Texas DIR Cybersecurity Star Program: What State Contractors Need to Know in 2026

The DIR Cybersecurity Star Program is a Texas-specific certification framework administered by the Texas DIR Office of the Chief Information Security Officer. It evaluates vendor cybersecurity posture on a three-tier scale (Tier 1 / Tier 2 / Tier 3) using control criteria drawn from NIST 800-171, NIST 800-53, the Texas Cybersecurity Framework, and CMMC 2.0. Certification is currently voluntary for most procurement categories but increasingly weighted in evaluation scoring and required outright for solicitations involving Confidential or Sensitive Personal Information.

Tier 1 — Foundational

Targets vendors handling Public Information only. Requires:

• Documented information security policy reviewed annually
• MFA on all administrative accounts
• Antivirus/EDR on all endpoints
• Patch management with documented timeliness for critical CVEs
• Annual security awareness training for all staff
• Incident response plan
• Backup and recovery program with documented test restores

Most established Texas IT vendors with reasonable security hygiene already satisfy Tier 1 — it formalizes baseline practice rather than requiring new investment.

Tier 2 — Enhanced

Targets vendors handling Confidential Information. Tier 1 plus:

• Privileged Access Management for administrative accounts
• Phishing-resistant MFA for administrators (FIDO2 or certificate-based)
• SIEM with 90-day log retention
• Vulnerability management with documented Mean Time To Patch
• Vendor risk management program
• Annual third-party security assessment or penetration test
• Encryption of Confidential Information at rest and in transit
• Tabletop exercise within last 12 months (see our tabletop exercise design guide)

Tier 3 — Advanced

Targets vendors handling Sensitive Personal Information or operating in regulated verticals (healthcare, financial). Tier 2 plus:

• 24/7 SOC monitoring (in-house or via MDR/MSSP)
• Data Loss Prevention deployed across endpoints and email
• Identity Threat Detection and Response (see our ITDR coverage)
• Privileged session recording for administrator activity
• Independent security assessment annually with findings remediated within 90 days
• Compliance with applicable regulatory framework (HIPAA, PCI-DSS, FedRAMP, CJIS)
• Documented Software Bill of Materials for any software products provided

The Cyber Star tiers correlate roughly to:

• Tier 1 ≈ NIST 800-171 partial compliance (~60% of controls), CMMC Level 1
• Tier 2 ≈ NIST 800-171 full compliance, CMMC Level 2 (self-attested), SOC 2 Type I
• Tier 3 ≈ CMMC Level 2 (third-party assessed), SOC 2 Type II, ISO 27001-equivalent

Texas vendors already pursuing CMMC Level 2 for federal defense work typically satisfy Cyber Star Tier 2-3 with minimal additional effort — the control sets overlap heavily.

1. Self-assessment against the appropriate tier checklist published by DIR
2. Documentation package compiled — policies, procedures, evidence artifacts, attestations
3. Third-party assessment (required for Tier 2 and Tier 3) by an approved assessor
4. Submission to DIR with assessor report and supporting documentation
5. Certification grant with annual renewal requirement

Typical timeline: 4-6 months from start to Tier 2 certification for a vendor with reasonable existing security posture; 8-12 months to Tier 3.

• SIEM at SMB scale — most vendors use EDR but lack the broader log aggregation Tier 2 requires. Microsoft Sentinel addresses this affordably for M365 customers (see our Sentinel deployment guide)
• Phishing-resistant MFA — most have push or TOTP; Tier 2 requires FIDO2 for admins (see MFA bypass attacks 2026)
• Privileged Access Management — frequently missing entirely; Tier 2 requires application allowlisting (see our 2026 PAM tools comparison)
• Documented vulnerability management — most vendors run scans but lack measured Mean Time To Patch (see our EPSS prioritization guide)
• Vendor risk management program — typically absent at SMB scale; Tier 2 requires documented inventory + annual review

Two forces are pushing Cyber Star from voluntary to required:

• Texas DIR is increasingly tying procurement scoring to certification level — a Tier 2 vendor receives 10-20 points of evaluation advantage over an uncertified competitor on relevant solicitations
• Several state agencies have moved to require minimum tier certification in their solicitation language outright — particularly Health and Human Services, the Office of Court Administration, and the Department of Public Safety

For Texas IT vendors that derive 10%+ of revenue from state, university, or DIR Co-op contracts, certification is now a multi-year defensive necessity rather than an optional credential.

For Texas IT vendors evaluating certification: pull the DIR Cyber Star Tier 2 checklist, score yourself honestly, and identify your top three gaps. Most vendors discover that PAM deployment, FIDO2 admin MFA, and SIEM with 90-day retention are the three most common gaps. Each is closable within 60-90 days.

For organizations also pursuing CMMC: align the assessments. The same control evidence frequently satisfies both. See our CMMC 2.0 compliance service and Texas defense contractor CMMC preparation guide.

• Austin managed IT — state capitol vendor community
• Houston cybersecurity
• The Woodlands cybersecurity
• Sugar Land cybersecurity