Shaded box denotes a new requirement since the last release.
| Control | Texas DIR Required By | TAMUS Required By |
|---|
Access Control (AC) |
| AC-1 Policy and Procedures | 2023-07-20 | |
| AC-2 Account Management | 2023-07-20 | |
| AC-2(3) Disable Accounts | 2024-11-18 | |
| AC-2(7) Privileged User Accounts | | 2022-08-01 |
| AC-3 Access Enforcement | 2023-01-20 | |
| AC-3(7) Role-based Access Control | | 2022-08-01 |
| AC-5 Separation of Duties | 2023-07-20 | |
| AC-6 Least Privilege | 2023-07-20 | |
| AC-7 Unsuccessful Logon Attempts | 2023-07-20 | |
| AC-8 System Use Notification | 2023-01-20 | 2022-08-01 |
| AC-11 Device Lock | | 2024-02-01 |
| AC-14 Permitted Actions Without Identification or Authentication | 2023-01-20 | |
| AC-17 Remote Access | 2023-07-20 | |
| AC-18 Wireless Access | 2023-07-20 | |
| AC-19 Access Control for Mobile Devices | 2023-07-20 | 2022-12-19 |
| AC-20 Use of External Systems | 2023-07-20 | |
| AC-22 Publicly Accessible Content | 2023-01-20 | |
Awareness and Training (AT) |
| AT-1 Policy and Procedures | 2023-07-20 | |
| AT-2 Literacy Training and Awareness | 2023-07-20 | |
| AT-2(2) Insider Threat | 2024-11-18 | |
| AT-3 Role-based Training | 2023-07-20 | |
| AT-4 Training Records | 2023-07-20 | |
Audit and Accountability (AU) |
| AU-1 Policy and Procedures | 2023-07-20 | |
| AU-2 Event Logging | 2023-07-20 | |
| AU-3 Content of Audit Records | 2023-01-20 | |
| AU-4 Audit Log Storage Capacity | 2023-07-20 | |
| AU-5 Response to Audit Logging Process Failures | 2023-07-20 | |
| AU-6 Audit Record Review, Analysis, and Reporting | 2023-07-20 | |
| AU-8 Time Stamps | 2023-07-20 | |
| AU-9 Protection of Audit Information | 2023-07-20 | |
| AU-11 Audit Record Retention | 2023-07-20 | |
| AU-12 Audit Record Generation | 2023-07-20 | |
Assessment, Authorization, and Monitoring (CA) |
| CA-1 Policy and Procedures | 2023-07-20 | |
| CA-2 Control Assessments | 2023-07-20 | |
| CA-3 Information Exchange | 2023-07-20 | |
| CA-5 Plan of Action and Milestones | 2023-01-20 | |
| CA-6 Authorization | 2023-07-20 | |
| CA-7 Continuous Monitoring | 2023-07-20 | |
| CA-7(4) Risk Monitoring | 2023-07-20 | |
| CA-8 Penetration Testing | 2023-07-20 | |
| CA-9 Internal System Connections | 2023-07-20 | |
Configuration Management (CM) |
| CM-1 Policy and Procedures | 2023-07-20 | |
| CM-2 Baseline Configuration | 2023-07-20 | |
| CM-3 Configuration Change Control | 2024-11-18 | 2022-08-01 |
| CM-3(2) Testing, Validation, and Documentation of Changes | | 2022-08-01 |
| CM-4 Impact Analyses | 2023-07-20 | |
| CM-5 Access Restrictions for Change | 2023-07-20 | |
| CM-6 Configuration Settings | 2023-07-20 | 2022-08-01 |
| CM-7 Least Functionality | 2023-07-20 | |
| CM-8 System Component Inventory | 2023-07-20 | |
| CM-10 Software Usage Restrictions | 2023-01-20 | 2022-08-01 |
| CM-11 User-installed Software | 2023-01-20 | 2024-02-01 |
Contingency Planning (CP) |
| CP-1 Policy and Procedures | 2023-07-20 | |
| CP-2 Contingency Plan | 2023-07-20 | |
| CP-2(1) Coordinate with Related Plans | | 2022-08-01 |
| CP-3 Contingency Training | 2023-07-20 | |
| CP-4 Contingency Plan Testing | 2023-01-20 | 2022-08-01 |
| CP-4(1) Coordinate with Related Plans | | 2022-08-01 |
| CP-6 Alternate Storage Site | 2023-01-20 | |
| CP-8 Telecommunications Services | 2024-11-18 | |
| CP-9 System Backup | 2023-07-20 | |
