Cyber Risk Management for Texas Public Sector Entities
Texas public sector entities — state agencies, local governments, school districts, and public universities — operate under a structured cyber risk management framework administered primarily by the Texas Department of Information Resources (DIR). This framework defines how government organizations identify, assess, prioritize, and respond to cybersecurity threats against public infrastructure and citizen data. The regulatory architecture spans Texas Government Code Chapter 2054, federal standards from NIST, and federal agency guidance from CISA, creating layered obligations that vary by entity type and sector. Understanding this structure is essential for procurement officers, agency IT leads, information security officers, and elected officials overseeing public technology assets.
Definition and scope
Cyber risk management in the Texas public sector refers to the formalized process by which government entities evaluate threats to their information systems and implement controls proportionate to the risk exposure. Under Texas Government Code Chapter 2054 and DIR's implementing rules, state agencies and institutions of higher education are required to maintain information security programs aligned with the standards DIR publishes. DIR's Texas Cybersecurity Framework is organized around the NIST Cybersecurity Framework functions, and its Security Control Standards catalog maps to NIST SP 800-53 (Rev. 5), which enumerates more than 1,000 security and privacy controls and control enhancements organized into 20 control families.
The scope of mandatory compliance covers:
- State agencies subject to DIR authority under Chapter 2054
- Public universities and community colleges as institutions of higher education
- K–12 school districts under Texas Education Code §11.175, which requires boards of trustees to adopt cybersecurity policies
- Local governments that voluntarily adopt DIR's Texas Cybersecurity Framework or receive state funding tied to cybersecurity conditions
Private entities, federally regulated utilities, and non-public organizations are outside the mandatory scope of DIR's state cybersecurity rules. The full Texas Cybersecurity Frameworks and Standards reference covers how these frameworks are structured and aligned to federal baselines.
This page covers Texas state-law-based cyber risk management obligations. Federal law — including HIPAA for covered healthcare entities and NERC CIP for bulk electric system operators in the ERCOT region — imposes parallel requirements not fully addressed here. Multi-state or international data flow scenarios are similarly outside this page's coverage. For the broader statutory and regulatory landscape, see Regulatory Context for Texas Cybersecurity.
How it works
Cyber risk management in the Texas public sector follows a lifecycle of five phases that map loosely onto the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover; CSF 2.0 adds a sixth function, Govern, covering the oversight and policy activities that sit above this lifecycle):
- Risk Identification — Agencies catalog information assets, data classifications, and threat vectors. DIR requires state agencies to conduct a biennial security assessment and submit the results, together with the biennial information security plan, as part of the Texas Cybersecurity Biennium Report process.
- Risk Assessment — Each identified threat is evaluated for likelihood and potential impact. Agencies compare their current posture against the control baselines in NIST SP 800-53 to identify gaps. DIR's Security Control Standards (SCS) prescribe the minimum baseline for Texas state systems.
- Risk Treatment — Agencies select from four treatment options: accept, mitigate, transfer, or avoid. Risk transfer increasingly involves Texas Cybersecurity Insurance products, though coverage terms for public sector entities differ substantially from commercial policies.
- Implementation and Authorization — Controls are deployed, documented, and tested. Systems handling sensitive data must complete an authorization-to-operate (ATO) process before production deployment.
- Continuous Monitoring — DIR operates the Texas Security Operations Center (SOC), which provides 24/7 monitoring services to enrolled state agencies. Agencies are required to report qualifying incidents to DIR within 48 hours of discovery under Texas Government Code §2054.1125.
The Texas Cybersecurity Audits and Assessments reference details how agencies document and validate compliance across these phases.
Common scenarios
Ransomware incidents at local government entities represent the most operationally disruptive category of cyber risk facing Texas public bodies. The 2019 coordinated ransomware attack struck 22 Texas local governments simultaneously, prompting DIR to activate a statewide coordinated response — one of the first of its kind in the United States. Local governments without formalized risk management programs experienced recovery times measured in weeks rather than days. Texas Ransomware Threats and Response provides sector-specific response guidance.
