A Quick Look at the New Cybersecurity Annex Requirement
During the 2024-25 multi-hazard emergency operations plan (EOP) review cycle, the Texas School Safety Center (TxSSC) will evaluate every school district’s EOP Basic Plan and Cybersecurity Annex. The annex is a new requirement, so school staff might have questions. This is the first in a three-article series that offers guidance and resources to help members comply.
In this article, you will get an overview of the annex requirement. If your district is early in the process of creating its annex, see our second article for guidance on prioritizing your work. In our third article, we share free and low-cost resources that will help you create a compliant cyber annex without breaking the bank.
Things to Know
- The TxSSC will open the window to submit EOP Basic Plans and Cybersecurity Annexes on September 23. Superintendents should receive an email containing a link to the submission portal. Districts must submit their plan and annex by October 23.
- The TxSSC Basic Plan Toolkit and Cybersecurity Annex Toolkit include templates, completion guides, and checklists to help districts update and complete their plans.
- EOP review specialists are available to help districts develop compliant plans and to answer questions.
Nuts and Bolts
An EOP Basic Plan is a flexible framework that documents how the district will respond to a variety of hazards. Annexes address specific hazards such as chemical spills, public health emergencies, and the ever-rising threat of cybercrime. School districts and the Legislature have done a great job prioritizing cybersecurity, but criminals constantly adapt.
By creating a Cybersecurity Annex, your district complies with legislative requirements. Just as important, you take additional steps to protect your stakeholders’ sensitive data.
The annex consists of more than 30 cybersecurity evaluation criteria, or checklist items, that districts must address. These criteria correspond to the Texas Cybersecurity Framework (TCF). Your district should have already used the TCF to create its legislatively mandated cybersecurity plan (see Next Steps below).
The security objectives are labeled “deficiency” or “non-deficiency.” According to the TxSSC, deficiency objectives are required. Non-deficiency objectives are recommended best practices that should be implemented.
Next Steps
Remember that you might not have to start your Cybersecurity Annex from square one. Texas law has required school districts to create a cybersecurity plan based on the TCF since September 2019. The Cybersecurity Annex simply highlights the most important objectives from the TCF. If your district already created its state-mandated cybersecurity plan, evaluate it against the TxSSC compliance checklist to ensure you address all requirements.
When submitting your EOP with the Cybersecurity Annex to the TxSSC, you may attach your district cybersecurity plan and note on the compliance checklist where you addressed each objective.
The seven-page compliance checklist can be overwhelming. In the second article in our series, we share tips for prioritizing annex requirements. Our third article offers links to free and low-cost resources that can help your district meet the Cybersecurity Annex requirements and implement the best practices.
As always, Fund members with Privacy and Information Security coverage can count on support from our team. Contact Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.
Lucas Anderson
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.