“What’s New” for Security

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required)
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 15.

If you have questions, email ssa.security@cpa.texas.gov.

State agencies and institutions of higher education sometimes send documents with confidential information to Fiscal Management.

An unencrypted email is not a secure transmission. Agencies must send confidential information in an encrypted email or as an encrypted email attachment as prescribed by your agency’s information security policy.

See Confidential Information Must Be Encrypted Before Emailing to Fiscal Management (FPP D.004) for details.

Fiscal Management urges all agencies to review and further strengthen internal processes and procedures for requesting system or security changes. To avoid security threats, it is best to validate requests by a method other than email.

In the past, hackers harvested credentials such as user IDs, passwords, email addresses, etc., then used the credentials to access systems and gather data or other sensitive information.

Now, hackers target the credential with the most transparency — email addresses. They hijack an email account, change the password, then use the email address to request the agency to provide sensitive information or make detrimental changes to the user’s profile, such as changing direct deposit instructions.

This is what makes these hacks so dangerous. Everything about the email appears legitimate, because it is. Since the email account is compromised, the traditional strategy of training users to identify illegitimate email will not work. Only a second level of validation will ensure the instructions received were from the intended user.

See Fraud Prevention Recommendations for more tips, or contact your agency’s information security office for more information and/or to discuss and implement security improvements for your agency.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the attestation form (73-326) to the Comptroller’s office by Nov. 3.

Email mailto:ssa.security@cpa.texas.gov with any questions.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).

• Complete and return the Attestation form (73-326) to the Comptroller’s office by Nov. 3.

Email ssa.security@cpa.texas.gov with any questions.

If you already completed our Fiscal Management customer service survey, thank you!

If you haven't had a chance to take our online survey, it will be available until the close of business Friday, Sept. 29.

We appreciate your feedback.

If you have any questions about the survey, email us at fiscal.documentation@cpa.texas.gov.

How well are we meeting your customer service expectations?

Please let us know by completing the online survey by Friday, Sept. 29. We appreciate your feedback.

Email us at fiscal.documentation@cpa.texas.gov with any questions.

Check the Forms page on FMX to ensure you use the current version. Previously downloaded forms might be outdated. The top of every FMX page has a link to the Forms page.

Topic pages (such as Appropriations and Payment Services link to their specific forms on the Forms page.

Note: Payment Services forms on FMX are secured and require login to prevent unauthorized users from accessing them and submitting them to state agencies. If it is necessary to maintain any of these forms on your agency’s website, ensure the forms require login and are the most current version.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 15.

If you have questions, email ssa.security@cpa.texas.gov.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 15.

If you have questions, email ssa.security@cpa.texas.gov.

Multifactor authentication (MFA) is one of the best practices an agency can use to prevent unauthorized access to its data, devices and networks. MFA requires users to present multiple pieces of information that must be validated by the system before the user can access the system.

It is essential that agencies implement strong password policies to enhance the protection of MFA. However, MFA for CAPPS is only as effective as the surrounding controls that each agency implements. It remains each agency’s responsibility to secure the entire infrastructure supporting the MFA factors (e.g., agency email accounts and voice call). If any of the systems supporting MFA are compromised, it could lead to account takeover.

Check the Forms page on FMX before submitting a form to ensure you submit the current version. Previously downloaded forms or stored links might be outdated.

The top of every FMX page has a link to the Forms page.

Topic pages (such as Appropriations or Payment Services) link to their specific forms on the Forms page.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by Nov. 4.

Email ssa.security@cpa.texas.gov with any questions.

How well are we meeting your customer service expectations?

Please let us know by completing the online survey by Friday, Sept. 30. We appreciate your feedback.

Email us at fiscal.documentation@cpa.texas.gov with any questions.

How well are we meeting your customer service expectations?

Please let us know by completing the online survey by Friday, Sept. 30. We appreciate your feedback.

Email us at fiscal.documentation@cpa.texas.gov with any questions about the survey.

