Introduction

Due to the important role that Texas plays in the nation's economy and its large
technology infrastructure, it is essential to study cybersecurity policy there. Texas is
a major hub for industries such as energy, technology and finance where cyber
threats are most likely to be encountered. Not only the government's digital assets,
but also private citizens and businesses, are protected by state cybersecurity policies.

Enhancing the security posture in response to evolving cyber threats, ensuring

continuity of vital services and protection of confidential data are all helped by this
policy knowledge. Moreover, the study of Texas' approach to cyber security can give
insight into efficient strategies for preventing, detecting and responding to threats as
their sophistication increases.

Overview of the policy memo

The Texas Department of Information Resources has crafted the State of Texas
SLCGP Cybersecurity Plan, outlining an approach to enhancing cybersecurity
defenses across different sectors in the state. Upon closer examination, this plan
reveals key aspects that emphasize its thorough nature, strategic focus areas, and
potential areas for further enhancement to align more closely with its proposed
objectives.

The Texas Cybersecurity Framework (TCF) is like a roadmap developed by the

Texas Department of Information Resources (DIR) alongside government bodies
and private companies. Its main job is to help manage cybersecurity risks effectively
without adding extra rules. Instead, it offers a common language for dealing with
these risks practically that fits each business's needs.
The framework revolves around five main functions which are Identify, Protect,
Detect, Respond, and Recover. Each of these functions has specific goals for security
controls aimed at helping organizations spot, assess, and manage cybersecurity risks
in their systems. Currently, there are 42 of these security goals altogether.

To better understand and manage these risks, the TCF includes something called a
Maturity Model. This model helps organizations gauge how well they're
implementing these security controls. It scales from basic, haphazard practices to
fully optimized, effective processes.

This (SLCGP) program provides government funding at various levels to deal with
cybersecurity risks. When organizations apply for grants through this program, they
must show how their projects align with TCF's cybersecurity plan. This way, the
grant money goes towards improving cybersecurity practices in line with the goals
of the Texas Cybersecurity Framework.
Introduction and Collaborative Efforts

The plan starts with a strong introduction that outlines its mission and vision,
emphasizing collaboration among stakeholders from various sectors like local
governments, educational institutions, and public health and safety. This
collaborative strategy is essential due to the diverse cybersecurity challenges
encountered by entities throughout the state. The plan lays a solid foundation for in-
depth conversations about specific strategies and actions by focusing on themes such
as enhancing preparedness and managing cybersecurity risks.(JD Supra 2021)

Addressing Key Themes

While the plan extensively covers IT and operational technology modernization,

stressing the importance of upgrading outdated systems, The strategy emphasizes
updating outdated systems, promoting the discontinuation of unsupported or
obsolete software and hardware that can be accessed online. A central aspect is the
adoption of a zero-trust framework involving measures such as multi-factor
authentication, improved logging, data encryption, and the prohibition of commonly
used passwords. Despite this, the plan's focus on teamwork, sharing information,
and advancement subtly integrates zero-trust concepts by endorsing a cybersecurity
approach that does not inherently trust resources or user accounts depending solely
on where they are located. Collaboration with local government entities is crucial.
The plan outlines roles, responsibilities, and partnerships to ensure adequate
cybersecurity measures are implemented at all levels of government in the future.
Responsibilities and Roles

The Texas State and Local Cybersecurity Grant Program Planning Committee is
central to developing, implementing, and monitoring the Cybersecurity Plan. It
includes members from various government entities to ensure diverse representation.
The Committee is responsible for establishing funding priorities, making project
recommendations, and ensuring cyber risks are addressed effectively across state
and local organizations. (Doe,2021) Partnerships involve representatives from state,
county, city, and town governments, public education institutions, public health
institutions, and other relevant organizations to provide varied perspectives and
guidance.

Funding Breakdown

The State of Texas will distribute funds to geographic regions, with a significant
portion going to local governments. A minimum of 25% of federal funds will be
earmarked for rural areas, but the plan aims to surpass this target as many
municipalities qualify as rural. The plan provides:

 A thorough breakdown of funding sources and allocations.

