A Quick Look at the New Cybersecurity Annex Requirement

During the 2024-25 multi-hazard emergency operations plan (EOP) review cycle, the Texas School Safety Center (TxSSC) will evaluate every school district’s EOP Basic Plan and Cybersecurity Annex. The annex is a new requirement, so school staff might have questions. This is the first in a three-article series that offers guidance and resources to help members comply.

In this article, you will get an overview of the annex requirement. If your district is early in the process of creating its annex, see our second article for guidance on prioritizing your work. In our third article, we share free and low-cost resources that will help you create a compliant cyber annex without breaking the bank.

Things to Know

1. The TxSSC will open the window to submit EOP Basic Plans and Cybersecurity Annexes on September 23. Superintendents should receive an email containing a link to the submission portal. Districts must submit their plan and annex by October 23.
2. The TxSSC Basic Plan Toolkit and Cybersecurity Annex Toolkit include templates, completion guides, and checklists to help districts update and complete their plans.
3. EOP review specialists are available to help districts develop compliant plans and to answer questions.

Nuts and Bolts

An EOP Basic Plan is a flexible framework that documents how the district will respond to a variety of hazards. Annexes address specific hazards such as chemical spills, public health emergencies, and the ever-rising threat of cybercrime. School districts and the Legislature have done a great job prioritizing cybersecurity, but criminals constantly adapt.

By creating a Cybersecurity Annex, your district complies with legislative requirements. As important, you take additional steps to protect your stakeholders’ sensitive data.

The annex consists of more than 30 cybersecurity evaluation criteria, or checklist items, that districts must address. These criteria correspond to the Texas Cybersecurity Framework (TCF). Your district should have already used the TCF to create its legislatively mandated cybersecurity plan (see Next Steps below).

The security objectives are labeled “deficiency” or “non-deficiency.” According to the TxSSC, deficiency objectives are required. Non-deficiency objectives are recommended best practices that should be implemented.

Next Steps

Remember that you might not have to start your Cybersecurity Annex from square one. Texas law has required school districts to create a cybersecurity plan based on the TCF since September 2019. The Cybersecurity Annex simply highlights the most important objectives from the TCF.  If your district already created its state-mandated cybersecurity plan, evaluate it against the TxSSC compliance checklist to ensure you address all requirements.

When submitting your EOP with the Cybersecurity Annex to the TxSSC, you may attach your district cybersecurity plan and note on the compliance checklist where you addressed each objective. 

The seven-page compliance checklist can be overwhelming. In the second article in our series, we share tips for prioritizing annex requirements. Our third article offers links to free and low-cost resources that can help your district meet the Cybersecurity Annex requirements and implement the best practices.

As always, Fund members with Privacy and Information Security coverage can count on support from our team. Contact Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.