TX-RAMP Frequently Asked Questions (FAQs)

• What is TX-RAMP?

The Texas Risk and Authorization Management Program (TX-RAMP) is a DIR program that provides review of security measures taken by cloud products and services that transmit data to Texas state agencies. Cloud providers must comply with an established DIR framework and continuous compliance to be accepted. TX-RAMP was established from requirements put forth in Senate Bill 475.

• To which organizations do TX-RAMP requirements apply?

State agencies must comply with the statutory requirements of contracting for cloud services with appropriate TX-RAMP certification.

Cloud service providers must demonstrate compliance with the security criteria to receive and maintain a TX-RAMP certification for a cloud computing service.

State agencies (as defined by Texas Government Code Section 2054.003) means a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education (as defined by Section 61.003, Education Code).

• Which software tools or solutions require TX-RAMP certification?

Only cloud computing services, as defined by Section 2054.0593(a), are within scope for TX-RAMP certification. Products or services that are not cloud computing services are not subject to TX-RAMP.  Consult Appendix D of the TX-RAMP Program Manual’s essential characteristics list to determine whether a product or service is a cloud computing service subject to TX-RAMP.

Additionally, certain categories and characteristics within the definition of cloud computing services are outside of the scope of Section 2054.0593 and, as such, are not required to comply with TX-RAMP. Examples include:

• Email or notification distribution services that do not create, process, or store confidential information
• Educational tools that do not create, process, or store confidential information
• Social media platforms and services
• Graphic design or illustration products

A longer list of the general types of cloud services that are out-of-scope can be found on page 6 of the TX-RAMP Program Manual.  Final determination TX-RAMP scope is at the discretion of the contracting state agency.

• How is the determination made if a cloud service (SaaS) is in-scope or out-of-scope for TX-RAMP, and who makes it?

The minimum certification level for a cloud service is determined by the impact level of the information resources defined by the contracting agency and the confidentiality of the data processed, stored, or transmitted by the cloud service, as described above. Agencies should consult with the appropriate internal stakeholders to determine whether a cloud service is subject to TX-RAMP certification requirements and the impact level of the information resources.  Agencies should consult with their general counsel if needed.

Some categories of cloud computing services are out-of-scope for TX-RAMP due to the general characteristics of that type of service.

• What are the levels of TX-RAMP certification?

TX-RAMP establishes three levels of certification:

• TX-RAMP Level 1 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data determined to be nonconfidential or determined to be a low impact information resource.
• TX-RAMP Level 2 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data determined to be confidential and determined to be a moderate or high impact information resource.
• TX-RAMP Provisional Certification may be obtained in place of a TX-RAMP Level 1 or 2 Certification for a period of 18 months to expedite compliance to assist with active procurements.

Final determination of the minimum certification level required is at the discretion of the contracting state agency.

• When is TX-RAMP certification required to be in place to do business with the state?

Cloud services subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies on or after January 1, 2024.
Cloud services subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies as of January 1, 2022.

• How long is a TX-RAMP certification valid?

• TX-RAMP Level 1 and Level 2 Certifications are valid for 3 years from the date the certification is granted, provided the cloud service maintains compliance with the program requirements.
• TX-RAMP Provisional Certification is valid for 18 months from the date the certification is granted. Agencies or Cloud service providers may request a TX-RAMP Level 1 or Level 2 assessment at any time during the Provisional Certification period, but should, be aware that the full assessment process takes some time.
• TX-RAMP Interim Provisional Certification (agency-sponsored) is good for 60 days.

• How long does an assessment take?

Once the required documentation is submitted to DIR, the assessment review process varies in duration depending on factors such as:

• Quality and completeness of initial documentation provided
• Timeliness of response to requests for additional information
• Current volume of requests awaiting review

Once an assessment review begins, the DIR goal is to complete that review and issue a recommendation within 4 weeks, assuming the considerations above are met.

