious code and ransomware.

The certification requirements are based on a cybersecurity education framework developed by the National Institute of Standards and Technology, DIR said.

Providing cybersecurity training to nearly every member of second-largest state’s public workforce will be no small task. The Texas state government alone employs more than 324,000 full-time workers across dozens of agencies and the state university system. Local governments — including counties, cities, towns and school districts — employ 1.34 million people, according to the Dallas Federal Reserve.

Once DIR certifies its first five programs, it will continue to add more. The deadline for all government workers to complete their cybersecurity training courses is next June 14, the one-year anniversary of the law’s passage.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts