Follow guidance and follow rubric.

Description

Security personnel are often asked to implement either a baseline set of security controls or augment an existing baseline. 
Before You Get Started
Use the following resources to complete the assignment:
Texas State Department of Information Resources Security Control Standards Catalog, Version 2.0 (January 2022)
NIST SP 800-53r5: Security and Privacy Controls for Information Systems and Organizations

Instructions

State agencies in Texas use the “Texas Department of Information Resources (DIR) Security Control Standards Catalog” document when coming up with a baseline set of security controls. Version 2.0 of this document has 155 baselines from the NIST SP 800-53r5 document with the following breakdown:
LOW (145)
MODERATE (9)
HIGH (1)
This is probably a reasonable “minimum” baseline given the low amount of sensitive data that most state agencies handle.
However, in addition to the “minimum” baselines that the Texas DIR recommends, each state agency can select additional controls or have more stringent baselines or control enhancements.

After reading the webpages associated with the Security Management Practices discussion and skimming the Texas Security Controls catalog and the NIST SP 800-53r5 documents, please answer these three questions:

Should any of the nine (9) moderate or the one (1) high baseline have prevented the Texas Department of Insurance incident? Explain your reasoning.
List the three (3) most important “low” baselines that could have been more stringent to help prevent the TDI incident from happening. Explain your reasoning for choosing the three (3) baselines.
Although we can only speculate on the exact steps the audit took, state three (3) recommendations for testing procedures for state web applications going forward.

Security Control Standards Catalog
Texas Department of Information Resources
Version 2.0
Effective Date: January 20, 2022
Table of Contents
OVERVIEW ..... 1
AC – ACCESS CONTROL ..... 6
AT – AWARENESS AND TRAINING ..... 20
AU – ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT ..... 24
CA – SECURITY ASSESSMENT AND AUTHORIZATION ..... 34
CM – CONFIGURATION MANAGEMENT ..... 43
CP – CONTINGENCY PLANNING ..... 52
IA – IDENTIFICATION AND AUTHENTICATION ..... 61
IR – INCIDENT RESPONSE ..... 71
MA – MAINTENANCE ..... 80
MP – MEDIA PROTECTION ..... 84
PE – PHYSICAL AND ENVIRONMENTAL PROTECTION ..... 88
PL – PLANNING ..... 99
PM – PROGRAM MANAGEMENT ..... 103
PS – PERSONNEL SECURITY ..... 115
RA – RISK ASSESSMENT ..... 123
SA – SYSTEM AND SERVICE ACQUISITION ..... 130
SC – SYSTEM AND COMMUNICATION PROTECTION ..... 140
SI – SYSTEM AND INFORMATION INTEGRITY ..... 151
SR – SUPPLY CHAIN RISK MANAGEMENT ..... 158
OVERVIEW
PURPOSE
The purpose of the Security Control Standards Catalog (catalog) is to provide Texas state
agencies and institutions of higher education (subsequently referred to as state agencies) with
specific guidance for implementing security controls in a format that easily aligns with the
National Institute of Standards and Technology Special Publication 800-53 Revision 5
(NIST 800-53 Revision 5).
Terms and definitions in this catalog are based on NIST, unless otherwise defined by Texas state
statute, rules, or guidelines. For questions concerning terms or definitions, contact DIR Security
email.
APPLICATION OF MORE STRINGENT STANDARDS
This catalog specifies the minimum baselines for required information security controls for all
State of Texas agencies and their information resources. Controls in this catalog are not
exclusively technical in nature and therefore their application is not inherently limited to
information systems.
Each state agency should select and apply any additional security controls, control baselines, or
control enhancements for information resources or scenarios where an elevated security posture
is required to mitigate risks identified by the agency.
For systems that store, process, or transmit confidential and/or information subject to other
security regulatory requirements, additional security controls or control baselines should be
selected and applied commensurate with the level of risk and confidentiality, integrity, and
availability requirements of the system.
The agency head may employ standards for the cost-effective information security of
information and information resources within or under the supervision of that state agency that
are more stringent than the standards the department prescribes within this catalog if the more
stringent standards:
(1) contain at least the applicable standards issued by the department; or
(2) are consistent with applicable federal law, policies and guidelines issued under state rule,
industry standards, best practices, or deemed necessary to adequately protect the information
held by the agency.
For more information related to information security requirements for state agencies, refer to 1
Texas Administrative Code Chapter 202, concerning Information Security Standards.
Texas Department of Information Resources
1
DOCUMENT LIFECYCLE
DIR works with representatives from state agencies to review and develop the controls
necessary to maintain reasonable security measures to protect state resources.
Prior to publishing new or revised standards, DIR will solicit comments on new controls from
Information Resources Managers and Information Security Officers of state agencies.
REVISION HISTORY
Version | Date       | Change Description
0.1     | 3/23/2014  | Released Draft Version 0.1
1.0     | 10/22/2014 | Released Draft Version 1.0
1.1     | 3/17/2015  | Released Final Version 1.0
1.2     | 4/3/2015   | Corrected date on cover; added missing legacy TAC referenced in Appendix A; ensured pdf is fully searchable
1.3     | 2/26/2016  | Modified or corrected examples for AC-23, AC-24, AC-25, AR-5, CM-8, PM-7; corrected TAC 202 reference in PL-1, SC-13; Added Program Management Controls to Appendix A
2.0     | 1/20/2022  | DIR Board approval of Version 2.0. Control language updated to align with NIST SP 800-53 Revision 5; Introduction of New SR control family.
RISK EXCEPTIONS
Any exception to the following controls shall be approved, justified, and documented in
accordance with 1 Texas Administrative Code Chapter 202.
PRIVACY CONTROLS
While NIST 800-53 Revision 5 took substantial steps to integrate security and privacy
requirements, this catalog has not adopted privacy-specific control families. Security-focused
controls may include privacy-related components, but the defined privacy control families are
not included within this catalog. State agencies should work with the employees or divisions
responsible for privacy-related requirements to determine the appropriate privacy activities and
controls for the needs of their state agency.
For more information on the NIST SP 800-53 Privacy Baseline and Controls, refer to
https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/releasesearch#!/controls?version=5.1&privacy_baseline=Yes
REQUIRED IMPLEMENTATION DATES
Each control in this catalog contains a required by date that indicates when the control must be
implemented by each agency. Required by dates were selected based on the following
characteristics of the control changes.
New Controls
Controls that were not required in the previous iteration of the DIR Control Standards Catalog
that have been adopted in this revision are required to be in place no later than 18 months after
the adoption of this catalog.
Existing Controls with More than Administrative Changes
Controls that were required in the previous iteration of the DIR Control Standards Catalog that
have been updated with more than editorial/administrative changes (i.e. require additional or
modified implementation activities) are required to be in place no later than 18 months after the
adoption of this catalog.
Existing Controls with Administrative or Nonsubstantial Changes
Controls that were required in the previous iteration of the DIR Control Standards Catalog that
have been updated with nonsubstantial revisions are required to be in place no later than 12
months after the adoption of this catalog.
NUMBER OF CONTROLS BY FAMILY
ID | Control Family                             | Number of Controls/Enhancements
AC | Access Control                             | 13
AT | Awareness and Training                     | 4
AU | Accountability, Audit, and Risk Management | 10
CA | Security Assessment and Authorization      | 9
CM | Configuration Management                   | 9
CP | Contingency Planning                       | 8
IA | Identification and Authentication          | 10
IR | Incident Response                          | 9
MA | Maintenance                                | 4
MP | Media Protection                           | 4
PE | Physical and Environmental Protection      | 11
PL | Planning                                   | 3
PM | Program Management                         | 12
PS | Personnel Security                         | 8
RA | Risk Assessment                            | 6
SA | System and Service Acquisition             | 10
SC | System and Communication Protection        | 11
SI | System and Information Integrity           | 7
SR | Supply Chain Risk Management               | 6
   | Total                                      | 154
CONTROL DETAILS AND SAMPLE FORMAT
Each control group is organized under its group identification code and title, e.g., AC – ACCESS
CONTROL
Information about each control is presented in the following format.
[Control ID] [Control Name]
NIST BASELINE: This is the NIST baseline associated with the respective control. This is an
informational field only. The DIR Security Control Standards Catalog does not contain distinct
baselines. As such, agencies should determine whether additional controls or control baselines
are appropriate for a given information system.
PRIVACY BASELINE: This field indicates whether the control is part of the NIST 800-53 Revision
5 Privacy Baseline. This is an informational field only.
NEW REQUIREMENT: This field indicates whether the control is a new requirement of the DIR
Security Control Standards Catalog.
REQUIRED BY: This field indicates the date by which the control must be in place by the agency.
Agencies shall maintain compliance with the prior version of the control standards catalog until
the control description indicated in this catalog has been implemented.
STATE IMPLEMENTATION DETAILS: This field provides Texas-specific guidance or additional
requirements that apply to the control and must be incorporated into the implementation of the
control.
AC – ACCESS CONTROL
AC-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the access control policy and the
associated access controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
AC-2 | ACCOUNT MANAGEMENT
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Define and document the types of accounts allowed for use within the system;
b. Assign account managers;
c. Establish conditions for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes
(as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to
create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment:
organization-defined policy, procedures, and conditions];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time-period] when accounts are no longer
required;
2. [Assignment: organization-defined time-period] when users are terminated or
transferred; and
3. [Assignment: organization-defined time-period] when system usage or need-to-know
changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment:
organization-defined frequency];
k. Establish and implement a process for changing shared or group account credentials (if
deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.
STATE IMPLEMENTATION DETAILS
Confidential information shall be accessible only to authorized users. An information file or
record containing any confidential information shall be identified, documented, and protected in
its entirety. Information resources assigned from or shared between one state agency to another
or from or between a state agency to a contractor or other third party shall be protected in
accordance with the conditions imposed by the providing state agency at a minimum.
AC-3 | ACCESS ENFORCEMENT
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Enforce approved authorizations for logical access to information and system resources in
accordance with applicable access control policies.
STATE IMPLEMENTATION DETAILS
1. Access to state information resources shall be appropriately managed.
2. Each user of information resources shall be assigned a unique identifier except for situations
where risk analysis demonstrates no need for individual accountability of users. User
identification shall be authenticated before the information resources system may grant that
user access.
AC-5 | SEPARATION OF DUTIES
NIST BASELINE: Moderate
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Identify and document [Assignment: organization-defined duties of individuals requiring
separation]; and
b. Define system access authorizations to support separation of duties.
STATE IMPLEMENTATION DETAILS
N/A
AC-6 | LEAST PRIVILEGE
NIST BASELINE: Moderate
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Employ the principle of least privilege, allowing only authorized accesses for users (or processes
acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
STATE IMPLEMENTATION DETAILS
N/A
AC-7 | UNSUCCESSFUL LOGON ATTEMPTS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon
attempts by a user during a [Assignment: organization-defined time-period]; and
b. Automatically [Selection (one or more): lock the account or node for an [Assignment:
organization-defined time-period]; lock the account or node until released by an administrator;
delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system
administrator; take other [Assignment: organization-defined action]] when the maximum number
of unsuccessful attempts is exceeded.
STATE IMPLEMENTATION DETAILS
1. As technology permits, state agencies should enforce account lockouts after, at minimum, 10
failed attempts. This threshold may be lowered for Moderate or High risk systems.
2. Accounts locked out due to multiple incorrect logon attempts should stay locked out for a
minimum of 15 minutes. Accounts for Moderate or High risk systems should remain locked until
reset by an administrator.
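The state implementation details above give concrete numbers (lock after at minimum 10 failed attempts, keep the lock for at least 15 minutes, administrator reset for Moderate or High risk systems). The following is an added example, not DIR code, that turns those numbers into an enforcement routine. The 15-minute counting window, the lowered threshold of 5 failures for Moderate/High systems, and all class, function and account names are assumptions of this example.

```python
"""Account lockout enforcement following AC-7 and the Texas DIR state
implementation details: lock after at minimum 10 consecutive failures,
keep the lock for at least 15 minutes, and require an administrator
reset on Moderate or High risk systems.

Added example, not DIR code. The 15-minute counting window, the lowered
threshold of 5 for Moderate/High systems, and all names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 10                      # DIR: at minimum 10 failed attempts
    window: timedelta = timedelta(minutes=15)   # assumed: failures counted within 15 min
    lockout: timedelta = timedelta(minutes=15)  # DIR: locked for a minimum of 15 minutes
    admin_reset_only: bool = False              # DIR: Moderate/High stay locked until reset

    @classmethod
    def for_risk(cls, risk: str) -> "LockoutPolicy":
        """Moderate/High risk systems get a lower threshold (assumed 5) and admin-only reset."""
        if risk.lower() in ("moderate", "high"):
            return cls(max_failures=5, admin_reset_only=True)
        return cls()


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failed-attempt times
    locked_until: Optional[datetime] = None                 # expiry of a timed lock
    admin_locked: bool = False                              # cleared only by admin_unlock


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        s = self._state(user)
        if s.admin_locked:
            return True
        return s.locked_until is not None and now < s.locked_until

    def record_attempt(self, user: str, success: bool, now: datetime) -> str:
        """Apply one logon attempt; returns 'locked', 'ok' or 'failed'.

        A locked account rejects even a correct password, so the lockout period
        cannot be cut short by a lucky guess during the lock."""
        s = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if success:
            s.failures.clear()
            s.locked_until = None
            return "ok"
        # keep only failures inside the counting window, then add this one
        s.failures = [t for t in s.failures if now - t < self.policy.window]
        s.failures.append(now)
        if len(s.failures) >= self.policy.max_failures:
            if self.policy.admin_reset_only:
                s.admin_locked = True
            else:
                s.locked_until = now + self.policy.lockout
            s.failures.clear()
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Administrator reset, the only release path on Moderate/High risk systems."""
        s = self._state(user)
        s.admin_locked = False
        s.locked_until = None
        s.failures.clear()


def simulate(risk: str) -> List[str]:
    """Replay a constructed attempt sequence against the policy for the given
    risk level and return the per-attempt outcomes."""
    t0 = datetime(2022, 1, 20, 9, 0, tzinfo=timezone.utc)  # constructed clock start
    tracker = LockoutTracker(LockoutPolicy.for_risk(risk))
    outcomes = []
    for i in range(10):  # ten wrong passwords, one second apart
        outcomes.append(tracker.record_attempt("jdoe", False, t0 + timedelta(seconds=i)))
    # correct password 5 minutes later (still inside the lock), then at 16 minutes
    outcomes.append(tracker.record_attempt("jdoe", True, t0 + timedelta(minutes=5)))
    outcomes.append(tracker.record_attempt("jdoe", True, t0 + timedelta(minutes=16)))
    tracker.admin_unlock("jdoe")  # administrator reset, then a correct password
    outcomes.append(tracker.record_attempt("jdoe", True, t0 + timedelta(minutes=17)))
    return outcomes


if __name__ == "__main__":
    print("low:     ", simulate("low"))
    print("moderate:", simulate("moderate"))
```

On the Low policy the tenth failure locks the account, the correct password at 5 minutes is still rejected, and the one at 16 minutes succeeds because the 15-minute lock has expired. On the Moderate policy the fifth failure locks the account and nothing short of the administrator reset reopens it.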
AC-8 | SYSTEM USE NOTIFICATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Display [Assignment: organization-defined system use notification message or banner] to
users before granting access to the system that provides privacy and security notices consistent
with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines
and state that:
1. Users are accessing a U.S. Government or State of Texas Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil
penalties; and
4. Use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage
conditions and take explicit actions to log on to or further access the system; and
c. For publicly accessible systems:
1. Display system use information [Assignment: organization-defined conditions] before
granting further access to the publicly accessible system;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with
privacy accommodations for such systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.
STATE IMPLEMENTATION DETAILS
System Identification/Logon Banner. System identification/logon banners shall have warning
statements that include the following topics:
– Unauthorized use is prohibited;
– Usage may be subject to security testing and monitoring;
– Misuse is subject to criminal prosecution; and
– Users have no expectation of privacy except as otherwise provided by applicable privacy laws.
AC-14 | PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Identify [Assignment: organization-defined user actions] that can be performed on the system
without identification or authentication consistent with organizational missions and business
functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions
not requiring identification or authentication.
STATE IMPLEMENTATION DETAILS
N/A
AC-17 | REMOTE ACCESS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Establish and document usage restrictions, configuration/connection requirements, and
implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.
STATE IMPLEMENTATION DETAILS
N/A
AC-18 | WIRELESS ACCESS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Establish configuration requirements, connection requirements, and implementation guidance
for each type of wireless access; and
b. Authorize each type of wireless access to the system prior to allowing such connections.
STATE IMPLEMENTATION DETAILS
State agencies shall establish the requirements and security restrictions for installing or
providing access to the state agency’s information resources systems. The wireless policy shall
address the following topic areas:
1. Wireless Local Area Networks. Ensure that Service Set Identifiers (SSID) values are changed
from the manufacturer default setting. Some networks should not include organizational or
location information in the SSID.
2. Transmitting and Encrypting Information. Types of information that may be transmitted via
wireless networks and devices with or without encryption including mission critical information
or sensitive personal information.
State agencies shall not transmit confidential information via a wireless connection to or from a
portable computing device unless encryption methods, such as a Virtual Private Network (VPN),
Wi-Fi Protected Access, or other secure encryption protocols that meet appropriate protection
or certification standards as detailed within this Security Control Standards Catalog, are used to
protect the information.
3. Installation or Use of Wireless Personal Area Networks. Prohibit and periodically monitor any
unauthorized installation or use of Wireless Personal Area Networks on state agency IT systems
by individuals without the approval of the state agency information resources manager.
AC-19 | ACCESS CONTROL FOR MOBILE DEVICES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Establish configuration requirements, connection requirements, and implementation guidance
for organization-controlled mobile devices, to include when such devices are outside of
controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.
STATE IMPLEMENTATION DETAILS
N/A
AC-20 | USE OF EXTERNAL SYSTEMS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Establish [Selection (one or more): [Assignment: organization-defined terms and conditions];
[Assignment: organization-defined controls asserted to be implemented on external systems]],
consistent with the trust relationships established with other organizations owning, operating,
and/or maintaining external systems, allowing authorized individuals to:
a. Access the system from external systems; and
b. Process, store, or transmit organization-controlled information using external systems.
STATE IMPLEMENTATION DETAILS
N/A
AC-22 | PUBLICLY ACCESSIBLE CONTENT
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain
nonpublic information;
c. Review the proposed content of information prior to posting onto the publicly accessible
system to ensure that nonpublic information is not included; and
d. Review the content on the publicly accessible system for nonpublic information [Assignment:
organization-defined frequency] and remove such information, if discovered.
STATE IMPLEMENTATION DETAILS
N/A
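AC-22 c and d require proposed and already-posted public content to be reviewed for nonpublic information. The following is an added example, not DIR code, of an automated pre-publication check that supports that human review: it scans a draft for patterns that should never appear on a public site and withholds approval when any are found. The pattern set (SSN format, Luhn-validated 16-digit card numbers, internal handling markers), the marker wording, and the sample drafts are assumptions constructed for this example.

```python
"""Pre-publication review for nonpublic information (AC-22 c/d).

Added example, not DIR code; the pattern set, the marker wording and the
sample drafts are assumptions constructed for illustration."""
import re
from typing import Dict, List

PATTERNS = {
    # U.S. SSN layout with structurally invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 16 digits, optionally space- or dash-separated; confirmed with Luhn below
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    # internal handling markers that must not reach a public page (assumed wording)
    "classification_marker": re.compile(
        r"\b(?:CONFIDENTIAL|INTERNAL USE ONLY|DO NOT DISTRIBUTE)\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: a 16-digit string that fails it is most likely a
    reference number rather than a payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_nonpublic(text: str) -> Dict[str, List[str]]:
    """Map each pattern name to the values found in the text (only non-empty hits)."""
    findings: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # 16 digits that fail Luhn: treat as an ordinary identifier
            findings.setdefault(name, []).append(value)
    return findings


def review_for_posting(text: str) -> Dict[str, object]:
    """AC-22 c: approve only content with no nonpublic findings; the findings
    are returned so the reviewer can redact the exact values rather than guess."""
    findings = find_nonpublic(text)
    return {"approved": not findings, "findings": findings}


# Constructed drafts. The card number is a well-known test value, not real data.
CLEAN_DRAFT = "Office hours are 8-5. Quote your reference ID 1234567890123456 when calling."
LEAKY_DRAFT = ("Claimant SSN 123-45-6789 paid with card 4111 1111 1111 1111. "
               "INTERNAL USE ONLY - remove before posting.")

if __name__ == "__main__":
    for draft in (CLEAN_DRAFT, LEAKY_DRAFT):
        print(review_for_posting(draft))
```

The Luhn step is what keeps the check usable: a 16-digit reference number in the clean draft matches the card regex but fails the check digit and is not reported, while the test card number in the leaky draft is. Pattern matching of this kind is a safety net behind the trained reviewer that AC-22 b requires, not a replacement for that review.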
AT – AWARENESS AND TRAINING
AT-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] awareness and training policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the awareness and training policy and the
associated awareness and training controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the awareness and training policy and procedures;
and
c. Review and update the current awareness and training:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
Security awareness training shall be delivered in accordance with Texas Government Code §
2054.519.
AT-2 | AWARENESS TRAINING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Provide security and privacy awareness training to system users (including managers, senior
executives, and contractors):
1. As part of initial training for new users and [Assignment: organization-defined
frequency] thereafter; and
2. When required by system changes; and
b. Update awareness training [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
Security awareness training shall be delivered in accordance with Texas Government Code §
2054.519.
AT-3 | ROLE-BASED TRAINING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Provide role-based security and privacy training to personnel with the following roles and
responsibilities: [Assignment: organization-defined roles and responsibilities]:
1. Before authorizing access to the system, information, or performing assigned duties,
and [Assignment: organization-defined frequency] thereafter; and
2. When required by system changes; and
b. Update role-based training [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
Security awareness training shall be delivered in accordance with Texas Government Code §
2054.519.
AT-4 | TRAINING RECORDS
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Document and monitor information security and privacy training activities, including security
and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for [Assignment: organization-defined time-period].
STATE IMPLEMENTATION DETAILS
Security awareness training shall be delivered in accordance with Texas Government Code §
2054.519.
AU – ACCOUNTABILITY, AUDIT, AND RISK MANAGEMENT
AU-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] audit and accountability policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the audit and accountability policy and
the associated audit and accountability controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the audit and accountability policy and procedures; and
c. Review and update the current audit and accountability:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
AU-2 | EVENT LOGGING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Identify the types of events that the system is capable of logging in support of the audit
function: [Assignment: organization-defined event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2 a.) along with the frequency of
(or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate
to support after-the-fact investigations of incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined
frequency].
STATE IMPLEMENTATION DETAILS
Information resources systems shall provide the means whereby authorized personnel have the
ability to audit and establish individual accountability for any action that can potentially cause
access to, generation or modification of, or affect the release of confidential information.
Appropriate audit trails shall be maintained to provide accountability for updates to mission
critical information, hardware and software, and for all changes to automated security or access
rules.
Based upon a state agency’s assessment of the risk, the state agency shall maintain a sufficiently
complete history of transactions to permit an audit of the information resources system by
logging and tracing the activities of individuals through the system.
AU-3 | CONTENT OF AUDIT RECORDS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.
STATE IMPLEMENTATION DETAILS
N/A
AU-4 | AUDIT LOG STORAGE CAPACITY
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit
log retention requirements].
STATE IMPLEMENTATION DETAILS
N/A
AU-5 | RESPONSE TO AUDIT LOGGING PROCESS FAILURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time-period] in the event of an audit logging process failure; and
b. Take the following additional actions: [Assignment: organization-defined additional actions].
STATE IMPLEMENTATION DETAILS
N/A
AU-6 | AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Review and analyze system audit records [Assignment: organization-defined frequency] for
indications of [Assignment: organization-defined inappropriate or unusual activity];
b. Report findings to [Assignment: organization-defined personnel or roles]; and
c. Adjust the level of audit record review, analysis, and reporting within the system when there is
a change in risk based on law enforcement information, intelligence information, or other
credible sources of information.
STATE IMPLEMENTATION DETAILS
N/A
AU-8 | TIME STAMPS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Use internal system clocks to generate time stamps for audit records; and
b. Record time stamps for audit records that meet [Assignment: organization-defined granularity
of time measurement] and that use Coordinated Universal Time, have a fixed local time offset
from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
STATE IMPLEMENTATION DETAILS
N/A
AU-9 | PROTECTION OF AUDIT INFORMATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Protect audit information and audit logging tools from unauthorized access, modification, and
deletion.
STATE IMPLEMENTATION DETAILS
N/A
AU-11 | AUDIT RECORD RETENTION
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Retain audit records for [Assignment: organization-defined time-period consistent with records
retention policy] to provide support for after-the-fact investigations of incidents and to meet
regulatory and organizational information retention requirements.
STATE IMPLEMENTATION DETAILS
N/A
AU-12 | AUDIT RECORD GENERATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Provide audit record generation capability for the event types the system is capable of
auditing as defined in AU-2a on [Assignment: organization-defined system components];
b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are
to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record
content defined in AU-3.
STATE IMPLEMENTATION DETAILS
N/A
CA – SECURITY ASSESSMENT AND AUTHORIZATION
CA-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] assessment, authorization, and monitoring policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the assessment, authorization, and
monitoring policy and the associated assessment, authorization, and monitoring
controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the assessment, authorization, and monitoring policy and
procedures; and
c. Review and update the current assessment, authorization, and monitoring:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CA-2 | CONTROL ASSESSMENTS
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Ensure the control assessment plan is reviewed and approved by the authorizing official or
designated representative prior to conducting the assessment;
c. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting established
security and privacy requirements;
d. Produce a control assessment report that documents the results of the assessment; and
e. Provide the results of the control assessment to [Assignment: organization-defined individuals
or roles].
STATE IMPLEMENTATION DETAILS
A review of the agency’s information security program for compliance with these standards will
be performed at least biennially, based on business risk management decisions, by individual(s)
independent of the information security program and designated by the agency head or his or
her designated representative(s).
CA-3 | INFORMATION EXCHANGE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Approve and manage the exchange of information between the system and other systems
using [Selection (one or more)]: interconnection security agreements; information exchange
security agreements; memoranda of understanding or agreement; service level agreements; user
agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement];
b. Document, as part of each exchange agreement, the interface characteristics, security and
privacy requirements, controls, and responsibilities for each system, and the impact level of the
information communicated; and
c. Review and update the agreements [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CA-5 | PLAN OF ACTION AND MILESTONES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Develop a plan of action and milestones for the system to document the planned remediation
actions of the organization to correct weaknesses or deficiencies noted during the assessment
of the controls and to reduce or eliminate known vulnerabilities in the system; and
b. Update existing plan of action and milestones [Assignment: organization-defined frequency]
based on the findings from control assessments, audits, and continuous monitoring activities.
STATE IMPLEMENTATION DETAILS
N/A
CA-6 | AUTHORIZATION
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Assign a senior official as the authorizing official for the system;
b. Assign a senior official as the authorizing official for common controls available for
inheritance by organizational systems;
c. Ensure that the authorizing official for the system, before commencing operations:
1. Accepts the use of common controls inherited by the system; and
2. Authorizes the system to operate;
d. Ensure that the authorizing official for common controls authorizes the use of those controls
for inheritance by organizational systems;
e. Update the authorizations [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CA-7 | CONTINUOUS MONITORING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Develop a system-level continuous monitoring strategy and implement continuous monitoring
in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment:
organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the
continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring
information; and
g. Reporting the security and privacy status of the system to [Assignment: organization-defined
personnel or roles] [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CA-7 (4) CONTINUOUS MONITORING | RISK MONITORING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes
the following:
(a) Effectiveness monitoring;
(b) Compliance monitoring; and
(c) Change monitoring.
STATE IMPLEMENTATION DETAILS
N/A
CA-8 | PENETRATION TESTING
NIST BASELINE: High
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment:
organization-defined systems or system components].
STATE IMPLEMENTATION DETAILS
Texas Government Code § 2054.516(a)(2) requires each state agency implementing an Internet
website or mobile application that processes any sensitive personal or personally identifiable
information or confidential information to subject the website or application to a vulnerability
and penetration test and address any vulnerability identified in the test.
CA-9 | INTERNAL SYSTEM CONNECTIONS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Authorize internal connections of [Assignment: organization-defined system components or
classes of components] to the system;
b. Document, for each internal connection, the interface characteristics, security and privacy
requirements, and the nature of the information communicated;
c. Terminate internal system connections after [Assignment: organization-defined conditions];
and
d. Review [Assignment: organization-defined frequency] the continued need for each internal
connection.
STATE IMPLEMENTATION DETAILS
N/A
CM – CONFIGURATION MANAGEMENT
CM-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] configuration management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the configuration management policy
and the associated configuration management controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the configuration management policy and procedures;
and
c. Review and update the current configuration management:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CM-2 | BASELINE CONFIGURATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and maintain under configuration control, a current baseline
configuration of the system; and
b. Review and update the baseline configuration of the system:
1. [Assignment: organization-defined frequency];
2. When required due to [Assignment: organization-defined circumstances];
and
3. When system components are installed or upgraded.
STATE IMPLEMENTATION DETAILS
N/A
CM-4 | IMPACT ANALYSES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Analyze changes to the system to determine potential security and privacy impacts prior to
change implementation.
STATE IMPLEMENTATION DETAILS
All security-related information resources changes shall be approved by the information owner
through a change control process.
Approval shall occur prior to implementation by the state agency or independent contractors.
CM-5 | ACCESS RESTRICTIONS FOR CHANGE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Define, document, approve, and enforce physical and logical access restrictions associated with
changes to the system.
STATE IMPLEMENTATION DETAILS
N/A
CM-6 | CONFIGURATION SETTINGS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Establish and document configuration settings for components employed within the system
using [Assignment: organization-defined common secure configurations] that reflect the most
restrictive mode consistent with operational requirements;
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for
[Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational
policies and procedures.
STATE IMPLEMENTATION DETAILS
N/A
CM-7 | LEAST FUNCTIONALITY
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Configure the system to provide only [Assignment: organization-defined mission essential
capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or
services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols,
software, and/or services].
STATE IMPLEMENTATION DETAILS
N/A
CM-8 | SYSTEM COMPONENT INVENTORY
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes the following information to achieve system component accountability:
[Assignment: organization-defined information deemed necessary to achieve effective
system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined
frequency].
STATE IMPLEMENTATION DETAILS
N/A
CM-10 | SOFTWARE USAGE RESTRICTIONS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Use software and associated documentation in accordance with contract agreements and
copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to
control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this
capability is not used for the unauthorized distribution, display, performance, or reproduction of
copyrighted work.
STATE IMPLEMENTATION DETAILS
N/A
CM-11 | USER-INSTALLED SOFTWARE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Establish [Assignment: organization-defined policies] governing the installation of software by
users;
b. Enforce software installation policies through the following methods: [Assignment:
organization-defined methods]; and
c. Monitor policy compliance [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
CP – CONTINGENCY PLANNING
CP-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] contingency planning policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the contingency planning policy and
the associated contingency planning controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the contingency planning policy and procedures; and
c. Review and update the current contingency planning:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
State agencies shall maintain written Continuity of Operations Plans in compliance with Texas
Labor Code § 412.054 that address information resources so that the effects of a disaster will be
minimized and the state agency will be able either to maintain or quickly resume mission-critical
functions.
CP-2 | CONTINGENCY PLAN
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop a contingency plan for the system that:
1. Identifies essential missions and business functions and associated contingency
requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact
information;
4. Addresses maintaining essential missions and business functions despite a system
disruption, compromise, or failure;
5. Addresses eventual, full system restoration without deterioration of the controls
originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to [Assignment: organization-defined key
contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system [Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment
of operation and problems encountered during contingency plan implementation, execution, or
testing;
f. Communicate contingency plan changes to [Assignment: organization-defined key
contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protect the contingency plan from unauthorized disclosure and modification.
STATE IMPLEMENTATION DETAILS
The plan shall be distributed to key personnel and a copy stored offsite. Elements of the plan for
information resources shall include:
a. Business Impact Analysis to systematically assess the potential impacts of a loss of business
functionality due to an interruption of computing and/or infrastructure support services
resulting from various events or incidents. The analysis shall identify the following elements:
1. Mission-Critical Information Resources (specific system resources required to perform
critical functions) to include:
A. Internal and external points of contact for personnel that provide or receive
data or support interconnected systems.
B. Supporting infrastructure such as electric power, telecommunications
connections, and environmental controls.
2. Disruption impacts and allowable outage times to include:
A. Effects of an outage over time to assess the maximum allowable time that a
resource may be denied before it prevents or inhibits the performance of an
essential function.
B. Effects of an outage across related resources and dependent systems to assess
cascading effects on associated systems or processes.
3. Recovery priorities that consider geographic areas, accessibility, security, environment,
and cost and may include a combination of:
A. Preventative controls and processes such as backup power, excess capacity,
environmental sensors and alarms.
B. Recovery techniques and technologies such as backup methodologies,
alternate sites, software and hardware equipment replacement, implementation
roles and responsibilities.
b. Risk Assessment to weigh the cost of implementing preventative measures against the risk of
loss from not taking action.
c. Implementation, testing, and maintenance management program addressing the initial and
ongoing testing and maintenance activities of the plan.
d. Disaster Recovery Plan–Each state agency shall maintain a written disaster recovery plan for
major or catastrophic events that deny access to information resources for an extended period.
Information learned from tests conducted since the plan was last updated will be used in
updating the disaster recovery plan. The disaster recovery plan will:
1. Contain measures which address the impact and magnitude of loss or harm that will
result from an interruption;
2. Identify recovery resources and a source for each;
3. Contain step-by-step implementation instructions;
4. Include provisions for annual testing.
CP-3 | CONTINGENCY TRAINING
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Provide contingency training to system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time-period] of assuming a contingency role or
responsibility;
b. When required by system changes; and
c. [Assignment: organization-defined frequency] thereafter.
STATE IMPLEMENTATION DETAILS
N/A
CP-4 | CONTINGENCY PLAN TESTING
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Test the contingency plan for the system [Assignment: organization-defined frequency] using
the following tests to determine the effectiveness of the plan and the readiness to execute the
plan: [Assignment: organization-defined tests];
b. Review the contingency plan test results; and
c. Initiate corrective actions, if needed.
STATE IMPLEMENTATION DETAILS
Each state agency’s written disaster recovery plan shall include provisions for annual testing.
CP-6 | ALTERNATE STORAGE SITE
NIST BASELINE: Moderate
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Establish an alternate storage site, including necessary agreements to permit the storage and
retrieval of system backup information; and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
STATE IMPLEMENTATION DETAILS
Mission-critical information shall be backed up on a scheduled basis and stored off site in a
secure, environmentally safe, locked facility accessible only to authorized state agency
representatives.
CP-9 | SYSTEM BACKUP
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Conduct backups of user-level information contained in [Assignment: organization-defined
system components] [Assignment: organization-defined frequency consistent with recovery time
and recovery point objectives];
b. Conduct backups of system-level information contained in the system [Assignment:
organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conduct backups of system documentation, including security and privacy-related
documentation [Assignment: organization-defined frequency consistent with recovery time and
recovery point objectives]; and
d. Protect the confidentiality, integrity, and availability of backup information.
STATE IMPLEMENTATION DETAILS
N/A
CP-10 | SYSTEM RECOVERY AND RECONSTITUTION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Provide for the recovery and reconstitution of the system to a known state within [Assignment:
organization-defined time-period consistent with recovery time and recovery point objectives]
after a disruption, compromise, or failure.
STATE IMPLEMENTATION DETAILS
N/A
CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Provide the capability to employ [Assignment: organization-defined alternative communications
protocols] in support of maintaining continuity of operations.
STATE IMPLEMENTATION DETAILS
N/A
IA – IDENTIFICATION AND AUTHENTICATION
IA-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] identification and authentication policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the identification and authentication
policy and the associated identification and authentication controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the identification and authentication policy and
procedures; and
c. Review and update the current identification and authentication:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Uniquely identify and authenticate organizational users and associate that unique identification
with processes acting on behalf of those users.
STATE IMPLEMENTATION DETAILS
Each user of information resources shall be assigned a unique identifier except for situations
where risk analysis demonstrates no need for individual accountability of users. User
identification shall be authenticated before the information resources system may grant that
user access.
IA-2 (1) | MULTIFACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Implement multifactor authentication for access to privileged accounts for [organization-defined
information systems or system categorizations].
STATE IMPLEMENTATION DETAILS
N/A
IA-2 (2) | MULTIFACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Implement multifactor authentication for access to non-privileged accounts for selection
[organization-defined systems; organization-defined system categorizations].
STATE IMPLEMENTATION DETAILS
N/A
IA-4 | IDENTIFIER MANAGEMENT
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Manage system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign
an individual, group, role, service, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, service, or device;
c. Assigning the identifier to the intended individual, group, role, service, or device; and
d. Preventing reuse of identifiers for [Assignment: organization-defined time-period].
STATE IMPLEMENTATION DETAILS
A user’s access authorization shall be appropriately modified or removed when the user’s
employment or job responsibilities within the state agency change.
IA-5 | AUTHENTICATOR MANAGEMENT
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Manage system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group,
role, service, or device receiving the authenticator;
b. Establishing initial authenticator content for any authenticators issued by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution,
for lost or compromised or damaged authenticators, and for revoking authenticators;
e. Establishing minimum and maximum lifetime restrictions and reuse conditions for
authenticators;
f. Changing default authenticators prior to first use;
g. Changing or refreshing authenticators [Assignment: organization-defined time-period by
authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific controls to protect
authenticators; and
j. Changing authenticators for group or role accounts when membership to those accounts
changes.
STATE IMPLEMENTATION DETAILS
N/A
IA-6 | AUTHENTICATOR FEEDBACK
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Obscure feedback of authentication information during the authentication process to protect
the information from possible exploitation and use by unauthorized individuals.
STATE IMPLEMENTATION DETAILS
N/A
IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Implement mechanisms for authentication to a cryptographic module that meet the
requirements of applicable laws, executive orders, directives, policies, regulations, standards, and
guidelines for such authentication.
STATE IMPLEMENTATION DETAILS
N/A
IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Uniquely identify and authenticate non-organizational users or processes acting on behalf of
non-organizational users.
STATE IMPLEMENTATION DETAILS
N/A
IA-11 | RE-AUTHENTICATION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Require users to re-authenticate when [Assignment: organization-defined circumstances or
situations requiring re-authentication].
STATE IMPLEMENTATION DETAILS
N/A
IR – INCIDENT RESPONSE
IR-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] incident response policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the incident response policy and the
associated incident response controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the incident response policy and procedures; and
c. Review and update the current incident response:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
State agencies shall assess the significance of a security incident based upon the business
impact on the affected resources and the current and potential technical effect of the incident,
e.g., loss of revenue, productivity, access to services, reputation, unauthorized disclosure of
confidential information, or propagation to other networks.
IR-2 | INCIDENT RESPONSE TRAINING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Provide incident response training to system users consistent with assigned roles and
responsibilities:
a. Within [Assignment: organization-defined time-period] of assuming an incident response role
or responsibility or acquiring system access;
b. When required by system changes; and
c. [Assignment: organization-defined frequency] thereafter.
STATE IMPLEMENTATION DETAILS
The state agency trains personnel in their incident response roles and responsibilities with
respect to the information system and provides refresher training at least annually.
IR-3 | INCIDENT RESPONSE TESTING
NIST BASELINE: Moderate
PRIVACY BASELINE: Yes
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Test the effectiveness of the incident response capability for the system [Assignment:
organization-defined frequency] using the following tests: [Assignment: organization-defined
tests].
STATE IMPLEMENTATION DETAILS
N/A
IR-4 | INCIDENT HANDLING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Implement an incident handling capability for incidents that is consistent with the incident
response plan and includes preparation, detection and analysis, containment, eradication, and
recovery;
b. Coordinate incident handling activities with contingency planning activities;
c. Incorporate lessons learned from ongoing incident handling activities into incident response
procedures, training, and testing, and implement the resulting changes accordingly; and
d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable
and predictable across the organization.
STATE IMPLEMENTATION DETAILS
N/A
IR-5 | INCIDENT MONITORING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Track and document security, privacy, and supply chain incidents.
STATE IMPLEMENTATION DETAILS
N/A
IR-6 | INCIDENT REPORTING
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Require personnel to report suspected security, privacy, and supply chain incidents to the
organizational incident response capability within [Assignment: organization-defined time-period]; and
b. Report security, privacy, and supply chain incident information to [Assignment: organization-defined authorities].
STATE IMPLEMENTATION DETAILS
Reporting of security incidents and the investigation and restoration of operations following a
security incident assessed to involve suspected criminal activity shall comply with 1 Texas
Administrative Code § 202.23(b).
IR-7 | INCIDENT RESPONSE ASSISTANCE
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Provide an incident response support resource, integral to the organizational incident response
capability, that offers advice and assistance to users of the system for the handling and
reporting of security, privacy, and supply chain incidents.
STATE IMPLEMENTATION DETAILS
The state agency provides an incident response support resource that offers advice and
assistance to users of the information system for the handling and reporting of security
incidents. The support resource is an integral part of the agency’s incident response capability.
IR-8 | INCIDENT RESPONSE PLAN
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response
capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the
overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size,
structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the
organization;
7. Defines the resources and management support needed to effectively maintain and
mature an incident response capability;
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]
[Assignment: organization-defined frequency]; and
9. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel, or roles].
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems
encountered during plan implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident
response personnel (identified by name and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.
STATE IMPLEMENTATION DETAILS
N/A
IR-9 | INFORMATION SPILLAGE RESPONSE
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Respond to information spills by:
a. Assigning [Assignment: organization-defined personnel or roles] with responsibility for
responding to information spills;
b. Identifying the specific information involved in the system contamination;
c. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a
method of communication not associated with the spill;
d. Isolating the contaminated system or system component;
e. Eradicating the information from the contaminated system or component;
f. Identifying other systems or system components that may have been subsequently
contaminated; and
g. Performing the following additional actions: [Assignment: organization-defined actions].
STATE IMPLEMENTATION DETAILS
N/A
MA – MAINTENANCE
MA-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] maintenance policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the maintenance policy and the
associated maintenance controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the maintenance policy and procedures; and
c. Review and update the current maintenance:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
MA-2 | CONTROLLED MAINTENANCE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Schedule, document, and review records of maintenance, repair, or replacement on system
components in accordance with manufacturer or vendor specifications and/or organizational
requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and
whether the system or system components are serviced on site or removed to another location;
c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the
removal of the system or system components from organizational facilities for off-site
maintenance, repair, or replacement;
d. Sanitize equipment to remove the following information from associated media prior to
removal from organizational facilities for off-site maintenance, repair, or replacement:
[Assignment: organization-defined information];
e. Check all potentially impacted controls to verify that the controls are still functioning properly
following maintenance, repair, or replacement actions; and
f. Include the following information in organizational maintenance records: [Assignment:
organization-defined information].
STATE IMPLEMENTATION DETAILS
N/A
MA-4 | NONLOCAL MAINTENANCE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with
organizational policy and documented in the security plan for the system;
c. Employ strong authenticators in the establishment of nonlocal maintenance and diagnostic
sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed.
STATE IMPLEMENTATION DETAILS
N/A
MA-5 | MAINTENANCE PERSONNEL
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Establish a process for maintenance personnel authorization and maintain a list of authorized
maintenance organizations or personnel;
b. Verify that non-escorted personnel performing maintenance on the system possess the
required access authorizations; and
c. Designate organizational personnel with required access authorizations and technical
competence to supervise the maintenance activities of personnel who do not possess the
required access authorizations.
STATE IMPLEMENTATION DETAILS
N/A
MP – MEDIA PROTECTION
MP-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] media protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the media protection policy and the
associated media protection controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the media protection policy and procedures; and
c. Review and update the current media protection:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
MP-2 | MEDIA ACCESS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Restrict access to [Assignment: organization-defined types of digital and/or non-digital media]
to [Assignment: organization-defined personnel or roles].
STATE IMPLEMENTATION DETAILS
N/A
MP-6 | MEDIA SANITIZATION
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of
organizational control, or release for reuse using [Assignment: organization-defined sanitization
techniques and procedures]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the
security category or classification of the information.
STATE IMPLEMENTATION DETAILS
Prior to the sale or transfer of data processing equipment, to other than another Texas state
agency or agent of the state, state agencies shall assess whether to remove data from any
associated storage device.
Electronic state records shall be destroyed in accordance with Texas Government Code §
441.185 and in compliance with the state agency’s records retention schedule. If the record
retention period applicable for an electronic state record has not expired at the time the record
is removed from data processing equipment, the state agency shall retain a hard copy or other
electronic copy of the record for the required retention period.
If it is possible that restricted personal information, confidential information, mission critical
information, intellectual property, or licensed software is contained on the storage device, the
storage device should be sanitized or the storage device should be removed and destroyed.
Additional information on sanitization tools and methods of destruction (that comply with the
Department of Defense 5220.22-M standard) is provided in the “Sale or Transfer of Computers
and Software” guidelines available at https://dir.texas.gov/resource-library-item/sale-or-transfer-computers-and-software.
State agencies shall keep a record/form (electronic or hard copy) documenting the removal and
completion of the process with the following information:
• date;
• description of the item(s) and serial number(s);
• inventory number(s);
• the process and sanitization tools used to remove the data or method of destruction; and
• the name and address of the organization the equipment was transferred to.
MP-7 | MEDIA USE
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system
media] on [Assignment: organization-defined systems or system components] using
[Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have
no identifiable owner.
STATE IMPLEMENTATION DETAILS
N/A
PE – PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] physical and environmental protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the physical and environmental
protection policy and the associated physical and environmental protection controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the physical and environmental protection policy and
procedures; and
c. Review and update the current physical and environmental protection:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
PE-2 | PHYSICAL ACCESS AUTHORIZATIONS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Develop, approve, and maintain a list of individuals with authorized access to the facility
where the system resides;
b. Issue authorization credentials for facility access;
c. Review the access list detailing authorized facility access by individuals [Assignment:
organization-defined frequency]; and
d. Remove individuals from the facility access list when access is no longer required.
STATE IMPLEMENTATION DETAILS
N/A
PE-3 | PHYSICAL ACCESS CONTROL
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit
points to the facility where the system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using [Selection (one or more):
[Assignment: organization-defined physical access control systems or devices]; guards];
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit
points];
c. Control access to areas within the facility designated as publicly accessible by implementing
the following controls: [Assignment: organization-defined controls];
d. Escort visitors and monitor visitor activity [Assignment: organization-defined circumstances
requiring visitor escorts and monitoring];
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: organization-defined physical access devices] every [Assignment:
organization-defined frequency]; and
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when
keys are lost, combinations are compromised, or when individuals possessing the keys or
combinations are transferred or terminated.
STATE IMPLEMENTATION DETAILS
N/A
PE-6 | MONITORING PHYSICAL ACCESS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
a. Monitor physical access to the facility where the system resides to detect and respond to
physical security incidents;
b. Review physical access logs [Assignment: organization-defined frequency] and upon
occurrence of [Assignment: organization-defined events or potential indications of events]; and
c. Coordinate results of reviews and investigations with the organizational incident response
capability.
STATE IMPLEMENTATION DETAILS
N/A
PE-8 | VISITOR ACCESS RECORDS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Maintain visitor access records to the facility where the system resides for [Assignment:
organization-defined time-period];
b. Review visitor access records [Assignment: organization-defined frequency]; and
c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].
STATE IMPLEMENTATION DETAILS
N/A
PE-12 | EMERGENCY LIGHTING
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Employ and maintain automatic emergency lighting for the system that activates in the event of
a power outage or disruption and that covers emergency exits and evacuation routes within the
facility.
STATE IMPLEMENTATION DETAILS
N/A
PE-13 | FIRE PROTECTION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Employ and maintain fire detection and suppression systems that are supported by an
independent energy source.
STATE IMPLEMENTATION DETAILS
Information resources shall be protected from environmental hazards. Designated employees
shall be trained to monitor environmental control procedures and equipment and shall be
trained in desired response in case of emergencies or equipment problems.
PE-14 | ENVIRONMENTAL CONTROLS
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment:
organization-defined environmental control]] levels within the facility where the system resides at
[Assignment: organization-defined acceptable levels]; and
b. Monitor environmental control levels [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
N/A
PE-15 | WATER DAMAGE PROTECTION
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Protect the system from damage resulting from water leakage by providing master shutoff or
isolation valves that are accessible, working properly, and known to key personnel.
STATE IMPLEMENTATION DETAILS
N/A
PE-16 | DELIVERY AND REMOVAL
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Authorize and control [Assignment: organization-defined types of system components]
entering and exiting the facility; and
b. Maintain records of the system components.
STATE IMPLEMENTATION DETAILS
N/A
PE-17 | ALTERNATE WORK SITE
NIST BASELINE: Moderate
PRIVACY BASELINE: No
NEW REQUIREMENT: Yes
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Determine and document the [Assignment: organization-defined alternate work sites] allowed
for use by employees;
b. Employ the following controls at alternate work sites: [Assignment: organization-defined
controls];
c. Assess the effectiveness of controls at alternate work sites; and
d. Provide a means for employees to communicate with information security and privacy
personnel in case of incidents.
STATE IMPLEMENTATION DETAILS
N/A
PL – PLANNING
PL-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] planning policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the planning policy and the associated
planning controls;
b. Designate an [Assignment: organization-defined official] to manage the development,
documentation, and dissemination of the planning policy and procedures; and
c. Review and update the current planning:
1. Policy [Assignment: organization-defined frequency]; and
2. Procedures [Assignment: organization-defined frequency].
STATE IMPLEMENTATION DETAILS
The state agency information security officer reports annually on the state agency information
security program in compliance with 1 Texas Administrative Code §§ 202.23(a), 202.73(a).
PL-2 | SYSTEM SECURITY AND PRIVACY PLANS
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop security and privacy plans for the system that:
1. Are consistent with the organization’s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of missions and business
processes;
4. Provide the security categorization of the system, including supporting rationale;
5. Describe any specific threats to the system that are of concern to the organization;
6. Provide the results of a privacy risk assessment for systems processing personally
identifiable information;
7. Describe the operational environment for the system and any dependencies on or
connections to other systems or system components;
8. Provide an overview of the security and privacy requirements for the system;
9. Identify any relevant control baselines or overlays, if applicable;
10. Describe the controls in place or planned for meeting the security and privacy
requirements, including a rationale for any tailoring decisions;
11. Include risk determinations for security and privacy architecture and design decisions;
12. Include security- and privacy-related activities affecting the system that require
planning and coordination with [Assignment: organization-defined individuals or
groups]; and
13. Are reviewed and approved by the authorizing official or designated representative
prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to
[Assignment: organization-defined personnel or roles];
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or
problems identified during plan implementation or control assessments; and
e. Protect the plans from unauthorized disclosure and modification.
STATE IMPLEMENTATION DETAILS
N/A
PL-4 | RULES OF BEHAVIOR
NIST BASELINE: Low
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Establish and provide to individuals requiring access to the system, the rules that describe
their responsibilities and expected behavior for information and system usage, security, and
privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read,
understand, and agree to abide by the rules of behavior, before authorizing access to
information and the system;
c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to
read and re-acknowledge [Selection (one or more): [Assignment: organization-defined
frequency]; when the rules are revised or updated].
STATE IMPLEMENTATION DETAILS
N/A
PM – PROGRAM MANAGEMENT
PM-1 | INFORMATION SECURITY PROGRAM PLAN
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop and disseminate an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description
of the security program management controls and common controls in place or planned
for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management
commitment, coordination among organizational entities, and compliance;
3. Reflects the coordination among organizational entities responsible for information
security; and
4. Is approved by a senior official with responsibility and accountability for the risk being
incurred to organizational operations (including mission, functions, image, and
reputation), organizational assets, individuals, other organizations, and the Nation;
b. Review the organization-wide information security program plan [Assignment: organization-defined frequency];
c. Update the information security program plan to address organizational changes and
problems identified during plan implementation or control assessments; and
d. Protect the information security program plan from unauthorized disclosure and modification.
STATE IMPLEMENTATION DETAILS
N/A
PM-2 | INFORMATION SECURITY PROGRAM LEADERSHIP ROLE
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Appoint a senior agency information security officer with the mission and resources to
coordinate, develop, implement, and maintain an organization-wide information security
program.
STATE IMPLEMENTATION DETAILS
The Information Security Officer is charged with the responsibilities enumerated at Texas
Government Code § 2054.136 and 1 Texas Administrative Code § 202.21.
PM-3 | INFORMATION SECURITY AND PRIVACY RESOURCES
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Include the resources needed to implement the information security and privacy programs in
capital planning and investment requests and document all exceptions to this requirement;
b. Prepare documentation required for addressing information security and privacy programs in
capital planning and investment requests in accordance with applicable laws, executive orders,
directives, policies, regulations, standards; and
c. Make available for expenditure, the planned information security and privacy resources.
STATE IMPLEMENTATION DETAILS
N/A
PM-4 | PLAN OF ACTION AND MILESTONES PROCESS
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Implement a process to ensure that plans of action and milestones for the information
security and privacy programs and associated organizational systems:
1. Are developed and maintained;
2. Document the remedial information security and privacy actions to adequately
respond to risk to organizational operations and assets, individuals, other organizations,
the State of Texas, and the Nation; and
3. Are reported in accordance with established reporting requirements.
b. Review plans of action and milestones for consistency with the organizational risk
management strategy and organization-wide priorities for risk response actions.
STATE IMPLEMENTATION DETAILS
N/A
PM-5 | SYSTEM INVENTORY
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Develop and update [Assignment: organization-defined frequency] an inventory of
organizational systems.
STATE IMPLEMENTATION DETAILS
N/A
PM-6 | MEASURES OF PERFORMANCE
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Develop, monitor, and report on the results of information security and privacy measures of
performance.
STATE IMPLEMENTATION DETAILS
N/A
PM-7 | ENTERPRISE ARCHITECTURE
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Develop and maintain an enterprise architecture with consideration for information security,
privacy, and the resulting risk to organizational operations and assets, individuals, other
organizations, the State of Texas, and the Nation.
STATE IMPLEMENTATION DETAILS
N/A
PM-9 | RISK MANAGEMENT STRATEGY
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop a comprehensive strategy to manage:
1. Security risk to organizational operations and assets, individuals, other organizations,
the State of Texas, and the Nation associated with the operation and use of
organizational systems; and
2. Privacy risk to individuals resulting from the authorized processing of personally
identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy [Assignment: organization-defined
frequency] or as required, to address organizational changes.
STATE IMPLEMENTATION DETAILS
N/A
PM-10 | AUTHORIZATION PROCESS
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Manage the security and privacy state of organizational systems and the environments in
which those systems operate through authorization processes;
b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk
management process; and
c. Integrate the authorization processes into an organization-wide risk management program.
STATE IMPLEMENTATION DETAILS
N/A
PM-14 | TESTING, TRAINING, AND MONITORING
NIST BASELINE: None
PRIVACY BASELINE: Yes
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Implement a process for ensuring that organizational plans for conducting security and
privacy testing, training, and monitoring activities associated with organizational systems:
1. Are developed and maintained; and
2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk
management strategy and organization-wide priorities for risk response actions.
STATE IMPLEMENTATION DETAILS
N/A
PM-15 | SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
Establish and institutionalize contact with selected groups and associations within the security
and privacy communities:
a. To facilitate ongoing security and privacy education and training for organizational personnel;
b. To maintain currency with recommended security and privacy practices, techniques, and
technologies; and
c. To share current security and privacy information, including threats, vulnerabilities, and
incidents.
STATE IMPLEMENTATION DETAILS
N/A
PM-16 | THREAT AWARENESS PROGRAM
NIST BASELINE: None
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 01/20/2023
CONTROL DESCRIPTION
Implement a threat awareness program that includes a cross-organization information-sharing
capability for threat intelligence.
STATE IMPLEMENTATION DETAILS
N/A
PS – PERSONNEL SECURITY
PS-1 | POLICY AND PROCEDURES
NIST BASELINE: Low
PRIVACY BASELINE: No
NEW REQUIREMENT: No
REQUIRED BY: 07/20/2023
CONTROL DESCRIPTION
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or
roles]:
1. [Selection (one or more): organization-level; mission/business process-level; system-level] personnel security policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations,
policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the personnel security policy and the
associated…