This page is an index. The actionable items are the requirements below.
Standards this Texas adopts
Texas Government Code Chapter 2054 (Information Resources)
Official sourceTexas state agency information security requirements including TX-RAMP for cloud services.
Adopts: FedRAMP— TX-RAMP modeled on FedRAMP.Adopts: NIST 800-53— TX-RAMP draws from NIST 800-53 control baselines.
Requirements
- CA-7 — Continuous MonitoringTX Ch. 2054
- CP-9 — System BackupTX Ch. 2054
- SC-13 — Cryptographic ProtectionTX Ch. 2054
Cybersecurity statutes (background)
In plain terms. Texas runs statewide cybersecurity through the Department of Information Resources under the Information Resources Management Act, with extra rules for large IT and outsourced contracts. Purchasing is centralized in the Comptroller's Statewide Procurement Division.
Who it applies to. State agencies and the IT vendors that serve them — especially vendors on major outsourced or high-value contracts. Texas references NIST/FIPS and participates in StateRAMP.
What it requires. The Information Resources Management Act and its Cybersecurity subchapter direct agency information-security programs and Department of Information Resources oversight. Separate provisions govern major outsourced contracts and add contracting requirements for information resources. State computer-crime law backs it with criminal penalties for unauthorized access.
Why it matters. Selling IT to Texas — particularly on big or outsourced contracts — means meeting the state's information-security program requirements and the added contracting provisions, with StateRAMP expected for cloud services.
Citation. Tex. Gov't Code §§ 2054 (Information Resources Management Act, including the Cybersecurity subchapter 2054 Subch. N-1), 2054-O (Major Outsourced Contracts), 2054-P, and 2054-R; § 552 (Public Information); Tex. Penal Code § 33 (Computer Crimes). References NIST/FIPS; participates in StateRAMP.
Regulations & policies (background)
In plain terms. Texas codifies its security expectations in formal information-security standards and a state cybersecurity framework that systems must meet.
Who it applies to. State agencies and their IT vendors.
What it requires. The state's Information Security Standards set required controls for state information systems, and the Texas Cybersecurity Framework defines the security objectives agencies — and the vendors building their systems — are expected to satisfy.
Why it matters. Vendors should design to the Texas Cybersecurity Framework and the state's information-security standards, not just contract minimums.
Citation. 1 Tex. Admin. Code § 202 (Information Security Standards); Texas Cybersecurity Framework (TCSF).