| CP-9(3) Separate Storage for Critical Information | | 2022-08-01 |
| CP-10 System Recovery and Reconstitution | 2023-07-20 | |
| CP-11 Alternate Communications Protocols | 2023-07-20 | |
Identification and Authentication (IA) |
| IA-1 Policy and Procedures | 2023-07-20 | |
| IA-2 Identification and Authentication (Organizational Users) | 2023-01-20 | |
| IA-2(1) Multi-factor Authentication to Privileged Accounts | 2024-11-18 | 2021-09-13 |
| IA-2(2) Multi-factor Authentication to Non-privileged Accounts | 2023-07-20 | |
| IA-4 Identifier Management | 2023-07-20 | |
| IA-5 Authenticator Management | 2023-07-20 | |
| IA-5(1) Password-based Authentication | 2024-11-18 | |
| IA-6 Authentication Feedback | 2023-01-20 | |
| IA-7 Cryptographic Module Authentication | 2023-01-20 | |
| IA-8 Identification and Authentication (Non-organizational Users) | 2023-01-20 | |
| IA-11 Re-authentication | 2023-07-20 | 2022-08-01 |
| IA-12 Identity Proofing | | 2022-08-01 |
Incident Response (IR) |
| IR-1 Policy and Procedures | 2023-07-20 | |
| IR-2 Incident Response Training | 2023-07-20 | |
| IR-3 Incident Response Testing | 2023-07-20 | |
| IR-4 Incident Handling | 2023-07-20 | |
| IR-5 Incident Monitoring | 2023-07-20 | |
| IR-6 Incident Reporting | 2023-07-20 | 2022-08-01 |
| IR-7 Incident Response Assistance | 2023-07-20 | |
| IR-8 Incident Response Plan | 2023-07-20 | |
| IR-9 Information Spillage Response | 2023-07-20 | |
Maintenance (MA) |
| MA-1 Policy and Procedures | 2023-07-20 | |
| MA-2 Controlled Maintenance | 2023-07-20 | |
| MA-4 Nonlocal Maintenance | 2023-07-20 | |
| MA-5 Maintenance Personnel | 2023-01-20 | |
Media Protection (MP) |
| MP-1 Policy and Procedures | 2023-07-20 | |
| MP-2 Media Access | 2023-01-20 | |
| MP-3 Media Marking | | 2022-08-01 |
| MP-6 Media Sanitization | 2023-07-20 | |
| MP-6(1) Review, Approve, Track, Document, and Verify | 2024-11-18 | |
| MP-7 Media Use | 2023-07-20 | |
Physical and Environmental Protection (PE) |
| PE-1 Policy and Procedures | 2023-07-20 | |
| PE-2 Physical Access Authorizations | 2023-01-20 | |
| PE-3 Physical Access Control | 2023-07-20 | |
| PE-6 Monitoring Physical Access | 2023-01-20 | |
| PE-6(3) Video Surveillance | | 2022-08-01 |
| PE-8 Visitor Access Records | 2023-07-20 | |
| PE-12 Emergency Lighting | 2023-01-20 | |
| PE-13 Fire Protection | 2023-01-20 | |
| PE-14 Environmental Controls | 2023-07-20 | |
| PE-15 Water Damage Protection | 2023-01-20 | |
| PE-16 Delivery and Removal | 2023-07-20 | |
| PE-17 Alternate Work Site | 2023-07-20 | |
| PE-18 Location of System Components | | 2021-09-13 |
Planning (PL) |
| PL-1 Policy and Procedures | 2023-07-20 | |
| PL-2 System Security and Privacy Plans | 2023-07-20 | |
| PL-4 Rules of Behavior | 2023-07-20 | 2022-08-01 |
| PL-4(1) Social Media and External Site/Application Usage Restrictions | 2024-11-18 | |
| PL-10 Baseline Selection | 2024-11-18 | |
| PL-11 Baseline Tailoring | 2024-11-18 | |
Program Management (PM) |
| PM-1 Information Security Program Plan | 2023-07-20 | |
| PM-2 Information Security Program Leadership Role | 2023-07-20 | |
| PM-3 Information Security and Privacy Resources | 2023-07-20 | |
| PM-4 Plan of Action and Milestones Process | 2023-07-20 | |
| PM-5 System Inventory | 2023-07-20 | 2022-08-01 |
| PM-6 Measures of Performance | 2023-07-20 | |
| PM-7 Enterprise Architecture | 2023-07-20 | |
| PM-9 Risk Management Strategy | 2023-07-20 | |
