Texas Security Authority - State Cybersecurity Authority Reference

Texas operates one of the most complex state-level cybersecurity regulatory environments in the United States, governing agencies, critical infrastructure operators, and private entities under a layered framework of statutory mandates and administrative rules. This page documents the scope, mechanisms, and operational boundaries of Texas cybersecurity authority, drawing on named public sources and connecting readers to the broader reference network anchored at the National Cybersecurity Authority hub. Understanding Texas-specific authority matters because the state's size — 254 counties, more than 1,400 local governments, and a GDP exceeding $2 trillion — means that compliance failures here carry outsized national consequence.


Definition and Scope

Texas cybersecurity authority refers to the statutory and administrative powers granted to state agencies — principally the Texas Department of Information Resources (DIR) — to set, enforce, and coordinate cybersecurity standards across public-sector entities and regulated industries. The primary statutory foundation is Texas Government Code, Chapter 2054, which assigns DIR the mandate to establish a statewide cybersecurity framework, conduct risk assessments, and require agencies to report security incidents (Texas Legislature Online, Gov. Code §2054).

The scope of Texas DIR authority covers all state agencies, institutions of higher education, and — under expanded provisions enacted in Senate Bill 820 (87th Legislature, 2021) — local governments and independent school districts. Private-sector entities subject to Texas cybersecurity authority include those operating critical infrastructure sectors defined by the Texas Infrastructure Protection Act and businesses subject to the Texas Identity Theft Enforcement and Protection Act (Business & Commerce Code, Chapter 521).

For national comparative context, readers working across multiple jurisdictions can reference the California Security Authority, which documents how California's CPRA and AB 1280 framework compares structurally, and the New York Security Authority, which covers the NYDFS 23 NYCRR 500 cybersecurity regulation — one of the most prescriptive state-level financial-sector frameworks in the country.

The Texas Security Authority site provides jurisdiction-specific reference documentation covering DIR rulemaking, the Texas Cybersecurity Framework (TCF), and incident-reporting obligations at the state level.

For terminology alignment across jurisdictions, the cybersecurity terminology and definitions reference provides a standardized vocabulary applicable to state-level frameworks including Texas.


How It Works

Texas cybersecurity authority operates through 4 distinct operational layers:

  1. Rulemaking and Standards Adoption — DIR publishes the Texas Cybersecurity Framework, which adapts the NIST Cybersecurity Framework (CSF) 2.0 for state agency use. Agencies are required to perform annual security control assessments against this framework and submit the results to DIR.

  2. Incident Reporting — Under Texas Government Code §2054.1125, state agencies must report cybersecurity incidents to DIR within 48 hours of discovery. DIR then assesses severity and coordinates with the Texas Division of Emergency Management (TDEM) when events meet critical infrastructure thresholds.

  3. Risk Assessment and Audit — DIR conducts Security Control Assessments (SCAs) on a rotating basis. Agencies rated at higher risk tiers face mandatory remediation plans with defined milestones. For an audit-process reference, the Cyber Audit Authority documents how state-level security audits are structured, including evidence collection and finding classification.

  4. Workforce and Training Requirements — SB 475 (86th Legislature, 2019) requires all state employees with access to government information to complete annual cybersecurity training through DIR-approved programs. Failure to comply creates audit findings that can affect an agency's risk classification.

The how cybersecurity works conceptual overview provides a framework-neutral explanation of how these layers interact in practice across public and private sector environments.

The Cloud Compliance Authority documents cloud-specific compliance obligations relevant to Texas state agencies that have migrated workloads to commercial cloud environments, including FedRAMP alignment requirements applicable under Texas cloud procurement policy.

The Network Security Authority covers perimeter and internal network security standards that align with DIR's required security controls for state infrastructure.


Common Scenarios

Texas cybersecurity authority generates operational questions across four recurring scenario categories:

Scenario 1 — State Agency Breach Notification
When a state agency experiences unauthorized access to a system containing sensitive personal information, the 48-hour reporting clock to DIR begins at the point of confirmed discovery, not at the point of initial detection. Parallel obligations may arise under Texas Business & Commerce Code §521.053, which governs breach notification to affected individuals. The Data Security Authority provides a reference framework for breach classification and notification sequencing applicable to Texas public-sector entities.

Scenario 2 — Ransomware Incident Response
Texas experienced one of the most documented multi-entity ransomware events in U.S. history in August 2019, when 22 local government entities were simultaneously attacked. This event triggered activation of the Texas A&M University System Cyber Operations emergency response team under a DIR coordinating role. The Ransomware Authority documents the technical and procedural anatomy of ransomware incidents, including recovery sequencing relevant to Texas local government environments. The Data Recovery Authority addresses the backup restoration and forensic documentation requirements that follow a ransomware containment decision.

Scenario 3 — Cloud Migration Compliance
State agencies migrating to cloud infrastructure must comply with DIR's Cloud Security Guidelines, which require alignment with the NIST SP 800-144 guidance on public cloud security. The Cloud Security Authority covers cloud-specific control sets and shared-responsibility model documentation. The Cloud Defense Authority addresses threat detection architectures for cloud workloads, and the Cloud Backup Authority documents redundancy and retention standards applicable to state data classification tiers.

Scenario 4 — Identity and Access Management
Texas agencies handling regulated data categories — including criminal justice information, health data, and financial records — must implement identity controls aligned with DIR's Identity Management standards. The Identity Security Authority documents authentication tier requirements, and the Identity Protection Authority covers consumer-facing identity protection obligations under Texas Business & Commerce Code Chapter 521. The National Identity Theft Authority provides cross-state comparative reference on identity theft regulatory frameworks.


Decision Boundaries

Understanding where Texas state cybersecurity authority ends and other regulatory frameworks begin is operationally critical. The following classification boundaries define scope edges:

Texas DIR Authority vs. Federal Preemption
DIR authority applies to state agencies and state-funded entities. Federal civilian agencies operating within Texas are governed by FISMA (44 U.S.C. §3551) and NIST SP 800-53 Rev. 5 rather than Texas DIR rules. Entities that receive federal funding — including Texas universities receiving NIH or DOD grants — must also satisfy applicable federal cybersecurity conditions, which may exceed DIR requirements.

Private Sector vs. Public Sector Obligations
Private companies operating in Texas are not subject to DIR rulemaking but may face obligations under:
- Texas Business & Commerce Code Chapter 521 (breach notification, identity theft protections)
- Texas Insurance Code cybersecurity provisions modeled on the NAIC Insurance Data Security Model Law
- Sector-specific overlays, whether federal (HIPAA, GLBA) or contractual (PCI DSS)

The Regulatory Context for Cybersecurity page maps these layered obligations at the national level, providing the structural vocabulary for understanding how Texas-specific rules nest within federal frameworks.

Local Government vs. State Agency
Following SB 820, local governments and school districts gained expanded obligations under DIR authority, but enforcement mechanisms differ from those applied to state agencies. DIR lacks direct penalty authority over local governments but can restrict access to state technology resources. The Florida Security Authority and Miami Security Authority document comparable local-government cybersecurity authority structures in Florida for jurisdictional comparison.

Geographic vs. Topical Authority
Texas DIR authority is geographically bounded but topically comprehensive within its scope. Topically specialized frameworks — such as endpoint security, encryption, and application security — each carry their own standards layers. The Endpoint Security Authority covers device-level control requirements. The Encryption Authority documents data-at-rest and data-in-transit encryption standards, including FIPS 140-3 validation requirements relevant to Texas state systems. The Application Security Authority addresses secure software development lifecycle (SDLC) requirements applicable to state-developed or state-procured applications.
