2022 Biennial Performance Report

Accelerating the Next Generation of Technology in Texas

2022-2026 State Strategic Plan
Goal 1: Secure IT Service Delivery

Texans entrust government with some of their most sensitive and confidential information. State agencies bear the responsibility for ensuring that information is not compromised.
The 2022-2026 State Strategic Plan identifies four objectives to help guide state agency efforts to minimize security risks to technology and evolve cybersecurity practices. Desired outcomes for agency alignment with the IT security objectives below include mature, risk-based security programs; cybersecurity-aware organizations; ongoing investment in cybersecurity staff; reduced exposure to cyberattacks; and regional approaches to preparedness that build resilience.

Objectives

  1. Create scalable, integrated tactics for cybersecurity based on cost-effective security tools.
  2. Reinforce risk-based security practices, including continuous prediction, prevention, detection, and response to cybersecurity threats.
  3. Form a resilience mindset and a vigilant organizational culture through cybersecurity education and training.
  4. Develop regional approaches to cybersecurity engagement and response.

Assessment

The State of Texas has made great strides to address complex cyber threats targeting the public sector. To continue this progress, state agencies must evolve cybersecurity practices and identify security priorities specific to their agencies’ missions. 
State agencies identified data protection, security training, and disaster recovery among their top security initiatives for the next biennium.
Agencies must have mature, risk-based cybersecurity programs to protect against increasingly sophisticated cyber threats. In 2022, state agencies are showing progress in the following areas. 
When cybersecurity incidents, natural disasters, pandemics, or other events disrupt IT systems, organizations must respond quickly. Because Texas covers more than 268,000 square miles, regional approaches can help facilitate the rapid restoration of government operations and services.
State agencies reported that they are prepared to respond to and recover from a security incident, with 82% of agencies indicating they regularly review or revise their security incident response plans. Furthermore, over half of agencies say they have adequate resources to address the impacts of a security incident. Importantly, all state agencies now have security incident response plans in place; many of these entities are reviewing and testing them regularly, some as often as every six months.

Concerns

Agencies reported the same top five barriers to addressing security issues in 2022 as they did in 2020. The increasing sophistication of threats remains the top issue, with approximately 10% more agencies identifying this as a barrier than in 2020, followed by a lack of sufficient funding and a shortage of cybersecurity professionals. More agencies also reported a lack of documented processes as one of their top barriers.

Recommendations

The Texas Legislature prioritized cybersecurity in the 87th Legislative Session by funding new initiatives and passing forward-thinking legislation to improve the state’s cybersecurity posture. The bills that passed created regional security operations centers, professional and volunteer cybersecurity incident response teams, and the Texas Risk Authorization and Management Program for cloud computing services, and they expanded security awareness training.
For the next biennium, DIR recommends that the legislature consider the following actions:

  1. Require local governments and school districts to report cybersecurity incidents to DIR within a minimum reporting timeframe.
  2. Require government entities to use the standardized “.gov” domain suffix when establishing a new domain name to reduce website spoofing.
  3. Allow state agencies and institutions of higher education (IHEs) to designate a joint information security officer.