CMMC Level 2
Nov 10, 2026 — Hard Enforcement
Hard Cutoff
What's Required
DoD defense primes and subs bidding contracts above $10M must have a certified C3PAO third-party assessment or an approved SPRS self-assessment score on file. NIST SP 800-171 Rev 2/3 — all 110 practices. No assessment = no contract.
Who's Affected
1,800+ Texas defense subcontractors in the DFW/San Antonio corridor. Any entity handling Controlled Unclassified Information (CUI) in the DoD supply chain.
Penalty Exposure
Contract ineligibility · False Claims Act exposure (treble damages) · SPRS score publication
How CoreRecon Closes the Gap
- SPRS self-assessment scoring across all 110 NIST 800-171 practices
- Remediation roadmap tied to each failing practice
- Continuous CUI boundary monitoring and access control evidence
- SSP and POAM documentation for C3PAO assessment readiness
CJIS Security Policy v6.0
Oct 1, 2027 — Full Audit Enforcement
Hard Cutoff
What's Required
FBI CJIS Security Policy v6.0 auditing is live (Oct 2025). Full enforcement deadline is Oct 1, 2027. All 13 CJIS security policy areas — including MFA, encryption, advanced authentication, and incident response — must be documented and operational.
Who's Affected
Every Texas municipality, county, and law enforcement agency with NCIC access. 1,400+ entities on the FBI audit schedule. Wave 1 and 2 outreach lists already active.
Penalty Exposure
Loss of NCIC/CJIS database access · Federal funding risk · Public exposure of audit findings
How CoreRecon Closes the Gap
- Pre-audit gap assessment across all 13 CJIS policy areas
- MFA enrollment and advanced authentication evidence collection
- 24/7 SOC monitoring with CJIS-mapped alert thresholds
- Incident response plan and documented tabletop exercises
TSA Pipeline SD 2021-02C
Ongoing — Enforcement Active
Ongoing
What's Required
Critical pipeline operators must: report cybersecurity incidents to CISA within 24 hours, maintain a Cybersecurity Incident Response Plan (CIRP), implement network segmentation between OT/IT environments, and conduct an annual architecture review.
Who's Affected
Texas natural gas and hazardous liquid pipeline owners and operators. Texas accounts for 28% of U.S. natural gas production — the densest pipeline network in the country.
Penalty Exposure
Up to $11,904/day per violation · TSA emergency orders · CISA incident escalation
How CoreRecon Closes the Gap
- OT/IT segmentation monitoring and access control enforcement
- 24-hour CISA incident reporting workflow and documentation
- Annual architecture review and CIRP authoring support
- ICS/SCADA-aware threat detection and anomaly alerting
Texas HB 300
60-Day PHI Breach Notification SLA
Ongoing
What's Required
Texas HB 300 requires any covered entity handling PHI to notify affected individuals within 60 days of discovering a breach. Broader than HIPAA — applies to any entity that receives, collects, uses, or processes PHI in Texas, regardless of size or federal applicability.
Who's Affected
Texas healthcare providers, insurers, business associates, and any organization handling patient health information. Includes vendors, billing companies, and third-party processors.
Penalty Exposure
Up to $1.5M per violation category per year · Texas AG civil enforcement · OCR parallel investigation
How CoreRecon Closes the Gap
- Breach detection with automated 60-day notification clock trigger
- HIPAA Security Rule safeguard mapping across all 18 standards
- PHI access logging, monitoring, and unauthorized access alerting
- Incident documentation package for AG and OCR response
NCUA Part 748 + GLBA Safeguards
72-Hr Incident Notice · Annual Program Review
Annual
What's Required
Federally insured credit unions must notify the NCUA of any reportable cyber incident within 72 hours of discovery. The GLBA Safeguards Rule requires an annual written information security program review, including vendor oversight and employee training documentation.
Who's Affected
All NCUA-insured credit unions — 500+ in Texas. GLBA applies to any financial institution including credit unions, community banks, and mortgage companies that receive personal financial information.
