From: The Texas Department of Information Resources

TAC 202

First, some background.

Back when it was proposed in 2002, Legacy TAC 202 established a baseline of security standards for Texas state agencies and institutions of higher education.

Setting security standards at the federal level is FISMA, which stands for the Federal Information Security Management Act. FISMA requires federal agencies and their contractors to safeguard their information systems and assets. The National Institute of Standards and Technology, known as NIST, helps develop standards and guidelines for FISMA.

FISMA was updated in 2013.

The committee of state ISOs and others have revised TAC 202 to move it closer to FISMA and NIST 800-53. The Revised TAC covers agency responsibilities and includes a Control Standards Catalog.

The graphic below shows how the Revised TAC 202 aligns more closely with FISMA.

chart displaying how revised TAC 202 aligns with FISMA       The following video and documents offer additional explanation of the Revised TAC 202:

Information about file formats

Since all controls had not yet been implemented when the Revised TAC 202 went into effect in February 2015, DIR is sequencing implementation deadlines according to the NIST priority codes. Only the controls required in Legacy TAC will be required in 2015. The remaining controls will be sequenced according to the chart below:

Implementation Deadlines

Control Standards Catalog

The Control Standards Catalog was initiated by DIR to help state agencies and higher education institutions implement security controls. It specifies the minimum information security requirements that state organizations must employ to provide the appropriate level of security relevant to level of risk. Click to see the new Control Standards Catalog – DOCX (441 KB).

Control Crosswalk

The Control Crosswalk maps Revised TAC 202 to industry standards, regulatory requirements, and compliance mandates. It is meant to relate the controls specified in Revised TAC 202 to other requirements that agencies and higher education institutions may have for protecting information and information systems.

The Control Crosswalk allows you to consolidate a lot of steps. For instance, many agencies must meet state requirements, federal requirements, and even certain industry-specific requirements. With the Control Crosswalk, you’ll be able to see at a glance how those requirements intersect and begin to prioritize your efforts.

Later in 2015, when the Control Crosswalk is integrated into the GRC portal, you’ll be able to input all of the steps you have taken and then, with the click of a button, generate reports showing that you have met state, federal, and industry-specific requirements.

Click here to access the Control Crosswalk.

Rules and Legislation