Three professionals reviewing Texas Administrative Code compliance framework diagram on glass wall

Most Texas business owners have never heard of TAC 202. That’s not their fault. It’s a state rule that lives inside the Texas Administrative Code, and unless your IT company brought it up, there’s no reason it would have crossed your desk. But if your business relies on any state agency or handles data covered by Texas government contracts, TAC 202 is worth understanding. And even if you don’t, the security controls it requires are the same ones that protect any business from ransomware, data theft, and outages.

Here’s what TAC 202 actually requires, who it applies to, and what implementing it looks like in practice.

What TAC 202 is

Title 1, Part 10, Chapter 202 of the Texas Administrative Code sets the minimum information security standards for state agencies and institutions of higher education. The Texas Department of Information Resources (DIR) has maintained it since its adoption. The rule defines how these organizations must protect their information systems and the data they handle, and it extends to vendors and contractors who connect to state networks or process state data.

The chapter is organized into three subchapters:

  • Subchapter A: Definitions
  • Subchapter B: Information Security Standards for State Agencies
  • Subchapter C: Information Security Standards for Institutions of Higher Education

The agency rules and the higher education rules mirror each other almost section for section. If your business provides IT services, software, or data services to a Texas state agency or a public university, you may be contractually required to meet TAC 202 standards, or your client may be required to ensure you do.

Texas DIR, the Texas Cyber Command, and TAC 202
The Texas Department of Information Resources (DIR) publishes TAC 202, the Security Controls Standards Catalog, and the Texas Cybersecurity Framework. House Bill 150, passed in 2025, moved DIR’s cybersecurity functions to the new Texas Cyber Command, so oversight is in transition and you will see both names in state guidance for a while. DIR also certifies the training programs required under Texas Government Code §§ 2054.5191 and 2054.5193.

Who actually needs to care about it

TAC 202 directly governs state agencies and higher ed institutions. But its reach extends further through vendor agreements. If you fall into any of these categories, you should understand what TAC 202 requires:

  • IT vendors or MSPs contracted to state agencies or public universities
  • Software or SaaS providers whose systems connect to state networks
  • Businesses that process, store, or transmit data on behalf of a state entity
  • Texas county appraisal districts, which are local governments with their own state training mandates and which commonly hold vendors to TAC 202-aligned standards
  • Any contractor that handles sensitive government data under a DIR contract

For Central Texas businesses along the I-35 corridor, this applies more than you might think. If your company does any work with Hays County, Travis County, or a state-affiliated organization such as a community college or a regional water authority, TAC 202 compliance may be part of the deal.

What TAC 202 actually requires

The rule requires covered organizations to use DIR’s Security Controls Standards Catalog, which is built on NIST SP 800-53 Revision 5. The core requirements fall into several areas:

  • Information security program: A documented, maintained security program with a designated Information Security Officer
  • Risk assessment: Regular identification and evaluation of threats to your systems and data
  • Access controls: Multi-factor authentication, least-privilege access, and controls on who can reach what data
  • Incident response plan: A written, tested plan for what happens when a breach or ransomware attack occurs
  • Security awareness training: Annual training for all staff who handle covered systems or data
  • Vulnerability management: Regular patching and scanning for known weaknesses
  • Data classification: Understanding which data is sensitive and handling it accordingly
  • Third-party risk management: Vetting vendors who access your systems

None of these are exotic. They’re the same controls that protect a healthcare practice, a law firm, or a financial services company. The difference is that TAC 202 makes them a legal requirement for covered entities and a practical requirement for anyone who wants to stay on the vendor list.

TAC 202 and Texas appraisal districts

County appraisal districts are political subdivisions created under the Texas Property Tax Code. They are local governments, not state agencies, so TAC 202 does not bind them directly. What does apply: every CAD employee who works on a computer must complete a state-certified cybersecurity training program each year under Texas Government Code § 2054.5191, and HB 3512 added a certified AI training requirement under § 2054.5193, effective September 1, 2025.

Beyond training, most districts adopt TAC 202 and the DIR control catalog as their benchmark anyway. It is the standard auditors, cyber insurers, and vendor contracts point to, and after multiple Texas appraisal districts were hit by ransomware since 2022, most boards want the state standard rather than an approximation of it. That is why CAD IT vendors need to understand TAC 202 requirements instead of applying generic managed IT service. safemode IT works directly with Texas appraisal districts and builds cybersecurity programs that meet the state standard, not just approximate it.

