Texas DIR Cybersecurity Program and Standards

The Texas Department of Information Resources (DIR) administers the state's primary cybersecurity compliance framework, setting binding standards for state agencies, institutions of higher education, and an expanding set of public-sector entities under Texas Government Code Chapter 2054. This page covers the structure, scope, regulatory mechanics, classification boundaries, and operational tensions of the DIR cybersecurity program — functioning as a reference for procurement officers, compliance professionals, agency leadership, and researchers navigating Texas public-sector security requirements.


Definition and Scope

The DIR cybersecurity program is the statutory compliance architecture under which Texas state agencies and institutions of higher education manage information security risks. Its legal foundation is Texas Government Code, Chapter 2054, which designates DIR as the lead authority for statewide information technology policy, including security standards. Subchapter N-1, added by House Bill 3834 during the 86th Texas Legislature (2019), expanded DIR's authority specifically to mandate cybersecurity training for all state employees who use a computer in the performance of their duties.

The program's primary instruments are the Texas Cybersecurity Framework (TX-CSF) — aligned to the NIST Cybersecurity Framework (CSF) — and the Texas Cybersecurity Council, which advises DIR on statewide policy. The Statewide Information Security Assessment, conducted biennially, measures aggregate compliance posture across covered entities and is published through DIR's information security portal.

Scope of coverage: The program applies directly to Texas state agencies, state-funded institutions of higher education, and, under 2023 legislative expansions, certain local governments and critical infrastructure operators when they access state systems or participate in DIR-administered programs. It does not directly regulate private businesses (those obligations arise under Texas Business & Commerce Code Chapter 521), healthcare-specific entities under federal HIPAA frameworks, or federally chartered financial institutions governed by OCC or FDIC rules. For the broader statutory and regulatory architecture, the regulatory context for Texas cybersecurity provides a comprehensive treatment. The main site index maps additional reference materials across the full Texas cybersecurity domain.


Core Mechanics or Structure

The DIR cybersecurity program operates through four primary structural mechanisms:

1. Minimum Security Standards. Under Texas Government Code §2054.133, DIR establishes minimum security standards that covered entities must implement. These standards are benchmarked against NIST Special Publication 800-53 (NIST SP 800-53, Rev. 5), which organizes controls into 20 control families including Access Control, Incident Response, and Supply Chain Risk Management. DIR does not wholesale adopt NIST SP 800-53 but maps its state standards to the NIST framework to ensure federal compatibility.

2. Biennial Security Plans and Assessments. Each covered entity must submit a biennial information security plan to DIR, documenting current controls, identified gaps, and remediation timelines. The Statewide Information Security Assessment aggregates these submissions to produce a risk profile for state government as a whole.

3. Mandatory Cybersecurity Training. All state agency employees whose job functions involve computer use must complete DIR-certified cybersecurity training annually. Training providers and course content must meet certification criteria established by DIR under HB 3834 (86th Legislature, 2019). This requirement extends to contractors operating within state agency environments under certain conditions.

4. Incident Reporting and Response Coordination. Covered entities are required to report cybersecurity incidents to DIR within 48 hours of discovery under Texas Government Code §2054.1125. DIR coordinates with the Texas Division of Emergency Management (TDEM) for incidents with potential emergency management implications, and with CISA for incidents touching federal systems or critical infrastructure. The incident reporting and response structure is detailed further at Texas Cybersecurity Incident Response.

5. Procurement and Vendor Standards. DIR administers cooperative contracts (DIR Cooperative Contracts) through which state agencies procure IT products and services. Vendors participating in these contracts must meet security baseline requirements, bringing supply chain security into the DIR compliance structure. See Texas Supply Chain Cybersecurity for extended treatment.


Causal Relationships or Drivers

The current structure of the DIR cybersecurity program reflects a specific sequence of legislative and incident-driven expansions:

The 2019 ransomware attack on 22 Texas local government entities — one of the largest coordinated ransomware events targeting a single U.S. state at that time — directly accelerated legislative activity leading to Senate Bill 64 and associated measures in the 87th Legislature (2021), which expanded DIR's coordination authority and formalized incident response protocols. Texas Ransomware Threats and Response covers this incident class in detail.