State agencies continue to report fraud attempts to the Comptroller’s office, especially for direct deposit payments. Agencies must be vigilant when setting up and/or changing direct deposit account information for employees and vendors.

Review the Fraud Prevention Recommendations on TexPayment Resource, which include Don’t Be a Target of Fraud, Vendor Impersonation Fraud and Payment Processing Tips.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 9.

If you have questions, email ssa.security@cpa.texas.gov.

State agencies are reporting more fraud cases to the Comptroller’s office, especially for direct deposit payments. Agencies must be vigilant when setting up and/or changing direct deposit account information for employees and vendors.

Review the Fraud Prevention Recommendations on TexPayment Resource, which include Don’t Be a Target of Fraud, Vendor Impersonation Fraud and Payment Processing Tips.

State agencies and institutions of higher education sometimes send documents with confidential information to Fiscal Management.

Email is not a secured transmission. Agencies must send confidential information as an encrypted email attachment as prescribed by your agency’s information security policy.

See Confidential Information Must be Encrypted Before Emailing to Fiscal Management (FPP D.004) for details.

The Statewide Fiscal Systems (SFS) Security team’s name has changed to Statewide Security Administration (SSA).

Effective Feb. 14, the support email address (SFS.security@cpa.texas.gov) will be replaced with SSA.security@cpa.texas.gov. This email account is primarily for agency security coordinators to send questions/correspondence to the SSA team. Security access requests must still be submitted via the Security Request System.

Agencies should:

• Confirm with IT departments that the new SSA address is not subject to security filters.
• Update internal contact lists and web pages to reflect both the new email (SSA.Security@cpa.texas.gov) and the new name (Statewide Security Administration).

NOTE: The old SFS email account will not receive messages after Tuesday, March 15.

Agency security coordinators may contact the SSA team with questions.

The Comptroller’s office will disable two transport layer security (TLS) protocols, 1.0 and 1.1, on Jan. 30. After that, only TLS 1.2 connections will work. This update is needed to correct security vulnerabilities.

This change will impact all connections to Comptroller systems, so be sure your information technology team is aware of the upgrade. The Comptroller’s office alerted state agencies to the upcoming change in September and has worked with agencies to replace the older protocols. See Microsoft’s update for more information.

Check the Forms page or appropriate topic page on FMX before submitting a form to ensure you submit the current version. Previously downloaded forms or stored links might be outdated.

You’ll find a link to the Forms page at the top of any FMX page. Also, FMX topic pages such as Appropriations or Payment Services feature links to related forms.

The Comptroller’s office will disable two transport layer security (TLS) protocols, 1.0 and 1.1, on Jan. 30, 2022. After that, only TLS 1.2 connections will work. This update is needed to correct security vulnerabilities.

This change could impact any connection to Comptroller systems, so be sure your informational technology team is aware of the upgrade. The Comptroller’s office alerted state agencies to the upcoming change in September and has worked with agencies to replace the older protocols. See Microsoft’s update for more information.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by Nov. 30.

Email sfs.security@cpa.texas.gov with any questions.

How well are we meeting your customer service expectations?

Please let us know by completing the online survey by Friday, Sept. 24. We appreciate your feedback.

If you have any questions about the survey, email us at fiscal.documentation@cpa.texas.gov.

How well are we meeting your customer service expectations?

Please let us know by completing the online survey by Friday, Sept. 24. We appreciate your feedback.

If you have any questions about the survey, please email us at fiscal.documentation@cpa.texas.gov.

BlueZone Web-to-Host 5.2 will be decommissioned Sept. 8. Customers must upgrade to BlueZone Web-to-Host 7.1 before that date. See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for installation instructions.

Note: If you have trouble connecting to the FMX site or downloading BlueZone, contact your IT support to determine if your agency security policies or firewalls are blocking access.

