
Compliance Calendar

The following is a recommended annual cycle of compliance activities, ordered so that the results of each activity support those that follow. The activities in red are deadlines required by State of Texas or A&M System policy; the others are suggested.

Months | Compliance Activity | Remarks
Sep – Nov
Cybersecurity Framework Assessment
Program performance and gap identification
  • Answers the question of how your institutional information security program is performing.
  • Identifies gaps requiring treatment to sustain your information security program.
Oct – Dec
Risk Assessment
Risk identification across information resources
  • Identifies risks to institutional information resources.
  • The cycle of assessing information resources varies. See Security Control Standard RA-03(f) for the required interval.
Oct – Dec, at least biennially
Controls Assessment
Effectiveness testing of selected controls
  • Assesses the effectiveness of selected controls in protecting institutional information resources from threats identified in the risk assessment.
  • Identifies gaps requiring additional controls (people, processes, tools) to secure institutional information resources.
Dec 31
Annual Information Security Report
Executive reporting (agency head / university president)
  • Reports to your agency head/university president on the status of your information security program.
  • Provides an opportunity to request resources or funding to mitigate gaps in the information security program.
Jan – Mar
Budget Cycle
Funding and resourcing for the program
  • Secures resources and funding to sustain the information security program.
May 31, even-numbered years
Biennial Information Security Plan
State reporting and risk roadmap acknowledgement
  • Reports to the State of Texas on the effectiveness of Texas Cybersecurity Framework control objectives.
  • Documents the roadmap for approved risk treatments or challenges to implementation, and the acknowledgement of risks to the organization by executive leadership.
Jun – Aug
Policy and Control Updates
Refresh controls based on the year’s findings
  • Revises rules, procedures, and controls based on newly identified risks or treatments implemented during the year.

Operational tip

Treat the assessment windows as minimums. If a major system change, incident, or audit finding occurs, pull the relevant activity forward.