DIR now points state contracts at the Texas Cybersecurity Framework and TAC 202. Here is what Texas vendors must document, attest, and prove to win and keep public-sector work in 2026.
If your Texas business sells software, hosting, staffing, or professional services to a state agency, university, or public-sector entity, the Texas Department of Information Resources (DIR) is quietly rewriting your security obligations. Contract language that used to say "use commercially reasonable safeguards" now points to the Texas Cybersecurity Framework (TCF), Texas Administrative Code Chapter 202, and a growing list of vendor attestations that must be current before an award is signed. Miss one, and your bid gets set aside no matter how competitive your price.
This guide breaks down what DIR actually expects from contractors in 2026, how the Texas Cybersecurity Framework maps to controls you may already run, and where a Texas-based IT partner shortens the path from "interested vendor" to "awarded and compliant."
DIR sets statewide information security policy for Texas government. Its reach extends past agencies to the private companies that serve them. You are almost certainly in scope if any of the following is true:
The trap for small firms is assuming that "we're just a subcontractor" or "we only sell hardware" gets them off the hook. Data-handling language and TAC 202 flow-downs increasingly appear in every tier of the supply chain.
The TCF is Texas's adaptation of the NIST Cybersecurity Framework. It organizes 40+ security objectives under five familiar functions — Identify, Protect, Detect, Respond, Recover — and asks each organization to rate its maturity against them. For contractors, the practical takeaway is that DIR speaks NIST. If you have already done work toward NIST 800-171 control mapping for a federal contract, you have a substantial head start on the TCF.
The five functions translate to concrete questions an evaluator will ask:
Texas Administrative Code Chapter 202 is the binding rule that makes the framework more than a suggestion. It requires state entities to implement a security program — and, critically, to hold their vendors to compatible controls. When a contract references TAC 202, you are agreeing that your safeguards will not be the weak link in the state's program. That means documented policies, a named security officer or equivalent, risk assessments, and evidence you actually follow what you wrote down.
DIR and its customer agencies increasingly require paperwork up front rather than after an incident. Expect requests for some or all of:
The firms that win are the ones with these artifacts already assembled. Scrambling to produce them after an RFP drops usually means missing the deadline.
State contracts frequently distinguish between public, sensitive, and confidential data, and they attach handling rules to each tier. If your systems commingle agency data with everything else, you inherit the strictest handling requirement across your whole environment. Segmenting state data — logically or physically — keeps your compliance scope small and your audit cheap. This is the same discipline that makes an Active Directory tiering model pay off: contain the sensitive systems so a compromise elsewhere cannot reach them.
DIR reviewers pay special attention to who can touch what. Multi-factor authentication on every remote and administrative login is table stakes. Beyond that, they want to see least-privilege enforcement and control over the accounts that can change your environment. A privileged access management program — or at minimum a documented process for granting, reviewing, and revoking admin rights — answers the toughest questions in the Protect function. If you are new to the concept, our explainer on what privileged access management is covers the fundamentals.
Small contractors most often fall short on the Detect function. It is easy to buy antivirus; it is harder to prove that someone or something is watching the alerts. DIR-aligned buyers want evidence of continuous monitoring, centralized logging, and a response path when something fires. This is exactly where managed IT services with a monitoring stack close the gap without you standing up a 24/7 team of your own.
A tested incident response plan is non-negotiable. "Tested" is the operative word — an evaluator can tell the difference between a template downloaded last week and a plan your team has actually walked through. Run a tabletop exercise, document the results, and keep the notification-timeline commitments in your contract realistic. If your contract says 24 hours and your team cannot detect an intrusion for a week, you have signed up for a liability you cannot meet.
If you sell to both state and federal customers, the good news is that the frameworks overlap heavily. Work you do for CMMC scoping or CIS Controls implementation groups feeds directly into the Texas Cybersecurity Framework. Map your controls once, then present the same evidence to different auditors. That reuse is where a security partner earns their fee — building a single control set that satisfies multiple masters instead of chasing each regime separately.
Begin with a gap assessment against the five TCF functions. You cannot fix — or truthfully attest to — what you have not measured. A focused two-week assessment produces three things: a maturity score per function, a prioritized remediation list, and the artifacts you will hand to your next agency evaluator. From there, close the highest-risk gaps (usually MFA coverage, logging, and a tested IR plan) before you chase the long tail. If you would rather not run this in-house, LayerLogix builds and maintains this exact evidence package for Texas contractors as part of outsourced IT and security. Not sure whether you need a full program or a lighter touch? Our guide to what an IT consultant does helps you scope the engagement.
LayerLogix supports state contractors and public-sector vendors across Texas with framework-aligned security programs and DIR-ready documentation. We serve Austin — home to most agency headquarters — along with Houston, Dallas, San Antonio, and The Woodlands. Compare your options with our guide to the best IT support companies before you commit.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.