Penalty Exposure
Civil money penalties up to $25K/day · NCUA enforcement orders · FTC Safeguards Rule concurrent action
How CoreRecon Closes the Gap
- 72-hour cyber incident detection and NCUA notification workflow
- Annual GLBA information security program documentation and review
- Vendor risk assessment program and third-party access monitoring
- Employee security training records and phishing simulation program
FFIEC CAT
Recommended Annual Reassessment
Annual
What's Required
The FFIEC Cybersecurity Assessment Tool is a voluntary but examiner-expected annual maturity reassessment. Examiners reference CAT scores during safety-and-soundness exams. A stale or declining CAT score triggers deeper examiner scrutiny and potential enforcement referrals.
Who's Affected
Texas credit unions, community banks, and financial institutions subject to FFIEC examinations — including NCUA, OCC, FDIC, and state-chartered institutions under Texas Department of Banking oversight.
Penalty Exposure
Examiner-flagged deficiencies · Mandatory improvement plans · Increased examination frequency
How CoreRecon Closes the Gap
- Annual FFIEC CAT self-assessment facilitation and scoring
- Maturity gap analysis with prioritized remediation roadmap
- Continuous monitoring evidence mapped to CAT domain controls
- Examiner-ready documentation and board reporting package
ABA Rule 1.6(c) + TX Ethics Op. 712
Ongoing — Competence & Reasonable Safeguards
Ongoing
What's Required
ABA Model Rule 1.6(c) requires lawyers to make reasonable efforts to prevent inadvertent or unauthorized disclosure of client information. Texas Ethics Opinion 712 requires law firms to implement reasonable security safeguards, document them, conduct regular training, and maintain an incident response capability.
Who's Affected
All Texas law firms — from solo practitioners to AmLaw 200. Any attorney handling client confidential information, which is every practicing attorney in Texas.
Penalty Exposure
State Bar disciplinary action · Malpractice liability · Client notification obligations · Reputational damage
How CoreRecon Closes the Gap
- Reasonable safeguards documentation mapped to Ethics Op. 712 §4.1–4.6
- Breach detection and 60-day client notification workflow
- Annual security training records and phishing simulation program
- IR plan authoring, tabletop facilitation, and legal hold procedures
FTC Safeguards Rule (16 CFR §314)
Ongoing — Enforcement Active Since June 2023
Ongoing
What's Required
The expanded FTC Safeguards Rule classifies tax preparers and CPA firms as "financial institutions." Requirements: designate a Qualified Individual (QI), conduct a written risk assessment, implement MFA on all systems with customer financial data, encrypt data at rest/in transit, maintain a written incident response plan, and provide annual board-level security reporting. Enforcement began June 9, 2023.
Who's Affected
Every tax preparer, CPA firm, enrolled agent, and bookkeeper in Texas that receives consumer financial information (tax return data, W-2s, SSNs). Estimated 45,000+ Texas tax professionals now subject to the Safeguards Rule.
Penalty Exposure
FTC civil penalties up to $50,120/violation · Mandatory corrective action · Breach notification obligations · Reputational damage
How CoreRecon Closes the Gap
- Qualified Individual (QI) designation documentation and program governance
- Written risk assessment and annual review cadence
- MFA enforcement and encryption posture assessment across all client data systems
- Incident response plan authoring and 30-day FTC breach notification workflow
IRS Written Information Security Plan (WISP)
Ongoing — Required for Every PTIN Holder
Ongoing
What's Required
IRS Publication 5708 requires every tax preparer with a PTIN to create and maintain a firm-specific Written Information Security Plan. The WISP must document data protection procedures, designate a security coordinator, require an annual risk assessment, mandate employee security training, and include an incident response procedure. A generic downloaded template does not satisfy the requirement.
Who's Affected
Every tax preparer holding an IRS Preparer Tax Identification Number (PTIN) — including sole practitioners, CPA firms, enrolled agents, AFSP participants, and tax preparation chains. Over 800,000 active PTINs nationally; 40,000+ in Texas.
Penalty Exposure
IRS civil penalties · PTIN suspension or revocation · Audit trigger for tax professional practices · Concurrent FTC Safeguards enforcement
How CoreRecon Closes the Gap
- Firm-specific WISP authoring (not a template — tailored to your systems and data)
- Annual WISP review and update cadence with risk assessment documentation
- Security coordinator designation support and employee training records
- Incident response procedure that satisfies both IRS and FTC Safeguards requirements