At last the new TAC 202 has been adopted and is in effect for the State of Texas! With it, cybersecurity policies, standards and practices are closely aligned to the NIST 800-53 standards, which allows us to benchmark ourselves against real-world standards that other industries use. It also lets us speak a common language when we’re attempting to describe how we do cybersecurity at A&M. It is also important to note that it aligns very nicely with the Federal Information Security Management Act (FISMA) of 2002. This helps us know whether we’re compliant (or not) with certain Federal requirements for cybersecurity, even if they don’t actually apply to us. Since we’re becoming a research-heavy institution and working with federal agencies, this is an important distinction. Many federal agencies want to know that the universities they are dealing with have addressed cybersecurity and are contractually in compliance with these standards.
To understand how the change occurred and what changed, start here. Once you understand TAC 202 and what it does, consider the controls that are tied to TAC 202, how they impact your organization and how you should implement them. Again, they are closely tied to FISMA and NIST standards and are not overly burdensome in most cases. To see the controls related to the new TAC 202, click here. If you are really curious about how these controls map or compare to other control standards, including the old TAC 202, click here.