Menu Doing Business with DFPS
- DFPS Contracts
- Contracting Policies
- Contracting Forms
- Contract Performance
- Background Checks
- Funding Opportunities
- Historically Underutilized Business
- Partnering with DFPS
- Cybersecurity Requirements
- IMPACT Job Aids
- Purchased Client Services
- About PCS
- Regional APS Contracts
- Regional CPS Contracts
- Residential Child Care Contracts
- State Office Contracts
- Community-Based Care Contracts
- Reports & Statistics
- Active Contracts
- Children in DFPS Care
- Data Book
- Reports and Presentations
The DFPS Office of Information Security (OIS) takes defending our organization, its data, system, and reputation from cyber criminals seriously as part of the DFPS mission to protect the unprotected. The duty of the DFPS Office of Information Security, as required by state law, is to protect the confidentiality, integrity, availability, and accountability of the Agency’s information technology resources for a safe and secure computing environment.
Working with DFPS
Contractors and partners who work with the Department of Family and Protective Services must adhere to the following cybersecurity requirements:
The DFPS Office of Information Security provides secure means for our partners to report incidents, phishing attempts, malware, and vulnerabilities directly to the Security Team.
What is a Security Incident?
A security incident is any attempted or actual unauthorized access, use, disclosure, modification, or destruction of information. This includes interference with information technology operation and violation of DFPS policy, state laws or regulations.
Examples of security incidents include:
- Computer or information technology (IT) system breach
- Unauthorized access to, or use of, systems, software, or data
- Unauthorized changes to systems, software, or data
- Loss or theft of equipment storing DFPS data
- Denial of service attacks
- Interference with the intended use of IT resources
- Compromised user accounts
What Do We Need from You?
Report actual or suspected security incidents as early as possible so that DFPS can limit the damage and cost of recovery.
Some incidents must be reported to DFPS Office of Information Security within 24-hours of discovery, like incidents that include social security administration data or criminal history data supplied by DFPS.
Include specific details regarding the system breach, vulnerability, or compromise of your information system, and we will respond with a plan for further containment and mitigation.
How Do You Report a Security Incident?
You may report an incident online, by email, or by telephone.
- Online: Complete the security incident formExternal Link
- Email: infosec@dfps.texas.gov
- DFPS Customer Service Center: 1-877-642-4777
Cybersecurity incident notifications will be treated as confidential under Texas Government Code 552.139, Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers.
To mitigate cybersecurity threats and risks in state government contracting, the 86th Legislature passed House Bill 3834, which requires contractors and their subcontractors, officers, or employees who have access to state computer systems or databases to complete cybersecurity training through Department of Information Resources (DIR). Contractors are required to adhere to cybersecurity training requirements for the term of their contract, including any renewal periods, and certify that required personnel and subcontractors have completed the training.
DIR certified cybersecurity training is required when the contractor's personnel and subcontractors have access to any DFPS information systems, networks, or resources.
To obtain a list of DIR certified trainings, visit the DIR WebsiteExternal Link.
Note: DFPS contracted employees who augment fulltime staff will satisfy cybersecurity training requirements through training with the DFPS Office of Information Security.
Certification of Cybersecurity Training
Contractors must complete and submit DFPS Cybersecurity Training CertificationPDF Document (form 4530) to attest that identified personnel and subcontractors who have access to the DFPS systems receive required cybersecurity training within the certification period.
Contractors must maintain documentation that includes:
- Individuals who are required to take the training
- Documentation of the completed training
- Name of the entity who performed the training
- Title of the cybersecurity course
All personnel who access the Vendor's Information Resources must complete cybersecurity awareness training prior to accessing Criminal Justice Information (CJI) within the first week of hire and before accessing DFPS information systems, and thereafter on an annual basis by June 30th of each calendar year. Contractors must submit the DFPS Cybersecurity Training Certification to the contract manager. The certification must be signed by your:
- Contract signatory (or designee) or
- Human resources director
After the DFPS Cybersecurity Training Certification is submitted, contract staff must upload the certification within 30 days of receipt into SCOR using the Cybersecurity Training dropdown option in the document library module.
Cybersecurity training documentation, as listed above, must be reviewed during scheduled administrative contract monitoring activities.
Data & System Security Requirements
All DFPS contracts have the following standard data and system security requirements throughout the duration of the contract:
DFPS Contractor Data and System Security RequirementsPDF Document
Contractors must:
- Comply with the requirements as outlined in the document.
- Periodically check for any updates made to the requirements and comply with any updates.
- Periodically provide evidence of meeting the requirements.
Information Security and Privacy Controls Catalog
The DFPS Information Security and Privacy Controls CatalogPDF Document provides guidance for implementing best practices in security controls. The Catalog includes requirements derived from state authority, including the Texas Department of Information Resources and state legislation, as well as Agency-specific requirements as determined by the Chief Information Security Officer in consideration of the Agency’s environment and security posture.
Center for Internet Security (CIS) Security Controls
The Center for Internet Security (CIS) is one of the top leaders in developing guidelines for protecting people, organizations, and governments from cyber threats in our continually evolving digital environment.
The CIS Controls operate as an overarching framework for individuals, corporations, and governments alike, and are comprised of 18 Critical Security ControlsExternal Link. Much like the NIST Cybersecurity FrameworkExternal Link, CIS critical security controls are based on risk assessment best practices and contain guidelines to provide the appropriate maintenance, monitoring, and analysis required to secure an organization. Having its roots in risk management, the implementation of these controls is scalable for any size organization, by utilizing the respective implementation levels.
For information on CIS Controls and how to easily incorporate them into your business, refer to the DFPS External Partners CIS Security ControlsPDF Document document.
Secure Email
Our job is to protect the unprotected. We use email encryption to protect your personal information and to protect our clients' well-being, safety, and privacy. Secure email is encrypted with the equivalence of an AES-256 key. Each message is signed by the sender to ensure authenticity and data security of the message.
Visit the DFPS Email Encryption page for information on how to read secure messages.
Need help? Contact DFPS Encryption Support.
File Sharing
Do you need to send a file to DFPS staff in a safe and secure manner? Or do you need to send attachments that are too large to send via e-mail?
DFPS uses MOVEitExternal Link to securely transmit files with sensitive data.
MOVEit is a platform that works similarly to other cloud-based file transferring systems, like Google Drive, Dropbox, and Box.com. MOVEit will allow any user to transfer files, regardless of size, to or from DFPS in a secure manner.
Please note that MOVEit is for transferring files and not for long term storage. Files older than 7 days are deleted from the MOVEit server automatically and are not recoverable.
For help with using MOVEit, see the DFPS External User Instructions for MOVEitPDF Document.
Why can’t we use Dropbox or other cloud-based file sharing sites?
MOVEitExternal Link is the approved software for file sharing with DFPS. It is against the DFPS Acceptable Use Agreement (AUA) policy to use any other cloud computing resources or storage unless approved by the Office of Information Security.
Dropbox and other cloud-based file sharing sites have numerous security concerns. These include data leakage, information being stored in foreign countries, and passwords breaches. Sensitive DFPS data, like case records, social security numbers, and criminal history data, must be properly secured.
Penalties for AUA compliance violations can be steep or lead to lawsuits against the Agency. If you have any questions about MOVEit, please send an email directly to the DFPS Office of Information Security.
