UCSF will begin to limit or revoke access to systems for anyone whose cybersecurity training has expired as of May 21, 2025.
In response to the increasing threat of cyberattacks, University of California President Dr. Michael Drake and the UC Regents issued a system-wide cybersecurity mandate. As part of this, all UC faculty and staff are required to complete annual cybersecurity training. UCSF has taken steps to streamline compliance, including more accurate reporting, to help achieve this 100% completion mandate.
Your vigilance helps keep UCSF resilient and secure!
Cybersecurity training can be completed in the UC Learning Center.
- Assigned Activities: You can check your individual “Assigned Activities” in the Training Analysis section of the UC Learning Center at any time to see which trainings are required for you and when they are due.
- There are two different versions of this training, depending on your UCSF role:
What happens if you don’t complete training?
To protect our systems and data, UCSF will enforce the following steps for expired training:
- Reminder emails - You will receive notifications as your training nears expiration.
- Missed deadline - If you do not meet the training deadline, your MyAccess account will be disabled, blocking access to systems like BearBuy, HBS/MyTime, DocuSign and MyExpense.
- 30 days overdue - You’ll be required to change your Active Directory account password daily.
- 60 days overdue - Your Active Directory account will be disabled, effectively revoking access to all UCSF systems including email and Apex. To maintain patient care, an emergency process is in place to help those with revoked access.
Cybersecurity Training Noncompliance Systems Access Consequences FAQs
Who is impacted by these cybersecurity consequences?
What are the consequences if I am noncompliant with cybersecurity training?
How do I regain access to UCSF systems if MyAccess or Active Directory is disabled?
I’ve lost access to patient care systems that I need immediately. What do I do?
I don’t use MyAccess often. What systems can I lose access to if I don’t complete the training?
What does it mean to have my Active Directory disabled?
Can I get reciprocal credit for similar training from other organizations? If so, how?