TX-RAMP (Texas Risk and Authorization Management Program) is a cybersecurity program that was modeled after the similarly named FedRAMP and StateRAMP programs to ensure that cloud computing services that work with federal or state agencies have adequate security controls in place.
TX-RAMP was created by the Texas Department of Information Resources (DIR) to provide a method to review the security measures taken by cloud-based products and services that process and transmit data to Texas state agencies.
The program comes from the passing of Senate Bill 475 by the Texas State Legislature, which required the Texas DIR to provide a “standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”
As a result, all cloud providers contracted with Texas state agencies must comply with TX-RAMP requirements and maintain TX-RAMP certifications.
Learn how UpGuard helps businesses achieve compliance with regulatory standards >
TX-RAMP Overview
Effective December 1st, 2022, DIR has revised TX-RAMP, referred to as TX-RAMP 2.0, to streamline the compliance process.
Under TX-RAMP, all cloud computing services are subject to its program requirements. The Texas Government Code § 2157.007 defines a cloud computing service as any service that provides a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and other services).”
TX-RAMP has two assessment levels:
- Level 1 - For public/non-confidential information or low-impact systems.
- Level 2 - For confidential/regulated data in moderate or high-impact systems.
Additionally, TX-RAMP maintains three certification levels or statuses that all cloud computing services must hold at any given point:
- Level 1 Certification (Public Controls Baseline) - Achieved after submitting assessment responses and meeting the minimum requirements of a Level 1 Assessment or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
- Level 2 Certification (Confidential Controls Baseline) - Achieved after submitting assessment responses and meeting the minimum requirements of a Level 2 Assessment or by submitting evidence of StateRAMP Category 3 authorization or FedRAMP Moderate authorization.
- TX-RAMP Provisional Certification - Provides a provisional product certification that allows a state agency to contract the use of that product for up to 18 months without a full TX-RAMP certification. However, cloud services that achieve a TX-RAMP provisional status must achieve a Level 1 or Level 2 Certification (or equivalent FedRAMP/StateRAMP authorization) within 18 months from the date the provisional status was granted. Providers that have also achieved FedRAMP/StateRAMP status can be automatically granted a Provisional Certification.
It is up to the contracting state agency to determine the baseline level (Level 1 or 2) the cloud service or product is subject to based on the level of sensitive information (either non-confidential or confidential) the provider handles.
Low-impact and non-confidential information is described as resources in which the loss of confidentiality, integrity, or availability would have minimal or limited effect on an organization’s operations. In other words, if the data the service provider handles becomes compromised, would it affect the agency’s ability to continue operating with little to no setbacks?
When Does TX-RAMP Take Effect?
As of January 1st, 2022, all cloud services subject to TX-RAMP Level 2 must obtain certification BEFORE contracting with state agencies.
Cloud services subject to TX-RAMP Level 1 must obtain certification on or after January 1st, 2024.
The only exception is for agencies that are seeking an Interim Provisional Certification for a particular service, which can only be obtained in two ways:
- Agency-sponsored requests - Agencies that have conducted a risk assessment of a cloud service can request an Interim Provisional Status, which is good for 60 days. Requests are submitted in SPECTRIM through the Texas DIR website.
- DIR review of third-party assessment or audit documentation - Cloud providers can request Provisional Certification by completing the TX-RAMP Assessment Request Form and providing documentation related to a third-party review of security controls.
How Long Are TX-RAMPS Certifications Valid For?
TX-RAMP Level 1 and Level 2 Certifications are valid for three years from the date the certification was granted, as long as the cloud service maintains compliance with program requirements.
TX-RAMP Provisional Certifications are valid for 60 days from the date the certification is granted. Cloud services can request a TX-RAMP Level 1 or Level 2 assessment at any time during the provisional period.
The Texas DIR will automatically notify service providers 12 and 6 months before the certification end date. Cloud providers can also request recertification to Texas DIR up to 12 months prior to the certification end date.
Additionally, no fees are required to attain TX-RAMP certification as the program is funded by the state of Texas.
Who Must Comply With TX-RAMP?
All cloud service providers (CSPs) planning to contract with Texas state agencies fall under the scope of TX-RAMP and must comply with its requirements.
However, certain cloud services fall outside of the TX-RAMP scope because they do not meet the definition of cloud computing services as defined in Texas Government Code § 2054.0593(a). This is because those services do not: create, process, or store confidential state-controlled data or connect with agency systems or networks that create, process, or store confidential state-controlled data.
