DIR’s Cybersecurity Report Offers Insights for Vendors

The Department of Information Resources (DIR) 2024 Cybersecurity Report includes valuable insights for vendors, including recommendations the agency plans to make to the Legislature for the upcoming biennium.

According to the report, the 2023-2024 biennium saw multiple attacks exploiting operational systems of water utilities, resulting in significant system disruptions and thefts of sensitive customer information. Due to the size and scope of Texas’ public sector, with more than 150 state agencies and thousands of local government entities, DIR emphasizes “a more distributed approach” to cybersecurity.

To meet the needs of agencies and entities scattered across the state, DIR recommends expanding the regional security operations center program, which provides smaller entities with no-cost access to cybersecurity support and network security providers. At last year’s State of Technology — Texas Industry Forum, hosted by Industry Insider, DIR Deputy Executive Director Steve Pier emphasized the need for an RSOC program expansion as a proactive solution.

Three RSOCs are currently operational in the state: one at Angelo State University, one at the University of Texas at Austin and another at the University of Texas Rio Grande Valley. In the agency’s Legislative Appropriations Request, DIR is requesting funding for four additional RSOCs.

DIR also recommends the 89th Legislature provide additional funds for cybersecurity tools, aligning with recommendations made in the Texas Sunset Advisory Commission’s staff report on DIR. Specifically, DIR recommends state agencies be required to “obtain a state-funded, DIR-selected third-party information security assessment and penetration test every two years.”

The report includes a request for “clear statutory authority to contract with a third party to produce a statewide public service announcement” with the goal of developing a cybersecurity-focused public awareness program similar to campaigns produced by other agencies in partnership with third-party firms, such as the Texas Department of Transportation’s “Don’t Mess with Texas” and “Click It or Ticket.”

The following is a comprehensive list of DIR’s legislative recommendations:

• Require all government employees to complete cybersecurity training
• Clarify the statutory definition of public-sector critical infrastructure
• Require public entity ransomware payment reporting to state leadership
• Require cybersecurity liability insurance policies and other contracts to allow state agencies and local government to share threat information with DIR

The full report can be found on the DIR website.