CISA’s New Cyber Guidelines Could Help Texas Manage Growing Threats

As cyber threats continue to test the resilience of Texas infrastructure and public systems, new voluntary guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is drawing attention as a potential benchmark for risk management across the state.

CISA on Thursday released version 2.0 of its Cross-Sector Cybersecurity Performance Goals, or CPG 2.0. These updated guidelines offer a baseline framework for reducing cybersecurity risks across sectors such as water, energy, transportation and government services. While adoption is not mandatory, the guidance outlines practical, outcome-focused strategies for improving resilience.

Key changes in CPG 2.0 include the addition of a governance function that links cybersecurity planning to executive leadership and accountability. The framework also unifies goals across IT and operational technology environments and expands its focus on third-party risk, incident response and zero-trust architecture.

Other updates include streamlined and clarified goal language, new guidance on incident communications, stronger expectations for supply chain risk management and enhanced documentation to help organizations assess cost, effort and impact.

Texas agencies are not required to adopt the updated goals. However, recent cybersecurity events within the state demonstrate the kinds of risks the framework is designed to address. In early 2024, cyber attacks targeted water utilities in Muleshoe and Hale Center. Both utilities were forced to revert to manual operations after intrusions into their control systems, which officials attributed to foreign-linked actors.

Other incidents have involved state agency systems. The Texas Department of Transportation experienced a data breach that exposed hundreds of thousands of crash records. The General Land Office disclosed a 2025 breach that compromised personal information for more than 44,000 disaster relief applicants.

These events point to a pattern of risk that spans both physical infrastructure and administrative systems. CPG 2.0 aims to help organizations close those gaps by outlining clear steps for asset management, monitoring, response coordination and internal controls.

For Texas entities that receive federal cybersecurity funding, the updated guidelines may serve as a reference for demonstrating alignment with national risk management expectations. Programs such as the State and Local Cybersecurity Grant Program often prioritize recipients who can show progress toward standardized practices.

For smaller cities and rural utilities, the federal guidelines offer a ready-made structure for building or improving cybersecurity programs. CISA has emphasized that the goals are scalable, allowing organizations with limited resources to focus on high-impact protections.

Procurement dynamics may also play a role. As vendors adopt practices consistent with federal guidance, Texas agencies may find it useful to mirror certain controls in order to ensure system compatibility and maintain trust with service providers.

Cyber insurers are another consideration. As risk assessments grow more complex, insurers are increasingly using frameworks such as CPG 2.0 to evaluate cybersecurity posture. Public-sector organizations that opt not to align with such frameworks could face more scrutiny in underwriting processes or higher premiums following a breach.