Cybersecurity for Texas Local Governments and Municipalities

Texas municipalities, counties, school districts, and special districts operate as primary targets for ransomware actors, phishing campaigns, and data exfiltration attacks due to their combination of sensitive citizen data, aging IT infrastructure, and limited security budgets. This page covers the regulatory obligations, operational frameworks, and incident-response structures that govern cybersecurity practice for Texas local governments. It addresses the legal authorities that apply, how compliance and risk-management programs are structured, the failure modes most common in the municipal sector, and the decision points that determine which frameworks and reporting obligations apply to a given entity.

Definition and scope

Local government cybersecurity in Texas encompasses all policies, technical controls, personnel practices, and incident-response procedures that public-sector entities below the state agency level must maintain to protect government information systems and the citizen data those systems hold. Covered entities include general-purpose governments (cities, counties), special-purpose districts (utility districts, emergency service districts, hospital districts), and regional planning commissions.

The primary statutory anchor for local government cybersecurity obligations is Texas Government Code, Chapter 2054, administered by the Texas Department of Information Resources (DIR). Subchapter N-1, added by HB 3834 during the 86th Legislature (2019), established mandatory cybersecurity training for all state employees — but local governments are not automatically subject to the same training mandates unless they participate in DIR programs or receive state funding with cybersecurity conditions attached. This creates a compliance boundary that distinguishes state agencies from local bodies.

Data breach notification obligations under Texas Business & Commerce Code §521.053 apply to any person or entity that conducts business in Texas and owns or licenses sensitive personal information — a definition broad enough to capture most local governments that hold resident data. The notification window is no more than 60 days after discovery of a breach (Texas B&C Code §521.053).

Scope and coverage limitations: This page addresses cybersecurity obligations and frameworks as they apply to Texas local governments under Texas law and voluntary federal guidance. Federal obligations — including HIPAA for municipal health departments, IRS Publication 1075 for entities processing federal tax information, and CJIS Security Policy for law enforcement agencies — operate independently of state law and are not fully addressed here. Multi-state data flows, private sector obligations, and federal civilian agency requirements are outside the scope of this page. For the full statutory and regulatory architecture, see Regulatory Context for Texas Cybersecurity.

How it works

Local government cybersecurity programs in Texas are structured around four discrete operational phases:

  1. Risk assessment and baseline controls — Entities adopt a recognized security framework, typically the NIST Cybersecurity Framework (CSF) or the Center for Internet Security (CIS) Controls, to inventory assets, identify vulnerabilities, and establish baseline configurations. DIR's Texas Cybersecurity Framework is aligned to NIST CSF and provides a voluntary reference standard for local entities. The CIS Controls, particularly the first 6 Implementation Group 1 controls, are widely used by small municipalities operating with constrained IT staff.

  2. Policy adoption and training — Governing bodies — city councils, county commissioners courts, or district boards — formally adopt information security policies. Texas Education Code §11.175 mandates that public school boards adopt cybersecurity policies; analogous requirements for general-purpose local governments exist under DIR's voluntary frameworks rather than as binding mandates, though this distinction is increasingly relevant as DIR expands its outreach programs.

  3. Continuous monitoring and vulnerability management — The Cybersecurity and Infrastructure Security Agency (CISA) offers free vulnerability scanning services, including its Cyber Hygiene (CyHy) program, to state and local government entities at no cost (CISA Cyber Hygiene). This program performs external attack surface assessments and delivers weekly reports. Participation requires only a service agreement with CISA.

  4. Incident detection, reporting, and response — When a security incident occurs, local governments must assess whether it triggers statutory notification under Texas B&C Code §521.053 or federal reporting obligations (e.g., CISA's 72-hour reporting requirement under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 for covered critical infrastructure entities). The Texas Division of Emergency Management (TDEM) coordinates response for incidents that affect critical infrastructure or escalate to emergency declarations.

The contrast between DIR-regulated state agencies and local governments is material: state agencies must comply with DIR security standards as a binding obligation under Texas Government Code §2054.133, while most local governments access DIR resources — including cooperative contracts for security tools and managed services — on a voluntary basis. This voluntary participation model means that program quality varies significantly across Texas's 254 counties and more than 1,200 municipalities.

Common scenarios

The Texas local government sector presents four recurring cybersecurity scenarios:

Ransomware attacks on municipal networks — The 2019 coordinated ransomware attack on 22 Texas local governments, documented by DIR and CISA, demonstrated the scale of risk facing smaller entities. Attackers exploited managed service provider (MSP) access to propagate ransomware simultaneously across multiple jurisdictions. Texas Ransomware Threats and Response addresses the technical and legal dimensions of this threat in detail.

Data breach involving citizen records — Municipal utility billing systems, property tax databases, and permit management platforms routinely hold sensitive personal information. A breach of any system holding data covered by Texas B&C Code §521.002 — including Social Security numbers, financial account numbers, or driver's license numbers — triggers the 60-day notification requirement. The Texas Office of the Attorney General (OAG) maintains a breach notification portal and holds civil enforcement authority.

Phishing and credential compromise — Credential theft via phishing remains the entry vector for the majority of public-sector intrusions. CISA's annual advisory data consistently identifies phishing as the leading initial access technique against government entities. Local government email systems that lack DMARC, DKIM, and SPF enforcement are disproportionately represented in these statistics.

Supply chain and third-party vendor risk — Local governments procure services from shared IT vendors, cloud providers, and regional cooperatives. A compromise at the vendor level — as illustrated in the 2019 MSP incident — can propagate laterally to all client jurisdictions simultaneously. Texas Supply Chain Cybersecurity covers the vendor risk management frameworks applicable to public-sector procurement.

Decision boundaries

Determining which obligations apply to a specific Texas local government requires resolving three classification questions:

Is the entity a "covered entity" under a federal sector-specific framework? Municipal hospitals and health departments may be HIPAA-covered entities. County sheriff offices and municipal police departments must comply with the FBI Criminal Justice Information Services (CJIS) Security Policy. Municipal utilities that qualify as bulk electric system operators fall under NERC CIP standards enforced by the Electric Reliability Council of Texas (ERCOT) and the North American Electric Reliability Corporation. These federal obligations are separate from and may be more stringent than state-level requirements.

Does the entity receive federal grants or funding with cybersecurity conditions? The State and Local Cybersecurity Grant Program (SLCGP), authorized under the Infrastructure Investment and Jobs Act (2021) and administered by CISA, requires grant recipients to develop cybersecurity plans aligned to CISA's guidelines. Texas receives an annual allocation under this program; local entities that participate as sub-recipients accept those plan requirements. Texas Cybersecurity Grants and Funding details the current program structure.

What is the entity's size and resource profile? DIR classifies local governments differently from state agencies for the purpose of voluntary assistance programs. Small municipalities — those under 50,000 population — have access to DIR's shared services catalog and cooperative contracts under Texas Government Code §2054.0593, which authorizes DIR to provide cybersecurity services to local governments. Larger cities and counties with dedicated IT departments typically engage independent security assessors and maintain their own security operations capabilities; a structured approach to those assessments is described in Texas Cybersecurity Audits and Assessments.

Entities navigating this landscape for the first time will find the full index of reference materials useful for locating the applicable statutory texts, regulatory contacts, and framework documentation relevant to their sector and size.

References

📜 2 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Services & Options Key Dimensions and Scopes of Texas Cybersecurity Regulations & Safety Texas Cybersecurity in Local Context Tools & Calculators Password Strength Calculator FAQ Texas Cybersecurity: Frequently Asked Questions