Cybersecurity Requirements for Texas School Districts
Texas public school districts operate under a distinct cybersecurity compliance framework rooted in state statute, Texas Education Agency oversight, and alignment with federal guidance from the Cybersecurity and Infrastructure Security Agency (CISA). The requirements span board-adopted policy mandates, incident reporting obligations, and minimum security controls applicable to K–12 technology environments. Understanding how these obligations are structured — and where they differ from requirements on state agencies or healthcare entities — is essential for district administrators, technology directors, and the vendors serving them.
Definition and scope
Texas public school district cybersecurity requirements are grounded primarily in Texas Education Code §11.175, enacted through Senate Bill 820 during the 87th Texas Legislature (2021). That statute requires each school district board of trustees to adopt a cybersecurity policy addressing the security of district networks and data, designation of a cybersecurity coordinator, and procedures for managing cybersecurity incidents. The policy must be filed with the Texas Education Agency (TEA).
The scope of these obligations extends to all Texas independent school districts (ISDs) and open-enrollment charter schools subject to TEA oversight. This framework governs network security posture, student and staff data protection, and incident notification chains — not merely acceptable-use policies for device access.
School districts must also comply with the Family Educational Rights and Privacy Act (FERPA), a federal statute administered by the U.S. Department of Education, which restricts disclosure of student education records. FERPA obligations operate independently of — and in addition to — Texas state requirements. For the full statutory architecture covering Texas public sector entities, see Regulatory Context for Texas Cybersecurity.
Scope boundary: This page addresses cybersecurity requirements specific to Texas K–12 public school districts and open-enrollment charter schools under TEA jurisdiction. It does not address Texas public universities or institutions of higher education, which fall under Texas Government Code Chapter 2054 and Texas Department of Information Resources (DIR) authority. Private schools are not covered by §11.175. Multi-state data flows involving student records may trigger obligations not addressed here. The broader Texas cybersecurity landscape is mapped at the site index.
How it works
Compliance with Texas school district cybersecurity requirements follows a structured sequence of obligations:
- Board policy adoption — The board of trustees adopts a written cybersecurity policy that meets TEA minimum standards. The policy must address network security, data access controls, incident response procedures, and employee training expectations.
- Cybersecurity coordinator designation — Each district must designate a cybersecurity coordinator responsible for managing the district's cybersecurity posture and serving as the primary liaison to TEA. This role does not require a specific state-issued license under current statute, but TEA guidance encourages alignment with recognized frameworks such as the NIST Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology.
- Policy filing with TEA — The adopted cybersecurity policy must be reported to TEA. TEA maintains oversight authority and can audit district compliance through its monitoring mechanisms.
- Incident reporting — Under §11.175(c), districts must notify TEA of cybersecurity incidents that affect the district's network. TEA issues guidance on the reporting timeline and the categories of incidents that trigger notification obligations. Ransomware attacks, unauthorized data access events, and denial-of-service disruptions affecting instructional systems are among the incident types covered. For a broader treatment of incident notification obligations, see Texas Cybersecurity Incident Response.
- Ongoing training and review — While §11.175 does not prescribe a specific training curriculum at the same level of detail as Texas Government Code Chapter 2054 does for state agency employees, district policy is expected to include staff cybersecurity awareness provisions. CISA's K–12 Cybersecurity resources provide federally produced, no-cost training frameworks applicable to district staff.
The Texas Department of Information Resources (DIR) does not have direct regulatory authority over K–12 school districts in the same manner it oversees state agencies; however, DIR's published security standards and the Texas Cybersecurity Framework serve as de facto reference benchmarks that districts and their technology vendors frequently consult.
Common scenarios
Student data breach: A district's student information system is compromised, exposing names, dates of birth, and academic records for a defined student population. This triggers both TEA notification under §11.175 and FERPA obligations requiring notification to affected families. If the breach involves financial account data for staff, Texas Business & Commerce Code §521.053 — which mandates breach notification within 60 days of discovery — may apply in parallel.
Ransomware attack on district infrastructure: A ransomware event disabling network systems is one of the most documented threat scenarios affecting Texas K–12 districts, consistent with CISA's K–12 Cybersecurity Report findings. The district's cybersecurity coordinator activates the incident response plan, notifies TEA, and may engage CISA's free incident response resources. For context on this threat pattern in Texas, see Texas Ransomware Threats and Response.
Third-party vendor access: A curriculum technology vendor with access to district systems experiences a breach. The district's exposure depends on contractual data processing agreements and whether FERPA-regulated data was involved. Districts are responsible for vetting third-party vendor security controls — an area where the district's written cybersecurity policy must establish vendor management provisions.
Policy audit by TEA: TEA may request documentation of a district's cybersecurity policy and coordinator designation as part of a compliance review. Districts without a filed policy are in direct violation of §11.175.
Decision boundaries
School district vs. state agency requirements: Texas state agencies and public universities must comply with DIR security control standards derived from NIST SP 800-53 and complete DIR-certified cybersecurity training under Texas Government Code Chapter 2054. K–12 districts are not subject to Chapter 2054 directly; their primary compliance anchor is Texas Education Code §11.175. This distinction affects the administrative authority, the oversight body (TEA vs. DIR), and the specific control requirements.
Public school district vs. private school: Texas Education Code §11.175 applies to independent school districts and open-enrollment charter schools subject to TEA oversight. Private schools, including those accredited through non-state bodies, are not covered by this statute.
FERPA vs. state breach notification: FERPA governs the disclosure of student education records and is enforced by the U.S. Department of Education. Texas Business & Commerce Code Chapter 521 governs notification obligations for breaches of sensitive personal information and is enforced by the Texas Office of the Attorney General. These two frameworks overlap when student data containing personal information is compromised — both notification frameworks may apply simultaneously and are not mutually exclusive.
Cybersecurity coordinator vs. licensed security professional: The §11.175 cybersecurity coordinator role is an administrative designation, not a licensed profession under Texas statute. Districts seeking qualified personnel may look to professionals holding certifications recognized by bodies such as (ISC)² or ISACA, but no specific credential is mandated by current state law. For the landscape of relevant certifications, see Texas Cybersecurity Certifications and Licensing.
Districts with limited internal capacity frequently assess whether managed security service arrangements or shared-services models can satisfy their compliance obligations — a consideration addressed in Texas Managed Security Service Providers. Grant and funding mechanisms available to assist districts with implementation costs are documented at Texas Cybersecurity Grants and Funding.
References
- Texas Education Code §11.175 — Texas Legislature Online
- Texas Business & Commerce Code §521.053 — Texas Legislature Online
- Texas Education Agency (TEA)
- Texas Department of Information Resources (DIR)
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-53 — NIST Computer Security Resource Center
- CISA K–12 Cybersecurity Resources
- U.S. Department of Education — FERPA
- Texas Office of the Attorney General — Data Security Breaches