Cloud services that are not subject to TX-RAMP include the following:
- Services that are used to gather non-confidential research or advisory information (such as advisory services or market research services)
- Graphic design or illusion products
- Geographic information systems or mapping services that are not used for confidential purposes or tied to individual identities
- Email or notification services that do not create, process, or store confidential information
- Social media platforms or services
- Survey and scheduling services that do not create, process, or store confidential information
- Cloud products or services used to deliver training that do not create, process, or store confidential information
- Services used to transmit copies of non-confidential data as required by external governing bodies for purposes of accreditation and compliance
- Low-impact SaaS products that do not handle personally identifiable information (PII) or other confidential data
How To Become TX-RAMP Certified
To initiate the assessment process, CSPs seeking certification for a cloud computing service must complete the TX-RAMP Assessment Request Form through the TX-RAMP homepage on the Texas DIR website (dir.texas.gov).
Texas state agencies looking to contract third-party cloud services or vendors can request they complete the TX-RAMP Assessment Request for Vendors.
The certification process for both baseline levels can be achieved in one of two ways:
- Providing accurate assessment responses and appropriate documentation to the Texas DIR for review
- Providing sufficient evidence to the Texas DIR of an accepted risk authorization and management program status (such as StateRAMP or FedRAMP)
DIR will then review the request and determine whether or not additional documentation or further action is needed. Once the request is processed, DIR will email the point of contact with instructions for completing the TX-RAMP Acknowledge and Inventory Questionnaire along with either the TX-RAMP Level 1 or Level 2 Questionnaire.
Cloud providers that are already StateRAMP or FedRAMP certified will automatically be granted TX-RAMP certification.
Continuous Monitoring Requirement
As part of the TX-RAMP requirements, certified cloud computing services must be routinely assessed and monitored for TX-RAMP compliance to ensure they can continue to meet the required security controls. State agencies can also request additional monitoring activities in their contractual agreements with the providers.
As such, DIR has established the following continuous monitoring criteria for CSPs contracting with state agencies:
- TX-RAMP Level 1 Certified cloud services must provide annual vulnerability reports of identified vulnerabilities and corresponding mitigation activities to Texas DIR.
- TX-RAMP Level 2 Certified cloud services must provide quarterly vulnerability reports of identified vulnerabilities and corresponding mitigation activities to Texas DIR.
- Vulnerability reports must contain vulnerability severity categories
- Vulnerability reports must contain a description of remediation plans or mitigation activities for High and Critical-severity vulnerabilities
- CSPs must disclose any system or security breach of the certified cloud service to the DIR within 48 hours of breach discovery
Losing or Getting TX-RAMP Certification Revoked
Texas DIR reserves the right to revoke TX-RAMP certification at any time, at its discretion, if it deems that the cloud computing service is non-compliant or failing to meet baseline TX-RAMP requirements.
Events that can result in a TX-RAMP certification being revoked include, but are not limited to, the following:
- Failure to inform required parties of significant changes to the cloud computing service within 30 days
- Failure to inform required parties of the loss of other accepted risk and authorization management program (FedRAMP, StateRAMP) certifications
- Failure to provide the required continuous monitoring documents
- The report of false or misleading information to DIR or other relevant state agency
- Referencing non-certified cloud computing services as TX-RAMP certified
- Failure to report a breach of system security to DIR within 48 hours of discovery
Recertification
If a CSP makes significant changes to its cloud service, they are required to report those changes to DIR within 30 days, as any changes may affect the security controls and the state of the information system or product itself. Even if changes are deemed non-significant by DIR, it is up to DIR to make that determination after reviewing the certification status. If the changes are deemed significant, then the DIR will require a certification update by the CSP.
Significant changes can include, but are not limited to, the following:
- Adding or removing security controls
- Change in cloud computing service ownership
- Changing or updating backup mechanisms and processes
- Changing alternative (or compensating) security controls
- Moving information system data to a different system boundary
- New authentication mechanisms or changes to existing mechanisms
- New boundary protection mechanisms or changes to existing mechanisms
- New cloud computing service offering or feature outside of the scope of the initial assessment
- New data center or new facility
- New interconnections or changes to existing interconnections
- New system monitoring capabilities or replacing system monitoring capabilities
- New technology (new OS variant, including COTS and appliance, that do not currently exist in the cloud computing service environment)
- New or upgraded database management system (DBMS)
- Platform as a Service (PaaS) or SaaS changing Infrastructure as a Service (IaaS) provider
- Removing system components or service offerings
- Scanning tool changes
- System categorization changes
- Using new external services in support of the cloud computing service
- Changing an accepted risk and authorization management program status
UpGuard is Now TX-RAMP Certified!
UpGuard is now TX-RAMP certified to help organizations or agencies with TX-RAMP requirements manage their vendors’ risks. As the #1 Third-Party & Supplier Risk Management Software Platform according to G2, we’re best suited to help organizations and agencies streamline their TX-RAMP certification process and ensure that all third-party cloud service providers complete their TX-RAMP Assessment Requests quickly and accurately.
.png){kind=avatar}
