
Updated Security Control Standards Catalog

Nick McLarty
Deputy Chief Information Security Officer

The Texas A&M System Security Control Standards Catalog was updated today to incorporate NIST SP 800-53 Release 5.2.0. The update also included a cosmetic change to the catalog generation code to zero-pad control and enhancement numbers, consistent with NIST SP 800-53.

Blocked Countries Control Standard

Nick McLarty
Deputy Chief Information Security Officer

As a result of recent federal and state government requirements and a recommendation from General Counsel, the Texas A&M System has implemented a minimum standard of blocked countries for all publicly accessible system information resources. This standard is reflected in the newly added system required control SC-07(11). The list of blocked countries is published at https://sso.tamus.edu/BlockedCountries.aspx and may be updated as circumstances dictate.

System Regulation 29.01.06

Nick McLarty
Deputy Chief Information Security Officer

System Regulation 29.01.06, released last week, implements what was previously a policy letter from the System CIO to all members addressing covered applications and prohibited technology.

The guidelines page at https://www.cyber.tamus.edu/policy/guidelines/prohibited-technology/ has been updated to reflect these changes. The regulation is also available at https://policies.tamus.edu/29-01-06.pdf.

Updated Incident Notification Guidance

Nick McLarty
Deputy Chief Information Security Officer

Today, TAMUS Cybersecurity released updated incident notification guidance for members to report incidents where the confidentiality, integrity, or availability of a member high-impact information system, or a system processing confidential information, is potentially compromised.

The updated guidance is available at https://www.cyber.tamus.edu/policy/guidelines/incident-notification/.

Public Disclosure Program

Nick McLarty
Deputy Chief Information Security Officer

As part of our implementation of security control standard RA-05(11), Public Disclosure Program, today we implemented a consolidated public reporting system for vulnerabilities of Texas A&M system information resources. Information regarding the program and the vulnerability reporting form is available at https://www.cyber.tamus.edu/vulnerability-disclosure-policy/.

We have also released the first version of a TAMUS standardized security.txt, a file format to aid in security vulnerability disclosure specified by RFC 9116. This file is published at https://www.cyber.tamus.edu/.well-known/security.txt and is also available for members to use on their respective institution websites.

Updated Security Control Standards

Nick McLarty
Deputy Chief Information Security Officer

Today we released a series of administrative changes to the security control standards. Most of these changes moved TAMUS Implementation Statement language into organizationally defined parameters (ODP) within each control. The changes also implement control standards that reflect existing system policy and assign an impact baseline to all TAMUS-required controls.

Updated Covered Applications and Prohibited Technology Plan

Nick McLarty
Deputy Chief Information Security Officer

An updated Covered Applications and Prohibited Technology Plan, as required by Texas DIR and Texas DPS, was issued today. The updated plan incorporates the requirements of Texas Government Code Chapter 620 and revises the plan's language throughout.

The revised plan is available at https://www.cyber.tamus.edu/policy/guidelines/prohibited-technology/.