Texas cybersecurity framework (TCF) compliance guide for 2025
The Texas Cybersecurity Framework (TCF) provides a structured, NIST-aligned roadmap for improving cybersecurity across Texas state agencies and higher education institutions. Whether you’re preparing for a DIR audit, strengthening third-party contracts, or aligning your IT policies, understanding the TCF is essential.
This guide breaks down the key domains, compliance expectations, and how cybersecurity practices, like penetration testing, fit into your TCF implementation strategy.
What you'll learn about the Texas Cybersecurity Framework (TCF)
- What the Texas Cybersecurity Framework is and who it applies to
- How the TCF aligns with the NIST Cybersecurity Framework (CSF)
- How to assess your maturity level and meet DIR expectations
- The role of penetration testing in validating your cybersecurity controls
What is the Texas Cybersecurity Framework?
The Texas Cybersecurity Framework (TCF) is a set of standards developed by the Texas Department of Information Resources (DIR) to help public entities strengthen their cybersecurity posture. It is primarily based on the NIST Cybersecurity Framework (CSF) and tailored to Texas-specific statutory and regulatory requirements. The TCF helps organizations:
- Identify cybersecurity weaknesses
- Align security activities with business goals
- Measure cybersecurity maturity across five functional areas
- Report compliance status to the Texas DIR
Who must comply with the Texas Cybersecurity Framework?
The Texas Cybersecurity Framework (TCF) is mandatory for a defined group of public sector organizations in Texas. These entities are required to assess, document, and report their cybersecurity posture annually to the Texas Department of Information Resources (DIR) in accordance with Texas Government Code Chapter 2054.
Entities Required to Use the TCF:
- Texas state agencies, including executive branch departments
- Public institutions of higher education, such as universities and colleges
- Public retirement systems managing benefits for state employees
- Other public entities specifically named under Texas law or DIR administrative rules
Each covered organization must conduct a self-assessment against the TCF’s control objectives and report its cybersecurity maturity levels using the DIR’s Cybersecurity Capability Maturity Model (CCMM).
Indirect Compliance for Private Sector Vendors
While private sector organizations, such as managed service providers, SaaS vendors, and cybersecurity firms, are not directly mandated to use the TCF, many are increasingly held to its standards contractually.
Key components of the Texas Cybersecurity Framework
The Texas Cybersecurity Framework (TCF) is built upon the widely recognized NIST Cybersecurity Framework (CSF) and tailored to meet the compliance and operational needs of Texas government entities. It is structured around five functional areas, known as the Core Functions, which serve as the foundation for a holistic and risk-based cybersecurity program.
Each core function contains eight control objectives, for a total of 40 required controls that organizations must assess and address. Every control objective is rated against the organization’s cybersecurity maturity.
Identify
Establish the organizational understanding needed to manage cybersecurity risk. This includes:
- Asset management
- Business environment understanding
- Governance and policy development
- Risk assessments
- Supply chain and vendor risk management
Protect
Implement safeguards to ensure the delivery of critical infrastructure and services. Controls include:
- Access control mechanisms
- Data security (encryption, classification)
- User awareness training
- Secure development practices
- Maintenance and protective technologies
Detect
Develop and implement activities to identify the occurrence of cybersecurity events. This function includes:
- Continuous monitoring
- Security event detection and correlation
- Anomaly identification
- Logging and auditing practices
Respond
Take action regarding detected cybersecurity incidents. Required practices include:
- Incident response planning
- Communication protocols
- Incident analysis and forensics
- Legal, regulatory, and reputational response coordination
Recover
Develop and implement plans for resilience and restoration after an incident. Controls focus on:
- Recovery planning and testing
- Communication with stakeholders post-incident
- Continuous improvement based on lessons learned
How is TCF Maturity measured?
Organizations assess each control using the Texas Cybersecurity Capability Maturity Model (CCMM), a scale from Level 0 (Nonexistent) to Level 5 (Optimized):
- Level 0 – Nonexistent
- Level 1 – Ad Hoc
- Level 2 – Repeatable
- Level 3 – Defined
- Level 4 – Managed
- Level 5 – Optimized
This self-assessment approach helps entities identify areas for improvement, prioritize investments, and demonstrate compliance in annual reports submitted to the Texas Department of Information Resources (DIR).
Need a TCF-aligned security assessment?
Ensure your organization meets Texas DIR expectations. Schedule a meeting to explore how our penetration testing services can validate your control maturity, support your TCF reporting, and reduce cybersecurity risk across all five core functions.
- Call 1-877-805-7475
What happens if you don’t comply?
While the Texas Cybersecurity Framework (TCF) is principles-based and does not impose fixed penalties like some federal regulations, failure to comply can still expose your organization to significant operational, financial, and reputational risk.
Here’s what noncompliance can trigger:
Increased Cybersecurity Risk
Without TCF-aligned controls, your organization is more vulnerable to breaches, ransomware, and operational disruption.
Negative Audit Findings & Funding Delays
Incomplete or stagnant self-assessments can trigger DIR audits, corrective action plans, or delayed funding.
Vendor & Contract Risks
Weak compliance oversight can lead to contract issues, shared liability in breaches, and vendor disqualification.
Legal and Reputational Fallout
Noncompliance may damage public trust, attract leadership scrutiny, or breach overlapping state and federal laws.
How penetration testing supports TCF compliance
Penetration testing helps validate the technical controls required in the Protect and Detect domains of the Texas Cybersecurity Framework.
Here’s how pentesting contributes to TCF compliance:
- Demonstrates proactive risk management
- Validates access control and privilege escalation defenses
- Identifies gaps in detection and response mechanisms
- Provides audit-ready evidence of technical safeguards
- Supports maturity improvements in multiple control objectives
Explore other state-level cybersecurity regulations
The Texas Cybersecurity Framework is part of a growing landscape of state-driven compliance initiatives. If your organization operates beyond Texas, explore our U.S. Cybersecurity Compliance Guide, including:
- Massachusetts 201 CMR 17.00
- California CCPA / CPRA
- New York NYDFS 23 NYCRR 500
- NIST, SOC 2, CMMC, and ISO 27001
Need a Quote for TCF-Aligned Penetration Testing?
Answer a few questions about your needs, project scope, and objectives to quickly receive a tailored quote. No obligation.
- You can also call us directly: 1-877-805-7475