Phishing-driven credential compromise at school districts frequently originates from spear-phishing campaigns targeting payroll and student-record systems. Texas Education Code §11.175 requires school districts to adopt a cybersecurity policy and designate a cybersecurity coordinator, but the statute does not prescribe specific technical controls, leaving implementation variance across the state's roughly 1,200 school districts. See Texas Cybersecurity for School Districts for the applicable framework.
Third-party vendor and supply chain exposure affects agencies relying on managed service providers, cloud platforms, and integrated software vendors. DIR's rules require state agencies to apply security requirements to major third-party contracts. The Texas Supply Chain Cybersecurity reference covers contract language standards and vendor assessment protocols.
Healthcare data held by public hospitals and county health authorities sits at the intersection of DIR requirements and HIPAA, creating dual-compliance obligations. Public hospital districts must manage risk under both frameworks simultaneously. Texas Cybersecurity for Healthcare Organizations addresses this intersection.
Decision boundaries
The primary decision axis in Texas public sector cyber risk management is entity classification, which determines which standards apply at mandatory versus voluntary levels:
| Entity Type | Primary Standard | Enforcement Authority |
|---|---|---|
| State agency | DIR SCS + NIST SP 800-53 | Texas DIR |
| Public university | DIR SCS + NIST SP 800-53 | Texas DIR |
| K–12 school district | Texas Ed. Code §11.175 | TEA / Local Board |
| Municipality / County | Voluntary DIR framework | No state enforcement |
| Public utility (ERCOT) | NERC CIP + DIR (if state-connected) | PUCT / NERC |
A second decision boundary involves incident reporting thresholds. Under Texas Government Code §2054.1125, reportable security incidents include unauthorized access to state data, ransomware deployment, and denial-of-service attacks against agency systems. The 48-hour reporting window to DIR runs from discovery of the incident and is distinct from the breach notification obligations under Texas Business & Commerce Code §521.053: notice to affected individuals within 60 days of determining that a breach occurred, and, where 250 or more Texas residents are affected, a separate notice to the Office of the Attorney General (a window the legislature shortened to 30 days in 2023). Conflating these separate timelines, or assuming a report to DIR satisfies the §521.053 duties, is a documented compliance failure mode. The Texas Cybersecurity Incident Response and Reporting Cyber Incidents in Texas references detail the procedural distinctions.
A third boundary separates risk acceptance from risk transfer. Public sector entities cannot transfer liability for statutory compliance failures through insurance alone — cyber insurance covers financial losses and remediation costs but does not satisfy DIR reporting or control requirements. Texas Cybersecurity Insurance covers what public sector policies typically do and do not cover.
For a structured map of how all these dimensions interact across the Texas public sector, the site's index provides cross-referenced entry points to each sector and topic area. Professionals assessing their organization's position within this framework should also consult Texas Cybersecurity for State Agencies and Texas Cybersecurity for Local Governments for entity-specific control requirements.
References
- Texas Department of Information Resources (DIR) — Texas Cybersecurity Framework, Security Control Standards, Texas SOC
- Texas Government Code Chapter 2054 — Cybersecurity framework, incident reporting, and DIR authority
- Texas Business & Commerce Code §521.053 — Breach notification obligations, 60-day notification window
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls — Control baseline adopted by DIR
- NIST Cybersecurity Framework (CSF) — Core functions Identify, Protect, Detect, Respond, Recover; CSF 2.0 (2024) adds Govern
- CISA — Cybersecurity and Infrastructure Security Agency — Federal advisories, free vulnerability scanning for state and local government
- Texas Office of the Attorney General — Data Security Breaches — Breach notification portal and enforcement
- Texas State Auditor's Office (SAO) — Information security audit reports for state agencies
- Texas Education Code §11.175 — School district cybersecurity policy mandate