• How does a certification get renewed?

TX-RAMP Level 1 and Level 2 certifications are valid for three years from the date the last certification was conferred upon a cloud computing service, provided that the cloud service provider is compliant with the program requirements enumerated in this Program Manual. Recertification requires the cloud service provider to review and update control implementation details as necessary and provide updated documentation to DIR for review. The identified points of contact for TX-RAMP certified cloud computing services will be notified by automated email at least 12 months and six months prior to the certification end date. This email will include instructions for completing the recertification process. The request to initiate the recertification process may be made by the cloud service provider up to 12 months prior to the certification end date.

• How are certifications communicated?

DIR will notify the requestor and the CSP when certification is granted, and the list of approved services is updated regularly on the TX-RAMP website.

• Where is the list of TX-RAMP certified cloud services?

​​​​​​​The list of TX-RAMP certified products is here.

• What does a TX-RAMP certification cost?

​​​​​​​There are no fees associated with a TX-RAMP certification, it is funded by the state of Texas.

• What steps are required to obtain TX-RAMP Certification when a cloud service has an existing StateRAMP or FedRAMP authorization?

​​​​​​​No action is necessary. DIR pulls the StateRAMP Authorized Cloud service providers list and FedRAMP Marketplace (authorized list) on a regular basis and certify the cloud services with appropriate status under TX-RAMP. If a StateRAMP or FedRAMP cloud service with appropriate status is not listed on the TX-RAMP certified cloud services listing, an agency or service provider may contact [email protected] for clarification.

• What is TX-RAMP 2.0 (or the revised TX-RAMP Program Manual)?

DIR has revised TX-RAMP effective 12/1/2022, incorporating improvements and streamlining workflows to make the process faster and less difficult for our customers and partners to comply.  This revision is commonly referred to as TX-RAMP 2.0.

• What are the major changes in the revised Program Manual?

While there are changes throughout the Program Manual, these areas have major changes:

• Security control baselines
• Provisional Certification
• Certification Requirements

• What are the changes to the Security Control Baselines?

​​​​​​​The list of security controls required for TX-RAMP certification has been updated to align with NIST 800-53 revision 5.

• What are the changes to Provisional Certifications?

• Only submitted by the cloud service provider
• Third-party audit/assessment requirement is replaced with Acknowledgement and Inventory questionnaire
• Provisional Certification granted after completing Acknowledgement and Inventory questionnaire
• Changes agency-sponsored Provisional Certification to Interim Provisional Certification, good for 60 days only
• Incorporates an extension process
• Removes January 1, 2023, deadline for Provisional Certification requests

• What are the changes to the assessment requirements?

• Consolidates required documentation into one provided template
• Streamlined the number of questions in the assessment
• Moved effective date of level 1 to January 1, 2024

• What do I do if I already have submitted my assessment documentation, or am working on it using the previous Program Manual?

​​​​​​​If an assessment was begun or provisional was granted prior to the effective date of the 2.0 version of the Program Manual, the cloud service provider may:

• Submit the existing v1.0 assessment for review and certification, or
• Opt to complete the new v2.0 assessment instead

• What is an Acknowledgement and Inventory?

• Will be a SPECTRIM Questionnaire launched to the cloud service provider.
• The questionnaire will ask for basic information and a Security Artifact Inventory of HECVAT and/or third-party assessments or audits.
• Artifact inventory will be listed on the TX-RAMP Engagement record and visible to those with TX-RAMP access.

• What are the conditions by which an Extension will be granted for Provisional Certification?

• 6-month extension if level 1 or 2 certification assessment submitted, but not yet granted
• Additional 3-month extension if DIR has not completed assessment review
• Additional 3-month extension may be granted on discretionary basis

• What is an Interim Provisional Certification?

​​​​​​​Effective 12/1/2022, state agencies can no longer request or sponsor a cloud service provider’s application for Provisional Certification. This process must be initiated by the CSP. 

