EncryptedTechnology: Texas Cyber Command (TXCC) FY 2026-27 Certification Pending Learn more →

ComplianceJuly 6, 2026· 6 min read

Meet the Texas Cyber Command: What HB 150 Actually Changed for Your Training Program

If you administer cybersecurity training for a Texas city, county, school district, or state agency, one thing changed this cycle and several things did not. Here is a plain-language guide to the new Texas Cyber Command — what it now handles, what stayed with DIR, and what you should do differently.

By EncryptedTechnology Security Team

The short version: Training program certification moved from DIR to the Texas Cyber Command. Security incident reporting, the Security Control Standards, and the Cloud Security Policy did not. Your annual training obligation is the same — but the agency certifying your training provider is new.

What Is the Texas Cyber Command?

House Bill 150, passed by the 89th Texas Legislature in 2025, created the Texas Cyber Command (TXCC) and transferred the state's cybersecurity training certification function to it. Before HB 150, the Texas Department of Information Resources (DIR) certified the security awareness training programs that state agencies and local governments are required to use. Starting with the FY 2026-27 cycle, that responsibility belongs to the Texas Cyber Command.

The underlying training requirement did not go away or get lighter. It now lives in Texas Government Code Chapter 2063: covered employees, elected and appointed officials, and contractors with access to government information resources must complete a certified cybersecurity training program each year. What changed is who certifies the programs and, this cycle, what those programs must cover.

What Moved to the Texas Cyber Command

For a training administrator, the transfer touches three things you interact with every year:

  • Certification of training programs. Providers now submit their programs to the Texas Cyber Command for certification, not DIR. The FY 2026-27 submission window for providers runs June 1 through July 31, 2026.
  • The certified provider list. The list your organization uses to choose a compliant training program is now published and maintained by the Texas Cyber Command. The FY 2026-27 list is expected on August 31, 2026 — one day before the new training year begins on September 1.
  • The certification standards themselves. The Texas Cyber Command sets the criteria a training program must meet to be certified, and the FY 2026-27 criteria expanded substantially (more on that below).

What Did NOT Move: DIR Still Does These

A common misreading of the transition is that DIR is out of the cybersecurity picture entirely. It is not. Several functions your organization relies on remain with DIR, unchanged:

  • Security incident reporting. The incident reporting obligations under Texas Government Code § 2054.077 still run through DIR. If your organization experiences a security incident, your reporting procedures should continue to point where they always have.
  • The Security Control Standards. The state's baseline security control catalog remains a DIR function. If your security policies reference DIR's Security Control Standards, those references are still correct.
  • The Cloud Security Policy. DIR's cloud security requirements are likewise unaffected by the training certification transfer.

Practically: do not rewrite your incident response plan or your security policy references because of HB 150. The only place "DIR" should change to "Texas Cyber Command" in your documentation is wherever you describe who certifies your annual training program.

The Substantive Change: New Required Training Content

If the agency name were the only change, this would be an administrative footnote. It is not — the FY 2026-27 certification standards also require training programs to cover topic areas that earlier cycles did not:

  • Business email compromise (BEC) — including the specific warning signs of forced urgency, unnatural text, repetitive writing, and unverifiable details.
  • Foreign adversary awareness — including United Front Work Department (UFWD) tactics and methods, resources on UFWD activity in Texas, and how to report concerns to the Texas Ethics Commission.
  • Foreign adversary restrictions — the Texas Government Code § 572.070 prohibitions on accepting travel, gifts, or lodging from foreign adversaries, the 30-day reporting requirement, and the consequences for violations.

This matters when you evaluate providers: a program that was certified by DIR in a prior cycle does not automatically meet the new criteria. The curriculum itself has to have been updated.

What You Should Do Differently This Cycle

For most administrators this comes down to four adjustments:

  • Look for the Texas Cyber Command's certified list, not DIR's. When the FY 2026-27 list publishes on August 31, 2026, that is the authoritative list. Confirm your chosen provider appears on it before relying on their training for compliance.
  • Do not assume last year's provider carries over. Prior DIR certification does not extend into FY 2026-27. Every provider had to resubmit under the new standards during the June 1 – July 31 window.
  • Ask providers specifically about the new content areas. BEC warning signs, foreign adversary awareness, and the § 572.070 restrictions are now required. If a provider cannot show you where their curriculum covers them, that is a red flag.
  • Leave your incident reporting and security policy references alone. Those still point to DIR, and they are still correct.

Where EncryptedTechnology Stands

EncryptedTechnology built its six-module curriculum to the FY 2026-27 certification standards from the start — including the required BEC warning signs, a full module on foreign adversary awareness and UFWD tactics, and dedicated coverage of the § 572.070 restrictions and 30-day reporting requirement. We submitted our program to the Texas Cyber Command during the FY 2026-27 certification window, and the final certification determination rests with the Texas Cyber Command. We will update customers and prospective partners as soon as that determination is made.

Built to the FY 2026-27 standards

Plan your FY 2026-27 training now

Review how our curriculum maps to the new Texas Cyber Command requirements, or see pricing for your organization's size — before the August 31 certified list publishes.