The connection to Texas SB 2610

Texas SB 2610, effective September 1, 2025, created a cybersecurity safe harbor for small businesses. If your business has fewer than 250 employees and implements a recognized cybersecurity framework, such as the NIST Cybersecurity Framework or the CIS Controls, you gain protection from punitive damages in a data breach lawsuit. Actual damages and regulatory penalties still apply, so it is a shield, not immunity. The program must be documented and in place before a breach occurs.

TAC 202 and SB 2610 point at the same underlying controls. A business that implements TAC 202-aligned security gets the benefit of both: vendor qualification for state work and the SB 2610 safe harbor. It is the same work, done once, satisfying more than one compliance requirement.

TAC 202
Texas security standard for state agencies, higher ed, and their vendors
SB 2610
Texas safe harbor law for businesses under 250 employees, eff. Sept 1, 2025
NIST 800-53
The federal control catalog TAC 202 is built on, and a recognized SB 2610 framework

What implementation actually looks like

Getting to TAC 202 compliance isn’t a one-day project, but it’s also not the years-long slog that some compliance consultants make it sound like. For a small or mid-sized business, a realistic implementation looks like this:

  • Week 1-2: Gap assessment. Review your current security posture against TAC 202 requirements, document what exists and what’s missing
  • Week 3-6: Remediation. Implement missing controls: MFA, endpoint protection, documented incident response plan, backup verification
  • Month 2: Documentation. Write and finalize your information security policy, risk assessment, and data classification policy
  • Month 3: Training and testing. Complete security awareness training for all staff, test your incident response plan with a tabletop exercise
  • Ongoing: Quarterly reviews, annual reassessments, and continuous monitoring

The documentation piece trips most businesses up. TAC 202 is not satisfied by having good security alone. It requires evidence that you have good security. Your policies need to exist in writing, be dated, and be reviewed on schedule.

If your business works with Texas state agencies, appraisal districts, or public institutions, or you just want the SB 2610 safe harbor, safemode IT can assess where you stand and build a TAC 202-aligned program. No pressure, no obligation.

Get a free assessment

Does TAC 202 apply to my business if I’m not a state agency?

It depends on your contracts. TAC 202 directly governs state agencies and public universities, but if you’re contracted to provide IT services, software, or data processing to those entities, your contract will typically require you to meet equivalent standards. Vendors to county appraisal districts usually face the same expectation, because most districts hold their vendors to TAC 202-aligned standards even though the rule doesn’t bind the districts directly.

How long does TAC 202 compliance take to implement?

For a small business starting from a reasonable security baseline, 60-90 days is realistic. The technical controls (MFA, endpoint protection, backups) can be in place within 2-4 weeks. Documentation and policy writing takes longer. The first annual training cycle starts the clock on ongoing compliance.

What’s the relationship between TAC 202 and NIST?

TAC 202 requires covered organizations to use DIR’s Security Controls Standards Catalog, and that catalog is built on NIST SP 800-53 Revision 5. DIR separately publishes the Texas Cybersecurity Framework, which aligns with the NIST Cybersecurity Framework. If you already run NIST-aligned controls, you’ve done most of the technical work. What TAC 202 adds is the documentation: written policies, a named security officer, and evidence reviewed on a schedule.

Does TAC 202 compliance satisfy Texas SB 2610?

Largely, yes. SB 2610 recognizes frameworks including the NIST Cybersecurity Framework, NIST SP 800-53, CIS Controls, and the ISO 27000 series, plus similar industry standards. TAC 202’s control catalog is built on NIST SP 800-53, so a documented TAC 202-aligned program rests on a recognized framework. Keep in mind the safe harbor only shields you from punitive damages, and only if the program was documented and in place before the breach.

Does safemode IT handle TAC 202 compliance for businesses in Kyle, San Marcos, and Bastrop?

Yes. safemode IT builds and maintains TAC 202-aligned cybersecurity programs for businesses throughout Hays County and Central Texas, including Kyle, San Marcos, and Bastrop. We also work directly with Texas county appraisal districts. Learn more about our cybersecurity services or contact us to start with a free assessment.