Cybersecurity Frameworks and Standards Applied in Texas
Texas organizations operating across public and private sectors navigate a layered landscape of cybersecurity frameworks, federal standards, and state-specific mandates. This page maps the principal frameworks applied in Texas, their regulatory grounding, the entities to which each applies, and the boundaries that determine which standards govern a given organization. Frameworks range from voluntary federal guidance published by the National Institute of Standards and Technology to mandatory controls imposed on state agencies by the Texas Department of Information Resources (DIR).
Definition and scope
A cybersecurity framework is a structured set of policies, controls, and procedural guidelines that define how an organization identifies, protects against, detects, responds to, and recovers from cyber threats. In Texas, frameworks operate at three distinct levels: federal mandates that apply regardless of state law, state-statutory requirements enforced by Texas agencies, and voluntary standards that organizations adopt to demonstrate due diligence or satisfy contractual obligations.
The primary federal reference is the NIST Cybersecurity Framework (CSF), maintained by the National Institute of Standards and Technology. CSF 1.1 organizes cybersecurity outcomes into five core functions (Identify, Protect, Detect, Respond, and Recover); CSF 2.0, published in February 2024, adds a sixth, Govern, covering risk strategy, roles, and oversight. The CSF is widely referenced in Texas DIR guidance as the baseline for state agency risk management. A companion catalog, NIST SP 800-53 Rev 5, defines 20 control families covering access control, audit and accountability, incident response, and supply chain risk management, among others; the low, moderate, and high control baselines drawn from that catalog are published separately in NIST SP 800-53B.
At the state level, Texas Government Code, Chapter 2054, Subchapter N-1 (Cybersecurity), added by the Texas Cybersecurity Act (HB 8, 85th Legislature, 2017), requires state agencies and institutions of higher education to maintain cybersecurity programs aligned with DIR-published standards. The mandatory security standards themselves are codified in Title 1, Chapter 202 of the Texas Administrative Code (1 TAC Chapter 202) and detailed in DIR's Security Control Standards Catalog; alongside them DIR issues the Texas Cybersecurity Framework, a state-specific adaptation that draws from NIST CSF and maps requirements to Texas statutory obligations. For the full statutory and regulatory architecture governing these requirements, see Regulatory Context for Texas Cybersecurity.
Scope and coverage: DIR's framework authority applies directly to Texas state agencies, public universities, and — under specific statutory provisions — qualifying local governments. Private sector entities, federally chartered institutions, and organizations not contracting with state government fall outside DIR's direct authority. Federal frameworks such as HIPAA (enforced by the U.S. Department of Health and Human Services) and the Gramm-Leach-Bliley Act (GLBA, enforced by the FTC and federal banking regulators) apply to healthcare and financial entities operating in Texas irrespective of DIR's scope. Multi-state data flows and international regulatory obligations — including GDPR — are not covered by Texas-specific framework mandates and are not addressed on this page.
How it works
Texas cybersecurity framework compliance operates through a tiered implementation process. DIR publishes the Texas Cybersecurity Framework and conducts biennial security control assessments for covered agencies. The process follows four phases:
- Inventory and classification — Agencies catalog information systems, assign sensitivity classifications, and identify applicable control baselines under DIR's data classification standards.
- Control selection and implementation — Based on system classification, agencies select controls from DIR's Security Control Standards Catalog, which is built on the NIST SP 800-53 Rev 5 control families. High-impact systems are subject to a larger control set than low-impact systems, and, following the FIPS 199 convention, a system's overall impact level is the highest of its confidentiality, integrity, and availability ratings, so one high rating pulls the whole system into the larger baseline.
- Assessment and gap analysis — DIR or its authorized assessors evaluate implemented controls against the required baseline. The Texas State Auditor's Office (SAO) independently audits state agency information security programs and publishes findings publicly.
- Remediation and continuous monitoring — Agencies address identified gaps through plans of action and milestones (POA&Ms), ordering remediation so that a base control is in place before the enhancements that depend on it, and implement continuous monitoring tooling. DIR's Network Security Operations Center (NSOC) provides threat intelligence and monitoring support to covered entities.
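The classification, control selection and gap-analysis steps above, followed by POA&M ordering, as an added worked example; this is not DIR tooling or code from this page. It uses a constructed excerpt of control-to-baseline membership in the style of NIST SP 800-53B (the membership is simplified for illustration and the system self-assessment is invented), so consult the published baselines before relying on any entry. The `impact_level` function is the FIPS 199 high-water-mark rule that the Decision boundaries section below relies on.

```python
"""Baseline selection, gap analysis and POA&M ordering for an SP 800-53-style catalog."""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, ascending

# Constructed excerpt: control ID -> lowest baseline that requires it.
# Membership is simplified for illustration; NIST SP 800-53B is authoritative.
BASELINE_FLOOR = {
    "AC-2": "low", "AC-2(1)": "moderate", "AC-2(2)": "moderate",
    "AU-2": "low", "AU-6": "low", "AU-6(1)": "moderate",
    "CM-8": "low", "CM-8(1)": "moderate", "CM-8(3)": "moderate",
    "IR-4": "low", "IR-4(1)": "moderate", "IR-4(4)": "high",
    "SI-4": "low", "SI-4(2)": "moderate", "SI-4(4)": "moderate",
    "SR-3": "low", "SR-6": "moderate",
}


def impact_level(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 high-water mark: the system level is the highest of the three objectives."""
    objectives = (confidentiality, integrity, availability)
    for rating in objectives:
        if rating not in LEVELS:
            raise ValueError(f"unknown impact rating {rating!r}")
    return max(objectives, key=LEVELS.index)


def base_control(control_id: str) -> str:
    """'AC-2(1)' -> 'AC-2'; a base control maps to itself."""
    return control_id.split("(")[0]


def required_controls(level: str) -> set[str]:
    """Every catalog entry whose floor is at or below the selected baseline."""
    rank = LEVELS.index(level)
    return {cid for cid, floor in BASELINE_FLOOR.items() if LEVELS.index(floor) <= rank}


def gap_analysis(level: str, implemented: set[str]) -> dict[str, set[str]]:
    """Compare a self-assessment against the baseline the impact level requires."""
    required = required_controls(level)
    return {
        "required": required,
        "missing": required - implemented,
        # An enhancement claimed without its base control is an inconsistency to flag, not credit.
        "orphaned": {c for c in implemented if "(" in c and base_control(c) not in implemented},
        # Implemented but not required at this level: not a gap, but worth noting for cost review.
        "beyond_baseline": implemented - required,
    }


@dataclass(frozen=True)
class PoamItem:
    control: str
    family: str
    milestone: date
    note: str


def build_poam(missing: set[str], assessed_on: date,
               base_days: int = 90, enhancement_days: int = 180) -> list[PoamItem]:
    """Order remediation so base controls land before the enhancements that depend on them."""
    items = []
    for cid in sorted(missing, key=lambda c: ("(" in c, c)):
        is_enhancement = "(" in cid
        items.append(PoamItem(
            control=cid,
            family=cid.split("-")[0],
            milestone=assessed_on + timedelta(days=enhancement_days if is_enhancement else base_days),
            note=(f"enhancement; depends on {base_control(cid)}" if is_enhancement else "base control"),
        ))
    return items


# Constructed self-assessment for a hypothetical case-management system (not real agency data).
SYSTEM_LEVEL = impact_level(confidentiality="moderate", integrity="low", availability="low")
IMPLEMENTED = {"AC-2", "AU-2", "AU-6(1)", "CM-8", "CM-8(3)", "IR-4", "IR-4(4)", "SI-4", "SI-4(2)", "SR-3"}
ASSESSED_ON = date(2025, 1, 15)

if __name__ == "__main__":
    report = gap_analysis(SYSTEM_LEVEL, IMPLEMENTED)
    print(f"level={SYSTEM_LEVEL} required={len(report['required'])} missing={sorted(report['missing'])}")
    print(f"orphaned={sorted(report['orphaned'])} beyond_baseline={sorted(report['beyond_baseline'])}")
    for item in build_poam(report["missing"], ASSESSED_ON):
        print(f"{item.family:3} {item.control:9} due {item.milestone}  {item.note}")
```

Run as a script, the constructed system is rated moderate because its confidentiality rating is moderate even though integrity and availability are low. The report separates true gaps from two conditions an assessor should treat differently: an enhancement (AU-6(1)) claimed without its base control, which should not be credited, and a high-baseline enhancement (IR-4(4)) implemented beyond what the moderate baseline requires. The POA&M puts missing base controls on a shorter milestone than enhancements, since an enhancement cannot be closed before the control it extends.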
For critical infrastructure sectors, additional framework layers apply. Electric utilities operating within the ERCOT interconnection are subject to NERC CIP (Critical Infrastructure Protection) standards, developed by the North American Electric Reliability Corporation, approved by the Federal Energy Regulatory Commission (FERC), and enforced in ERCOT through the Texas Reliability Entity (Texas RE). These obligations are distinct from and parallel to DIR requirements. Organizations operating in this space should consult Texas Cybersecurity for the Energy Sector for sector-specific obligations.
Federal contractors operating in Texas may also be subject to the NIST SP 800-171 control set, which governs protection of Controlled Unclassified Information (CUI) in nonfederal systems, and — for Department of Defense contractors — the Cybersecurity Maturity Model Certification (CMMC) framework administered by the DoD.
Common scenarios
State agency compliance: A Texas executive branch agency completes a cybersecurity assessment of its information resources at least every two years, as required by Texas Government Code §2054.515. The agency maps its implemented controls to the DIR framework, submits a self-assessment report, and receives DIR's findings. Deficiencies are tracked by the agency's information security officer and carried in the agency's plan of action and milestones until closed and reported back to DIR.
K–12 public schools: Texas public school districts are required under Texas Education Code §11.175 to adopt a cybersecurity policy and designate a cybersecurity coordinator. Districts typically reference NIST CSF as the operational framework, though the statute does not mandate a specific framework by name. The Texas Cybersecurity for School Districts reference covers this sector's obligations in full.
Healthcare organizations: A Texas-based hospital network applies HIPAA's Security Rule (45 CFR Part 164, Subpart C), which mandates administrative, physical, and technical safeguards for electronic protected health information. The Security Rule does not name a framework, but under the 2021 HITECH amendment (Public Law 116-321) HHS must consider whether an entity has had "recognized security practices" in place for the prior 12 months when determining penalties, and the NIST CSF and the HHS 405(d) practices qualify. State breach notification under Texas Business & Commerce Code §521.053 applies concurrently, requiring notice to affected individuals within 60 days of determining that a breach occurred and, when 250 or more Texas residents are affected, notice to the Texas Attorney General within 30 days.
Financial institutions: GLBA's safeguards obligations reach Texas financial institutions through two channels. Banks and credit unions follow the Interagency Guidelines Establishing Information Security Standards issued by their federal prudential regulators (and NCUA rules for credit unions); non-bank financial institutions such as mortgage brokers, payday lenders, and dealers that extend credit follow the FTC Safeguards Rule (16 CFR Part 314). The FTC amended its rule in 2021 (most requirements effective June 2023) to require specific controls, including multi-factor authentication, encryption of customer information in transit and at rest, a designated qualified individual, and written risk assessments, and in 2023 added a requirement to notify the FTC within 30 days of a notification event affecting 500 or more consumers (effective May 2024). State-chartered banks also face oversight from the Texas Department of Banking, which incorporates the FFIEC's interagency cybersecurity guidance into its examination standards.
Decision boundaries
Selecting the applicable framework depends on three classification axes:
Entity type: State agencies and public universities → DIR Texas Cybersecurity Framework (mandatory). K–12 public schools → Texas Education Code §11.175 policy requirement (framework choice is local). Private sector entities → voluntary frameworks unless sector-specific federal mandates apply.
Sector: Healthcare → HIPAA Security Rule. Financial services → Interagency Guidelines for banks and credit unions, FTC Safeguards Rule for non-bank financial institutions. Electric utilities → NERC CIP. Defense contractors → NIST SP 800-171 / CMMC. All others in the private sector → voluntary adoption of NIST CSF or ISO/IEC 27001.
System impact level: Within NIST-aligned frameworks, the impact classification (low, moderate, high) determines the control baseline. Under NIST SP 800-53B, which publishes the Rev 5 baselines, the low baseline contains roughly 150 controls and enhancements, the moderate baseline roughly 290, and the high baseline roughly 370 (the often-quoted figures of 125 and 325 are the Rev 4 low and moderate counts). The difference materially affects implementation cost and timeline, and because the overall level is the high-water mark of the confidentiality, integrity, and availability ratings, a single high rating on one objective pulls the whole system into the larger baseline.
NIST CSF and ISO/IEC 27001 address overlapping domains but differ structurally: NIST CSF is outcome-based and organized by function, while ISO/IEC 27001 is a certifiable management system standard with formal audit and certification requirements. Organizations seeking third-party certification typically pursue ISO/IEC 27001; those aligning with federal or Texas state requirements typically operate under NIST CSF.
For organizations assessing their posture across these dimensions, Texas Cybersecurity Audits and Assessments describes the assessment service landscape and professional qualification standards applicable in Texas. The site index provides a full reference map across Texas cybersecurity sectors and topics.
References
- NIST Cybersecurity Framework (CSF) — National Institute of Standards and Technology
- NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems — NIST Computer Security Resource Center
- NIST SP 800-171, Protecting CUI in Nonfederal Systems — NIST CSRC
- Texas Department of Information Resources (DIR) — Texas Cybersecurity Framework and state agency program oversight
- Texas Government Code, Chapter 2054 — Statutory basis for DIR cybersecurity authority over state agencies
- Texas Business & Commerce Code, §521.053 — Breach notification requirement
- Texas State Auditor's Office (SAO) — Independent information security audits of state agencies
- CISA Cybersecurity and Infrastructure Security Agency — Federal critical infrastructure guidance and free scanning resources
- FTC Gramm-Leach-Bliley Act Safeguards Rule — Financial sector cybersecurity requirements
- HIPAA Security Rule, 45 CFR Part 164 — HHS electronic protected