The Texas CAD Cybersecurity Training Rule Most Districts Get Wrong

Most Texas appraisal districts handle their annual cybersecurity training compliance assuming a 25% computer-use threshold determines who needs the training. That threshold is real — but it’s not the rule that applies to CADs. It’s the rule for state agencies under §2054.5192. CADs fall under §2054.5191, which casts a noticeably wider net, and that difference is the most common audit miss we see in the field.

If you’re a Chief Appraiser or CAD Director reading this between ARB hearings and a CAMA vendor call, the short version is this: the August 31 compliance deadline is real, the training itself is offered free at freecybersecurityawarenesstraining.com, and the actual lift is the documentation and tracking work around it. What follows is who’s actually covered by §2054.5191 (broader than most CADs assume), what missing the deadline costs you in practice, and how to automate the compliance cycle so your office isn’t the bottleneck.

📜 Understanding Texas Gov Code 2054.5191

HB 3834, passed in 2019, was Texas’s response to a pattern of ransomware attacks hitting local government IT. It added two parallel sections to the Government Code — §2054.5191 for local government entities (CADs included) and §2054.5192 for state agencies — both requiring annual cybersecurity awareness training from a state-certified provider.

Under §2054.5191, the training has to be completed annually and the program has to come from a state-certified training provider. The reasoning behind the law is straightforward: most local government breaches in Texas have started with a single staff member clicking the wrong link. Training won’t catch every phishing or social engineering attempt, but the data on awareness training pretty consistently shows it cuts the success rate of those attempts.

Who needs the training under §2054.5191: This is where most CADs get the rule slightly wrong, because §2054.5192 (state agencies) and §2054.5191 (local government) read similarly but cover different staff. For local government — which is what CADs fall under — the requirement applies to:

• CAD employees with access to district systems — ✅ Yes. The local government rule doesn’t use the 25% computer-use threshold that applies to state agencies under §2054.5192. If a staff member has access to the CAD’s computer systems or databases at all — administrators, appraisers, customer service, IT — they’re in scope. This is broader than many CADs realize, and it’s the most common audit miss.
• Board of Directors — ✅ Yes. Elected or appointed officials who have access to the district’s information resources are required to complete the training. Whether they actively log in regularly or not, if they have credentials, they’re in scope.
• Field staff with no system access — Possibly exempt, but the exception is narrow. If a field appraiser genuinely has no access to CAD systems (no login, no shared file access, no district email account), they’re outside the requirement. In practice, most field staff have at least an email account, which puts them back in scope. The cleaner approach for most districts is to train everyone — the cost difference is negligible and it removes the audit gray area.

⚠️ The Real Cost of Missing the August 31 Deadline

Districts certify compliance to the state by August 31 each year. Missing the certification has both compliance and audit consequences. Non-certification can trigger administrative review from the state and can affect grant eligibility — the cybersecurity-related grant programs CADs sometimes draw from carry compliance prerequisites tied to §2054.5191 certification. Trading grant access for a forgotten training video is the kind of trade no Chief Appraiser wants to explain to the board.

Beyond compliance, there’s the operational side. CADs hold taxpayer PII, exemption records, and county financial data — exactly the kind of records ransomware groups have learned to target in local government. As critical infrastructure for county tax collection, a CAD going offline doesn’t just disrupt your office; it slows the certification of tax rolls that fund the entire county.

This isn’t theoretical for Texas CADs. Three districts have been hit between 2022 and 2024 — Dallas CAD (Royal ransomware, with the district paying about $170K), Travis CAD (also Royal), and Tarrant Appraisal District (a $700K demand TAD refused to pay). Recovery costs ran well into six figures in each case, on top of weeks of operational disruption. Awareness training isn’t a guarantee against any of that, but it’s the lowest-cost meaningful intervention you can make against the most common attack vector: an employee clicking the wrong link.

😫 The Hidden Time-Tax of Manual Tracking

Knowing the rule is the easy part. Enforcing it across staff, board members, and seasonal new hires is where the time hit comes from, and most CADs are absorbing 20-40 hours of leadership and HR time on it every year. Manual compliance usually looks like this:

1. Verify the training program is on the current state-certified list. The list changes year to year, so last year’s choice isn’t automatically valid this year.
2. Announce the requirement to staff and board members and push them toward a deadline most won’t hit on the first reminder.
3. Run a tracker — usually a spreadsheet — logging who has completed and who hasn’t.
4. Follow up with the last 20% of staff who didn’t act on the first three emails. This part usually happens in the final two weeks of August.
5. Collect individual completion certificates, organize them as supporting evidence, and submit the compliance attestation to the state.

None of this is the highest use of a Chief Appraiser’s time, and the workload doesn’t reduce in a busy year — it just gets crammed into less time.

💡 Automating the Compliance Cycle

The full compliance cycle — training delivery, enrollment, reminders, tracking, certificate collection, attestation — is something a managed IT partner that works with CADs can handle as part of standard service. Here’s what the automated version looks like in practice:

• Always-current state-certified curriculum. The training platform stays on the state-certified list, with content updated as new threat patterns emerge — phishing, credential theft, social engineering, business email compromise.
• Automated enrollment and reminders. Staff and board members are enrolled by the platform, and reminder emails go out on a schedule the system manages. Your office isn’t the one doing the chasing.
• New hires assigned automatically. When a new appraiser or admin starts, training assignment is part of the IT onboarding — no separate step for HR or your office to remember.
• Phishing simulations between training cycles. Awareness training once a year is the floor. Periodic simulated phishing emails throughout the year give you visibility into which staff might need a refresh before an actual attacker tests them.
• Attestation-ready reporting. On August 31, you have a single report showing completion status for every covered employee and board member, ready to submit to the state.

🛡️ Beyond Training: Securing the Whole District

Training is one layer of the compliance and security picture, but it’s only one layer. A staff member who recognizes a phishing email and doesn’t click is your last layer of defense. The earlier layers — the ones that keep the phishing email from landing in the inbox, or from succeeding if it does — matter at least as much.

For CADs that’s a defense-in-depth setup: 24/7 endpoint detection and response on workstations, modern email security that filters phishing before it lands, multi-factor authentication enforced across CAMA and Microsoft 365, and immutable cloud backups of CAMA databases and GIS files. When a staff member does click something they shouldn’t (it’ll happen eventually), the goal is for the next layer to catch it before it spreads across the network.

And the IT side needs to own CAMA performance too — not bounce the ticket back to TrueAutomation, Tyler, or Spatialest when something’s slow. That coordination piece is half the job for a CAD’s IT partner. We hold a 15-minute response window for appraiser-blocking issues during business hours.

Let’s Make This Year Easy

If your compliance spreadsheet is a recurring summer headache, it’s worth knowing this part of the work is offloadable. safemode IT handles cybersecurity training compliance — state-certified curriculum, enrollment, reminders, completion tracking, and the August 31 attestation report — as part of our managed IT service for Texas appraisal districts.

If you’d like to talk about how it would work for your district specifically, reach out to safemode IT. We work with Texas CADs specifically, so the conversation doesn’t start with explaining what a CAMA system is.