 Presenting precise figures and percentages for federal funds.
 Matching funds.
 The progression of required matching fund percentages from FY22 to FY25.

This detailed information promotes transparency, aids in better resource planning

for local entities, and establishes a financial framework for sustainable cybersecurity
improvements statewide. ( Texas comptroller of public accounts,2021)
Comprehensive Risk Strategies

The plan's extensive coverage of cybersecurity risk and threat strategies, specially
tailored for rural communities, underscores its commitment to inclusivity and
ensuring comprehensive protection across all parts of the state. The outlined strategy
for fund distribution to local governments and methods for assessing capabilities are
practical and acknowledge varying levels of cybersecurity maturity among entities.

Goals

The main goal of the detailed cybersecurity plan is to check and improve how well
local groups can protect against cyber threats. It's a tough job because these groups
often need more trust, resources, and knowledge. To solve this, there's a push to
communicate better and build trust between the central cybersecurity team and the
local groups. An essential part of the plan is ensuring these groups are ready to
handle cyber-attacks. They're encouraged to set up and test their plans for responding
to such incidents regularly. This is crucial for making them more secure and able to
deal with cyber-attacks quickly and efficiently.

Also, the plan stresses the importance of sharing information about cyber threats. It
suggests using platforms like TX-ISAO to share data on cyber threats, which helps
strengthen the state's defense against cyber-attacks. The plan also pays special
attention to rural areas, recognizing and addressing their unique cybersecurity
challenges. This ensures that every part of the state is protected.

Additionally, the plan outlines how funds should be given to local governments and
how to evaluate their cybersecurity strength. It does this, understanding that different
groups have different levels of ability to protect against cyber threats. This strategy
ensures that resources are used wisely and that cybersecurity efforts are suited to
each group's specific needs and readiness.

Texas SLCGP Program Metrics

The table provided details of the aims, targets, and measurements of the Texas State,
Local, Tribal, and Territorial Cybersecurity Preparedness (SLCGP) initiative, which
seeks to improve cybersecurity defenses across different organizations in Texas.

Focus Area Key Initiatives Progress Indicators

Cybersecurity Plan Align with statewide

Statewide plan approval status
Enhancement cybersecurity needs

Cyber Awareness Outreach and resource

Resources distributed
Development distribution

Expansion of cyber
Community membership count
defense community

Authentication and Access Promote stronger access

Adoption rate of access controls
Control controls

Implement data
Data Protection and Privacy Projects utilizing data protection
protection measures

Software and Hardware Transition away from Upgrades and replacements

Management outdated technology completed

Password and Credential Implement secure Entities with secure credential

Management credential policies policies

System Resilience and Enhance system recovery

Systems with recovery solutions
Recovery capabilities
 Domain Security and Transition to secure Transitions to secure domains
Management domain completed

Incident Response Develop and test

Entities with response plans
Improvement response strategies

Collaboration and Enhance information-

Information sharing frequency
Intelligence Sharing sharing networks

Elements of a Cybersecurity Plan

The State of Texas SLCGP Cybersecurity Plan, approved on September 14, 2023,
lays out essential steps to ensure that local government organizations in Texas are
better protected against cyber threats. Here's a breakdown of what the plan focuses
on:

Manage, Monitor, and Track: This means controlling who has access to critical
information, allowing access only to those who need it for their job, and keeping
track of who accesses what to stop any unauthorized activity.

Assessment and Mitigation: Regularly check IT systems for weaknesses to ensure

security measures are working correctly and manage any risks that might arise over
time.

Best Practices and Methodologies: Giving priority to projects that make systems
more secure by using methods like requiring multiple steps for logging in, keeping
detailed records of activity, encrypting data, stopping the use of outdated software,
not allowing commonly known passwords, making backups, and using the ".gov"
domain for official online services.(Data guidance,”n.d”)
Safe Online Services: Make sure that government services offered online are hosted
on the ".gov" domain to make them more trustworthy for people to use.

Continuity of Operations: Creating plans to ensure essential government functions

can continue despite cyberattack disruptions.