Federal alignment creates a secondary driver: CISA's Known Exploited Vulnerabilities (KEV) Catalog and Binding Operational Directives (BODs) apply directly to federal civilian agencies, but their practical effect on state programs is substantial because state agencies that receive federal funding or operate shared infrastructure must demonstrate alignment with federal standards to maintain grant eligibility.

The Texas State Auditor's Office (SAO) generates a third structural pressure through its information security audit program. SAO publishes findings on individual agency compliance with DIR standards, and repeated audit failures create legislative record that historically precedes statutory tightening of DIR authority.

DIR's own threat intelligence function — operating in coordination with CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) — feeds observed threat patterns back into standard updates, creating a feedback loop between the Texas cybersecurity threat landscape and the standards themselves.


Classification Boundaries

The DIR program distinguishes covered entities across three primary dimensions:

By Entity Type:
- State agencies — fully subject to all DIR standards, training mandates, and reporting obligations under Chapter 2054.
- Institutions of higher education — subject to DIR standards with limited carve-outs for research environments. The University of Texas System and Texas A&M System each maintain their own security offices but must conform to DIR minimums.
- K–12 public school districts — governed primarily by Texas Education Code §11.175, which requires school boards to adopt cybersecurity policies. DIR standards do not apply directly; see Texas Cybersecurity for School Districts.
- Local governments — not automatically subject to DIR standards unless they access state systems, participate in DIR cooperative contracts, or receive state grants with cybersecurity conditions. See Texas Cybersecurity for Local Governments.

By Data Classification:
DIR standards apply tiered controls based on data sensitivity, distinguishing at minimum between public information, confidential information (as defined under Texas Government Code §552), and categories subject to federal overlay requirements (HIPAA, FERPA, FedRAMP).

By System Criticality:
Systems designated as critical to state operations receive heightened control requirements, including more frequent vulnerability scanning, mandatory penetration testing cycles, and elevated incident reporting thresholds. The Texas Critical Infrastructure Protection framework further subdivides criticality for infrastructure sectors including energy, water, and transportation.

For compliance professionals assessing whether a given entity or system falls under DIR jurisdiction, the Texas Cybersecurity Frameworks and Standards reference page provides a comparative matrix.


Tradeoffs and Tensions

Centralization vs. Agency Autonomy. DIR's authority to set minimum standards creates tension with large agencies — particularly the Health and Human Services Commission and the Texas Department of Transportation, each of which operates complex, heterogeneous IT environments — that argue their operational requirements exceed what a uniform statewide standard accommodates. DIR addresses this through risk acceptance processes, but the asymmetry between DIR's standards-setting role and agencies' operational realities remains structurally unresolved.

Compliance Reporting vs. Security Outcomes. The biennial assessment model measures documented compliance posture. Agencies that invest in documentation infrastructure can demonstrate compliance without achieving equivalent operational security maturity. SAO audits have surfaced this gap — finding, in multiple agency-specific reports, that documented plans did not reflect actual implemented controls. For an extended treatment of audit and assessment dynamics, see Texas Cybersecurity Audits and Assessments.

Speed of Threat Evolution vs. Regulatory Update Cycles. DIR standards update on cycles measured in years; threat actors operate on cycles measured in days. The 48-hour incident reporting requirement reflects an attempt to compensate through operational responsiveness, but the underlying control standards can lag material threat shifts by 18 to 36 months.

Federal Overlay Complexity. CISA directives, FedRAMP requirements, and sector-specific federal standards (NERC CIP for electric utilities, for example) create compliance stacks that exceed DIR's authority to harmonize. Agencies operating under multiple frameworks must manage reconciliation independently, a burden that falls disproportionately on smaller agencies with limited security staff. The Texas Public Sector Cyber Risk Management framework addresses this multi-standard environment.


Common Misconceptions

Misconception: DIR standards apply to all Texas businesses.
Correction: DIR authority under Chapter 2054 applies to state agencies and institutions of higher education. Private-sector businesses in Texas are governed by Texas Business & Commerce Code Chapter 521 and applicable federal frameworks, not by DIR standards. Confusion arises because DIR administers cooperative contracts used by both public and private entities in some procurement contexts.

Misconception: Completing annual cybersecurity training satisfies all DIR compliance obligations.
Correction: Mandatory training under HB 3834 is one component of a multi-element compliance structure. Covered entities must also maintain current security plans, meet minimum technical controls, conduct risk assessments, and report incidents within required timeframes. Training completion does not substitute for technical or administrative controls.