| PM-10 Authorization Process | 2023-07-20 | |
| PM-14 Testing, Training, and Monitoring | 2023-07-20 | 2022-08-01 |
| PM-15 Security and Privacy Groups and Associations | 2023-07-20 | |
| PM-16 Threat Awareness Program | 2023-07-20 | |
Personnel Security (PS) |
| PS-1 Policy and Procedures | 2023-07-20 | |
| PS-2 Position Risk Designation | 2023-01-20 | |
| PS-3 Personnel Screening | 2023-01-20 | |
| PS-4 Personnel Termination | 2023-07-20 | |
| PS-5 Personnel Transfer | 2023-01-20 | |
| PS-6 Access Agreements | 2023-01-20 | |
| PS-7 External Personnel Security | 2023-01-20 | |
| PS-8 Personnel Sanctions | 2023-01-20 | |
| PS-9 Position Descriptions | 2024-11-18 | |
Personally Identifiable Information Processing and Transparency (PT) |
| PT-3 Personally Identifiable Information Processing Purposes | | 2022-08-01 |
Risk Assessment (RA) |
| RA-1 Policy and Procedures | 2023-07-20 | |
| RA-2 Security Categorization | 2023-07-20 | 2022-08-01 |
| RA-3 Risk Assessment | 2023-07-20 | |
| RA-3(1) Supply Chain Risk Assessment | 2023-07-20 | |
| RA-5 Vulnerability Monitoring and Scanning | 2023-07-20 | |
| RA-5(2) Update Vulnerabilities to Be Scanned | 2024-11-18 | |
| RA-5(11) Public Disclosure Program | 2024-11-18 | |
| RA-7 Risk Response | 2023-07-20 | |
System and Services Acquisition (SA) |
| SA-1 Policy and Procedures | 2023-07-20 | |
| SA-2 Allocation of Resources | 2023-07-20 | |
| SA-3 System Development Life Cycle | 2023-07-20 | 2022-08-01 |
| SA-4 Acquisition Process | 2023-07-20 | 2022-08-01 |
| SA-5 System Documentation | 2023-07-20 | |
| SA-8 Security and Privacy Engineering Principles | 2023-07-20 | |
| SA-9 External System Services | 2023-07-20 | |
| SA-10 Developer Configuration Management | 2023-07-20 | |
| SA-11 Developer Testing and Evaluation | 2023-07-20 | |
| SA-22 Unsupported System Components | 2023-07-20 | |
System and Communications Protection (SC) |
| SC-1 Policy and Procedures | 2023-07-20 | |
| SC-5 Denial-of-service Protection | 2023-07-20 | |
| SC-7 Boundary Protection | 2023-07-20 | |
| SC-8 Transmission Confidentiality and Integrity | 2023-01-20 | |
| SC-12 Cryptographic Key Establishment and Management | 2023-01-20 | |
| SC-13 Cryptographic Protection | 2023-07-20 | |
| SC-15 Collaborative Computing Devices and Applications | 2023-07-20 | |
| SC-20 Secure Name/Address Resolution Service (Authoritative Source) | 2023-01-20 | |
| SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) | 2023-01-20 | |
| SC-22 Architecture and Provisioning for Name/Address Resolution Service | 2023-01-20 | |
| SC-39 Process Isolation | 2023-01-20 | |
System and Information Integrity (SI) |
| SI-1 Policy and Procedures | 2023-07-20 | |
| SI-2 Flaw Remediation | 2023-01-20 | |
| SI-3 Malicious Code Protection | 2023-07-20 | |
| SI-4 System Monitoring | 2023-07-20 | 2022-08-01 |
| SI-5 Security Alerts, Advisories, and Directives | 2023-01-20 | |
| SI-10 Information Input Validation | 2023-07-20 | |
| SI-12 Information Management and Retention | 2023-07-20 | |
Supply Chain Risk Management (SR) |
| SR-1 Policy and Procedures | 2023-07-20 | |
| SR-2 Supply Chain Risk Management Plan | 2023-07-20 | |
| SR-3 Supply Chain Controls and Processes | 2023-07-20 | |
| SR-5 Acquisition Strategies, Tools, and Methods | 2023-07-20 | |
| SR-8 Notification Agreements | 2023-07-20 | |
| SR-12 Component Disposal | 2023-07-20 | |