Workforce: Developing rules and practices based on cybersecurity guidelines to

attract and keep skilled workers and ensuring they receive training to handle
cybersecurity issues.

Continuity of Communications and Data Networks: Planning for how to keep

communication going during emergencies and understanding how different systems
are connected to respond better to cyber incidents.

Assess and Mitigate Cybersecurity Risks: Identifying and dealing with risks to
vital infrastructure to keep systems running smoothly.

Cyber Threat Indicator Information Sharing: Improving the ability to share

information about cyber threats with other organizations.

Leverage CISA Services: Using cybersecurity services provided by the Department

for better protection against cyber threats.(State scoop,2022)

Overall, these steps aim to ensure that local government organizations in Texas are
better prepared to handle cyber threats, raise awareness about cybersecurity, prepare
for cyber incidents, improve their ability to deal with cyber problems, share
information about threats, and become more resilient against cyber-attacks.
 IIJA GUIDELINES

I will evaluate the state of Texas SLCGP cybersecurity plan based on four guidelines
provided in the Infrastructure and Investment and Jobs Act or IIJA". Here is the
detailed discussion.

Part (vii) of IIJA talks about how states and local government should ensure their
operations during a cyber security incident. Its main area of focus is the following: -

Ensuring continuity of Conducting Importance of Co-ordination and

operations cybersecurity preparedness collaboration
exercises

One of Its primary objectives Its purpose is to Preparedness Intra-organization

is to maintain uninterrupted mitigate the impact through drill and co operations and
operations before and after a of cybersecurity simulation is collaboration:
cybersecurity attack. Its main attacks through especially ensuring that
approach focuses upon practical exercises. important to different
implementing robust disaster Simulations and respond quickly departments work
recovery plans to reduce the drills help to test and effectively to together during
downtime and interruption in the readiness and cybersecurity cybersecurity drills
services. response abilities of attacks which helps and simulations and
the organization in reducing the if the entity is state,
damage and it should encompass
recovery time. local government in
its jurisdiction for
an effective
response.
Question 1: - Does the current cybersecurity plan of Texas ensure continuity of
operations in the event of a cybersecurity attack?

Answer: - The current cybersecurity plan of Texas briefly talks about the continuity
of operations in the wake of cybersecurity attacks. The plan mandates that state and
local government entities should be attentive with the help of drills and simulations
to prevent any service interruption. Some critical functions require the continuation
of services at all costs, and the plan briefly addresses issues like continuity of
services and resumption of services after disruptions of regular operation. The plan
also discusses the following: -

Assessment and Mitigation: - It addresses issues like assessing and mitigating

cybersecurity risks. Additionally, it mentions "cybersecurity incident response team"
(CIRT) and "volunteer incident response team" (VIRT) for cybersecurity attack
response support. CIRT helps in Mitigation, incident response, and communication,
and VIRT helps in awareness and education, community-based response, and
expertise sharing.

Continuity of communication and data network: - This plan also talks about crisis
communication services such as a web emergency operation center for crisis
management. It discusses how better continuity of communication and data network
prevents any additional impacts and helps in speedy recovery to continue business
activities during challenging times.

Part (v) IIJA talks about the implementation of advanced cybersecurity practices.
 Integration of NIST Adoption of NIST’s Employing knowledge
cybersecurity practices for cyber bases for adversary
framework supply chain risk tools and tactics
management
Eligible entities like Apart from helping with It is particularly
state and local normal cyber security important to have a
government are threats NIST also helps in detailed knowledge of
encouraged to adopt managing risk in cyber tools, tactics and
cybersecurity supply chain. NIST helps processes used by
standards established in secured supply of attackers. This
by the National software, hardware and information is important
institute of standard services flow and make for proactive defense and
technology (NIST). sure that there is no helps in understanding
NIST is a set of tempering with them enemy capabilities. All
standards which help before reaching the this helps in staying
organizations to organization. It also ahead of attackers and
reduce and manage involves thorough secure the organization.
cybersecurity threats. checking of suppliers and
vendors.

Question 2: - Does the current cyber-security plan discuss the adoption of the
National Institute of Standards and Technology (NIST) framework?

