Complete Cybersecurity Training or you could lose access to systems!

UCSF will begin to limit or revoke access to systems for anyone whose Cybersecurity training has expired as of May 21, 2025.

In response to the increasing threat of cyberattacks, University of California President Dr. Michael Drake and the UC Regents issued a system-wide cybersecurity mandate. As part of this, all UC faculty and staff are required to complete annual cybersecurity training. UCSF has taken steps to streamline compliance, including more accurate reporting, to help achieve this 100% completion mandate.

Your vigilance helps keep UCSF resilient and secure!

Cybersecurity training is available to complete in the UC Learning Center.

UC Cyber Security Awareness Fundamentals

Version for all Health, Campus employees, staff, faculty and Office of Graduate Medical Education

UCSF Cyber Security Awareness Training for students, BCH Oakland and Affiliates

Version for registered students and Affiliates

What happens if you don’t complete training?

To protect our systems and data, UCSF will enforce the following steps for expired training:
  1. Reminder emails - You will receive notifications as your training nears expiration.
  2. Missed deadline - If you do not meet the training deadline, your MyAccess account will be disabled, blocking access to systems like BearBuy, HBS/MyTime, DocuSign and MyExpense.
  3. 30 days overdue - You’ll be required to change your Active Directory account password daily.
  4. 60 days overdue - Your Active Directory account will be disabled, effectively revoking access to all UCSF systems including email and Apex. To maintain patient care, an emergency process is in place to help those with revoked access.
Cybersecurity Training Noncompliance Systems Access Consequences FAQs
Who is impacted by these cybersecurity consequences?

All members of the UCSF workforce including faculty/academics, staff, and learners at UCSF; UCSF Fresno; and UCSF Health, including Benioff Children’s, Hyde and Stanyan hospitals, clinics and affiliates.  

What are the consequences if I am noncompliant with cybersecurity training?

To protect our systems and data, UCSF will enforce the following steps for expired training: 

  1. Reminder emails - You will receive notifications as your training nears expiration. You may also check your status anytime in the UC Learning Center.
  2. Missed deadline - If you do not meet the training deadline, your MyAccess account will be disabled, blocking access to systems like BearBuy, HBS/MyTime, DocuSign, and MyExpense.  You will only be able to access Learning Management System (LMS) training and UCPath from the MyAccess landing page. You will still retain access to critical systems like the LMS, email, APeX, and more.
  3. 30 days overdue - You’ll be required to change your Active Directory account password daily. 
  4. 60 days overdue - Your Active Directory account will be disabled, effectively revoking access to all UCSF systems, including UCSF email and APex. To maintain patient care, an emergency process is in place to help those with revoked access. 

Along with system access being disabled, employees may be subject to performance management as a result of non-compliance.  

How do I regain access to UCSF systems if MyAccess or Active Directory is disabled?

You can regain access by completing your assigned cyber awareness training. Once you have completed the training your access will be restored the following morning.

Additionally, you can contact the ServiceDesk and they will restore your access for one day. You must complete your training that same day or your account will be disabled again. 

I’ve lost access to patient care systems that I need immediately. What do I do?

Contact the ServiceDesk to restore your access. You must complete the training that same day or your account will be disabled the following morning at 8am. 

I don’t use MyAccess often. What systems can I lose access to if I don’t complete the training?

If your access to MyAccess is restricted, the only systems and applications that will be available on MyAccess is the LMS training site and UCPath.

What does it mean to have my Active Directory disabled?

This means that your login credentials will be disabled.

You will have to contact the ServiceDesk to restore your access to all UCSF applications and systems.  You must complete the required training the same day to avoid having your login credentials disabled again.

Can I get reciprocal credit for similar training from other organizations? If so, how?

Please submit a support form ticket to the Learning & Organization Development's Learning Management System (LMS) team to see if you/the given training is eligible.

I work at BCH Oakland. Where do I take the cyber awareness training?
If I am an employee of BCH on both sides of the bay, where do I check my cyber awareness training compliance?

Our recommendation is to ensure that you are compliant for your cyber awareness training in the UC Learning Center.

Who is cyber awareness training assigned to?

All employees who are assigned cyber awareness training have to take said training every year.

There are some exceptions such as those without salary, Emeritus, Volunteers, Clinical Volunteers, etc.

UC Learning Center Guidance