Nick McLarty

The Texas A&M University System is aware of a cybersecurity incident affecting Instructure, the company that operates Canvas — the learning management system used across our member universities. This incident was not directed at the Texas A&M University System or any of our institutions. Instructure serves thousands of institutions worldwide, and this is a vendor-level event that may affect multiple institutions globally.

System Regulation 29.01.03, Information Security, has been renumbered to align with the recently released System Policy 29.02.

Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) distills the FBI’s 10 most impactful actions organizations can take to improve resilience against cyber intrusions. These recommendations were developed with domestic and international partners and draw on recent investigations to reflect adversary behavior and defensive gaps.

Below are the FBI's recommended actions along with enhanced commentary or guidance from Texas A&M System Cybersecurity for members to implement the recommended actions.

The new System Policy 29.02, Information Security, was released today.

In accordance with Governor Greg Abbott’s directive to block access to prohibited technologies and their affiliated companies from state networks, the DIR Cybersecurity Operations team researched the prohibited technologies to identify their internet assets and compiled a list of IP addresses, IP CIDRs, and domain names that should be blocked. The resulting list included 96,251 hostnames from 399 domains.

There has been recent interest from members on a "how to get started" roadmap for securing operational technology (OT) at the institutional level. We are assembling a more formalized set of recommendations, but in the interim, courtesy of NotebookLM, I offer...

DIR has added seven new security control standards in version 2.2 of their security control standards catalog. These have been incorporated into the A&M System Security Control Standards Catalog, published at https://www.cyber.tamus.edu/catalog/. All controls have a required implementation date of February 28, 2027, and are listed below:

We have added a new section to the Cybersecurity website to serve as a central landing place for all information relating to identity security.

The page is available at https://www.cyber.tamus.edu/identity/.

The Texas A&M System Security Control Standards Catalog was updated today to incorporate NIST SP 800-53 Release 5.2.0. The update also included a cosmetic change to the catalog generation code to zero-pad control and enhancement numbers, consistent with NIST SP 800-53.

Effective immediately, the Texas A&M System is updating its guidance on multi-factor authentication (MFA) to enhance security across all system members.

The guidance is published at https://www.cyber.tamus.edu/restricted/guidelines/mfa.