Answer: - By recognizing the (NCSR) Nationwide Cybersecurity Review findings,

2021which indicate the need to focus on all areas of NIST CSF for local government,
the cybersecurity plan of Texas integrates the principles and standards of NIST to
enhance the performance of state and local government entities. The plan uses
(NCSR) "nationwide cybersecurity review" as an assessment tool which aligns with
NIST and cyber security framework. The NCSR evaluates local government entities
by assessing them on NIST CFS's five core principles, which are

Identify: - It helps an organization to understand and manage cybersecurity risk to

system, data, and capabilities.

Protect: - Implementing safeguards to ensure the safe delivery of critical

infrastructure services.

Detect: - It helps detect any activities that might result in cybersecurity attacks.

Respond: - Ensure timely and spontaneous action if an attack happens.

Recover: - Proper planning of restoration of services hampered by cybersecurity

attacks.

The plan also talks about the NCR's assessment of entities on a scale of 1 to 7, which
reflects their preparedness for each NIST CSF's function. It helps detect areas where
more improvements are needed so that any disastrous attack effect can be tackled.

By incorporating NIST CSF into the plan, the Texas government made sure of the
protection of critical infrastructure and a coordinated response to cybersecurity
threats and incidents. The plan also ensures that resources are efficiently located to
improve the overall cybersecurity maturity of local government within the taxes.

Part (viii) of IIJA guidelines talks about how to identify and address the gap in the
cybersecurity workforce to enhance the protection against any cybersecurity attack
because an educated and aware staff is required to function smoothly.
 Identifying and Enhancing and Bolstering knowledge Local government and
mitigating workforce recruitment and skills and abilities collaboration
gaps retention
The key points are Attractive Continuous training – It is also important to
assessment and opportunities like regular training and encompass the local
comparison of creative career paths exercises are conducted government within the
workforce, where after and community to keep the workforce jurisdiction of larger
assessing the capabilities engagement to build a kills sharp and up to entities.
of the workforce they pipeline of future date. Sharing resources like
are compared against cybersecurity Cybersecurity training materials and
NICE frameworks to professionals hygiene: -training in other expertise with
find out any areas of basic cybersecurity local government is
improvement. practices like how to important. Apart from
To mitigate the gaps secure the password these joint initiatives to
strategies like training and how to recognize improve the overall
plans and hiring fresh phishing attempts is security posture of the
staff according to the important region is also
required skill set is important.
standard procedure.

Question 3: - Does the current cybersecurity plan discuss cybersecurity

workforce issues and the use of the National Initiative for Cybersecurity
Education Workforce Framework for Cybersecurity?

Answer: - The current cybersecurity plan places great significance on addressing

cybersecurity workforce issues by recognizing the critical roles played by a skilled
workforce in safeguarding digital assets for national security. This focus is evident
in several key aspects of the plan, including workforce development strategies and
using the "National Initiative for Cybersecurity Education" (NICE) framework for
cybersecurity.

Workforce development strategies: - One of the main focuses of the Texas

cybersecurity plan is to fill the existing gap in the cybersecurity workforce, which
involves training plans, educational initiatives, and attractive opportunities to retain
the skilled workforce.

By investing in workforce development, the plan aims to improve cybersecurity

resilience. Utilization of NICE framework: - The plan uses the NICE workforce
framework as a workforce management and development base tool. By following
the standards of NICE, the Texas cybersecurity plan enables organizations to

Define competency requirements: - Defining competency requirements plan

clarifies what knowledge is required for each role. This clarity helps organizations
to develop targeted training programs to fill the skill gaps.

Support career development: - The current cybersecurity plan helps in career

development by finding progression opportunities, which helps professionals
navigate their career paths and acquire the necessary skills and certification.

Enhance recruitment and Retention: - The plan uses the NICE framework as a
benchmark to improve the recruitment process and Retention of employees, which
helps organizations retain talent.

In conclusion, the plan briefly discusses issues related to cybersecurity workforce

challenges and adopts strategies to address them by using the NICE workforce
framework for cybersecurity. All these developments help organizations to mitigate
the evolving cyber threats effectively.