Misconception: The Texas Cybersecurity Framework is identical to NIST CSF.
Correction: The TX-CSF is aligned to NIST CSF 1.1/2.0 but incorporates Texas-specific requirements and maps to state statutory obligations that have no direct NIST counterpart. An entity certified or compliant under NIST CSF is not automatically compliant with DIR standards.

Misconception: A 48-hour incident report to DIR satisfies all notification obligations.
Correction: DIR notification satisfies the state agency reporting requirement under §2054.1125. It does not substitute for breach notifications to affected individuals under Texas B&C Code §521.053, federal breach reporting under HIPAA (if applicable), or CISA reporting under federal requirements. See Reporting Cyber Incidents in Texas for the full notification matrix.

Misconception: Local governments are automatically covered by the DIR program.
Correction: Local governments in Texas are not automatically subject to DIR standards. Coverage depends on specific contractual, grant, or statutory relationships with state systems. Many Texas municipalities develop independent security policies, sometimes voluntarily aligned to DIR standards, but without a legal mandate to comply absent a triggering relationship.


Checklist or Steps

The following sequence describes the compliance cycle structure for covered entities under the DIR program. This is a structural reference, not advisory guidance.

DIR Compliance Cycle — Covered Entity Process

  1. Confirm Entity Classification — Determine whether the entity qualifies as a state agency or institution of higher education under Texas Government Code Chapter 2054 definitions.

  2. Assign Information Security Officer (ISO) — Designate an ISO as required under §2054.136. Document ISO credentials and reporting structure.

  3. Conduct Risk Assessment — Perform a risk assessment aligned to DIR standards and NIST SP 800-30 (NIST SP 800-30, Rev. 1), identifying assets, threats, vulnerabilities, and risk ratings.

  4. Develop or Update Security Plan — Draft the biennial information security plan incorporating risk assessment results, current control inventory, gap analysis, and remediation milestones.

  5. Implement Minimum Security Controls — Map implemented controls to DIR minimum security standards, identifying any controls requiring risk acceptance documentation.

  6. Enroll Employees in DIR-Certified Training — Verify all computer-using employees are enrolled in and complete DIR-certified annual cybersecurity training. Maintain completion records.

  7. Submit Security Plan to DIR — File the biennial security plan through the DIR submission portal on the required schedule.

  8. Establish Incident Response Procedures — Document incident detection, classification, internal escalation, and 48-hour DIR notification procedures in alignment with Texas Government Code §2054.1125.

  9. Conduct Ongoing Monitoring — Implement continuous monitoring mechanisms consistent with DIR standards; participate in DIR/CISA vulnerability scanning programs where available.

  10. Prepare for SAO Audit Cycle — Maintain documentation supporting compliance assertions; address prior SAO findings before audit recurrence.


Reference Table or Matrix

DIR Cybersecurity Program — Key Instruments and Coverage

| Instrument | Statutory Authority | Applies To | Frequency | Administering Body |
|---|---|---|---|---|
| Texas Cybersecurity Framework (TX-CSF) | Tex. Gov't Code §2054.133 | State agencies, higher ed | Ongoing | DIR |
| Biennial Information Security Plan | Tex. Gov't Code §2054.135 | State agencies, higher ed | Every 2 years | DIR |
| Annual Cybersecurity Training Mandate | Tex. Gov't Code §2054.519 (HB 3834, 2019) | All state agency employees using computers | Annual | DIR (certified providers) |
| 48-Hour Incident Reporting | Tex. Gov't Code §2054.1125 | State agencies | Per incident | DIR / TDEM |
| Statewide Information Security Assessment | Tex. Gov't Code §2054.138 | All covered entities | Biennial | DIR |
| Information Security Audit | Tex. Gov't Code §321.0136 | State agencies | Per SAO schedule | Texas State Auditor's Office |
| Breach Notification Obligation | Tex. B&C Code §521.053 | Private entities, state entities holding personal info | Within 60 days of discovery | Texas OAG |
| CISA Known Exploited Vulnerabilities Catalog | Federal (DHS/CISA authority) | Federal agencies (advisory to state) | Continuous updates | CISA |

For workforce and certification standards applicable to cybersecurity professionals operating within the DIR program environment, see Texas Cybersecurity Certifications and Licensing. For the intersection of DIR requirements and cloud platform use, see Texas Cloud Security Considerations.

