The new System Policy 29.02, Information Security, was released today.

In accordance with Governor Greg Abbott’s directive to block access to prohibited technologies and their affiliated companies from state networks, the DIR Cybersecurity Operations team researched the prohibited technologies to identify their internet assets and compiled a list of IP addresses, IP CIDRs, and domain names that should be blocked. The resulting list included 96,251 hostnames from 399 domains.

There has been recent interest from members on a "how to get started" roadmap for securing operational technology (OT) at the institutional level. We are assembling a more formalized set of recommendations, but in the interim, courtesy of NotebookLM, I offer...

DIR has added seven new security control standards in version 2.2 of their security control standards catalog. These have been incorporated into the A&M System Security Control Standards Catalog, published at https://www.cyber.tamus.edu/catalog/. All controls have a required implementation date of February 28, 2027, and are listed below:

We have added a new section to the Cybersecurity website to serve as a central landing place for all information relating to identity security.

The page is available at https://www.cyber.tamus.edu/identity.

The Texas A&M System Security Control Standards Catalog was updated today to incorporate NIST SP 800-53 Release 5.2.0. The update also included a cosmetic change to the catalog generation code to zero-pad control and enhancement numbers, consistent with NIST SP 800-53.

Effective immediately, the Texas A&M System is updating its guidance on multi-factor authentication (MFA) to enhance security across all system members.

The guidance is published at https://www.cyber.tamus.edu/restricted/guidelines/mfa.

As a result of recent federal and state government requirements and recommendation from General Counsel, the Texas A&M System has implemented a minimum standard of blocked countries for all publicly-accessible system information resources. This standard is reflected in the newly added system required control SC-07(11). The list of blocked countries is published at https://sso.tamus.edu/BlockedCountries.aspx and may be updated as circumstances dictate.

System Regulation 29.01.06 was released last week, which implements what was previously a policy letter from the System CIO to all members addressing covered applications and prohibited technology.

The guidelines page at https://www.cyber.tamus.edu/policy/guidelines/prohibited-technology/ has been updated to reflect these changes. The regulation is also available at https://policies.tamus.edu/29-01-06.pdf.

Today, TAMUS Cybersecurity released updated incident notification guidance for members to report incidents where the confidentiality, integrity, or availability of a member high-impact information system, or a system processing confidential information, is potentially compromised.

The updated guidance is available at https://www.cyber.tamus.edu/policy/guidelines/incident-notification/.