Part (vi) of IIJA guidelines mentions how to encourage safe and reliable online
services. It mentions that state and local governments should use .gov internet
domain names within their authority.
Ensuring safety Enhancing Building trust Collaboration with
recognition local government

The eligible entities By using the .gov By continuously and State and local
should be careful domain eligible consistently government under
about that the online entities can help providing safe and eligible entities
services they are users to easily recognizable should also
providing are secure determine the services eligible participate in these
and free from any original site which entities can build efforts of trust
kind of risks reduce chances of trust among users. building to promote
fraud safety in online
services

Question 4: - Does the current cybersecurity plan discuss ensuring that e-

government sites are safe, recognizable, and trustworthy using the *.gov
domain?

Answer: - The cybersecurity plan outlines the steps to ensure e-government sites are
safe, recognizable, and trustworthy, focusing on migrating to the *.gov domain.
Here's how the plan achieves this:

Adopting Best Practices and Methodologies

The plan emphasizes adopting best practices, including migrating to the .gov
domain, which signifies a trusted and secure online presence for government entities.
Prioritizing Safe Online Services

Utilizing the .gov domain is a priority to promote safe, recognizable, and trustworthy
online services. The plan mandates that projects for entities not on the .gov domain
include migration to be considered for funding, demonstrating a commitment to
secure and verifiable government digital presence.

Promoting Compliance and Standards

Local government entities are encouraged to adhere to cybersecurity training

requirements and to participate in information-sharing networks, enhancing overall
cybersecurity awareness and response capabilities.

Continuous Improvement and Capability Assessment

The plan recognizes the need to continuously assess and improve cybersecurity
capabilities, including adopting the .gov domain, to maintain a secure and trusted
digital environment for government services.
References

1. National Institute of Standards and Technology. (2018). Framework for

Improving Critical Infrastructure Cybersecurity (Version 1.1). National Institute of
Standards and Technology.

https://www.nist.gov/cyberframework

2. Cybersecurity and Infrastructure Security Agency (CISA). (2022).

Cybersecurity Best Practices for Local Governments. U.S. Department of Homeland
Security. https://www.cisa.gov/cybersecurity-best-practices-local-governments

3. Texas Department of Information Resources. (2021). Texas State

Cybersecurity Strategic Plan. https://dir.texas.gov/cybersecurity-strategic-plan

4. Nationwide Cybersecurity Review (NCSR). (2021). 2021 Nationwide

Cybersecurity Review Summary Report. Homeland Security.
https://www.dhs.gov/ncsr

5. National Initiative for Cybersecurity Education (NICE). (2020). NICE

Cybersecurity Workforce Framework. U.S. Department of Commerce, National
Institute of Standards and Technology.
https://csrc.nist.gov/publications/detail/sp/800-181/final
6. Infrastructure Investment and Jobs Act (IIJA). (2021). Public Law No: 117-
58. https://www.congress.gov/bill/117th-congress/house-bill/3684/text.

Dwards, J. 2024). The Department of Defense is issuing a memorandum on

cybersecurity activities related to cloud service offerings. ExecutiveGov. Retrieved
from https://www.executivegov.com/2024/02/dod-issues-memo-on-cybersecurity-
activities-for-cloud-service-offerings/

Bradley. (n.d.). Texas and its cybersecurity and data privacy laws are not to be
messed with. Retrieved from
https://www.bradley.com/insights/publications/2021/07/dont-mess-with-texas-or-
its-cybersecurity-and-data-privacy-laws

Texas Business Leadership Council. (2024). The Texas Cybersecurity Act has been
signed by Governor Abbott. Retrieved from https://txblc.org/in-the-press/governor-
abbott-signs-texas-cybersecurity-act-law/

Goslin, H.2020; pp. What you need to know about the Texas Cybercrime Act.
Veracode Blog. Retrieved from https://www.veracode.com/blog/research/texas-
cybersecurity-act-what-you-need-know StateScoop. (2022). Texas Cybersecurity:
Potential Revisions in 2022. Retrieved from https://statescoop.com/texas-
cybersecurity-possible-changes-2022/