BlueZone Web-to-Host 5.2 will be decommissioned Sept. 8. Customers must upgrade to BlueZone Web-to-Host 7.1 before that date. See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for installation instructions.

Note: If you have trouble connecting to the FMX site or downloading BlueZone, contact your IT support to determine if your agency security policies or firewalls are blocking access.

BlueZone Web-to-Host 5.2 will be decommissioned Sept. 8. Customers must upgrade to BlueZone Web-to-Host 7.1 before that date. See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for installation instructions.

Note: If you have trouble accessing instructions or downloading BlueZone, contact your IT support to determine if your agency security policies or firewalls are blocking access.

BlueZone Web-to-Host 5.2 will be decommissioned on Sept. 8. Customers must upgrade to BlueZone Web-to-Host 7.1 before that date. See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for installation instructions.

Note: If you have trouble connecting to the FMX site or downloading BlueZone, contact your IT support to determine if your agency security policies or firewalls are blocking access.

Customers using BlueZone Web-to-Host 5.2 can leave that version installed; it will not conflict with version 7.1.

After Sept. 8, BlueZone Web-to-Host 5.2 will no longer connect to the CPA mainframe and will redirect to a Comptroller.Texas.Gov welcome page.

Agencies and institutions may also use other TN3270E emulation software equivalent to BlueZone. See Alternative Emulator Configuration Settings (login required) in FPP N.007 or contact Information Technology Support at your agency or institution for assistance.

Customers using BlueZone Web-to-Host 5.2 may continue using this version until further notice. We recommend that you upgrade to Web-to-Host 7.1 at your earliest convenience; see Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for more information and installation instructions. The Comptroller’s office will announce the new decommission date for Web-to-Host 5.2 shortly.

All customers using BlueZone Web-to-Host 5.2 must upgrade to the latest version, 7.1, by June 1, when the current version will be decommissioned on Comptroller systems.

Note: If you or your IT support already downloaded and installed BlueZone Web-to-Host 5.2 from FMX, you must upgrade to the latest 7.1 version. If your agency or office has its own licensed version of BlueZone or another 3270 emulator, you can continue using it to connect to the Comptroller’s mainframe.

See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for more information and installation instructions.

Agencies and institutions may also use other TN3270E emulation software equivalent to BlueZone. See Alternative Emulator Configuration Settings (login required) in FPP N.007, or contact information technology support at your agency for help.

All customers using BlueZone Web-to-Host 5.2 must upgrade to the latest version, 7.1, by June 1, when the current version will be decommissioned on Comptroller systems.

Note: If you or your IT support already downloaded and installed BlueZone Web-to-Host 5.2 from FMX, you must upgrade to the latest 7.1 version. If your agency or office has its own licensed version of BlueZone or another 3270 emulator, you can continue using it to connect to the Comptroller’s mainframe.

See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for more information and installation instructions.

Agencies and institutions may also use other TN3270E emulation software equivalent to BlueZone. See Alternative Emulator Configuration Settings (login required) in FPP N.007, or contact information technology support at your agency for help.

All customers using BlueZone Web-to-Host 5.2 must upgrade to the latest version, 7.1, by June 1, when the current version will be decommissioned on Comptroller systems. See Requirements for Transmitting Comptroller Information (FPP N.007) (login required) for more information and installation instructions.

Agencies and institutions may also use other TN3270E emulation software equivalent to BlueZone. See Alternative Emulator Configuration Settings (login required) in FPP N.007, or contact information technology support at your agency for help.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Level (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 6.

If you have questions, email sfs.security@cpa.texas.gov.

Security coordinators are required to certify that their records are up to date through a semiannual security verification process that is concurrent for all Fiscal Management applications.

• Review the instructions for the Semiannual Verification of Users’ Security Access Levels (FPP K.009) (login required).
• Download and review the Agency Security Coordinator Reports (login required).
• Complete and return the Attestation form (73-326) to the Comptroller’s office by May 6.

If you have questions, email sfs.security@cpa.texas.gov.