However, in circumstances when Provisional Certification is urgently required in order to maintain a business function, Interim Provisional Certification can be granted for a period of 60 days. This is intended to supplement, not replace, the Provisional Certification process, and may only be requested by a state agency.

• What is the process for requesting a TX-RAMP level 1 or level 2 assessment?

The cloud service provider may request an assessment for their cloud service(s) through the TX-RAMP Assessment Request Form.

Agencies can view pending assessment requests for cloud services in SPECTRIM, and do not need to submit additional requests for assessment.

• Can an agency apply for Provisional Status?

As of 12/1/2022, agencies can no longer request or sponsor Provisional Status. In its place, agencies now can request Interim Provisional Status, good for 60 days. See the “changes for TX-RAMP 2.0” section of this FAQ for details.

• Does each agency need to submit a request if they plan to enter a contract for a particular cloud service?

No. If a TX-RAMP assessment request or certification exists for a cloud service, any agency may leverage that existing engagement.

• Can anyone view the list of cloud services that are in queue to be assessed?

​​​​​​​This information is available to authorized SPECTRIM users.

• Who is responsible for ensuring Shared Technology Services (STS) cloud solutions are in compliance?

​​​​​​​As the agency contracting with the Shared Technology Services providers, DIR is responsible for ensuring cloud solutions used in the STS program are compliant with TX-RAMP.

• Can a TX-RAMP certification be revoked?

​​​​​​​Yes. Failure of a cloud service provider to maintain baseline compliance with TX-RAMP requirements described by this Program Manual will result in revocation of a product’s TX-RAMP certification.

Events that will result in a revocation include but are not limited to the following:

• Failure to inform required parties in a timely manner of significant changes to the cloud computing service
• Failure to inform required parties of the loss of other accepted risk and authorization management program (e.g. FedRAMP, StateRAMP) certification
• Failure to provide required continuous monitoring documents
• The report of false or misleading information to DIR or a state agency
• Referencing non-certified cloud computing services as TX-RAMP certified
• Failure to report a breach of system security to DIR within 48 hours of discovery

• Does DIR provide any verbiage to add to contract or solicitation language regarding TX-RAMP?

​​​​​​​Yes. The Comptroller’s Statewide Procurement Guide provides additional language below that agencies can use for future procurements. See page 3 of Appendix 23 (PDF page 201) for additional information.

Pursuant to Section 2054.0593(d)-(f) of the Texas Government Code, relating to cloud computing state risk and authorization management program, Respondent represents and warrants that it complies with the requirements of the state risk and authorization management program and Respondent agrees that throughout the term of the contract it shall maintain its certifications and comply with the program requirements in the performance of the contract.​​​​​​​

• Will DIR accept self- or third-party attestation as proof of meeting the criteria for certification?

For Provisional Certification, self-attestations (such as HECVAT) and third-party attestation or audit (such as SOC 2 Type 2) have been replaced by the Acknowledgement and Inventory questionnaire in the revised Program Manual- see “What is an Acknowledgement and Inventory” in the TX-RAMP 2.0 changes section above.

For level 1 and level 2 certification, third-party attestation or audit (such as SOC 2 Type 2) are helpful but not required.   An assessment conducted by DIR is required.

• Can a CSP pursue Provisional Certification status and level 1 or level 2 certification simultaneously?

Yes. Not only permitted but encouraged, to assure compliance in the near-term for any pending contracts or renewals while the full assessment is completed, and the full 3-year certification period for compliance longer-term.

• Is a Separate certification required for each cloud service, or can they be assessed together as a platform?

If included cloud services share all infrastructure and security controls, they may be assessed together and only a single request is required.  Otherwise, each cloud service requires its own assessment.

• How should the required documentation and questionnaire be prepared for submission?

• Review the TX-RAMP v2.0 Program Manual
• Additionally, the TX-RAMP v2.0 Control Baselines are available for review before the assessment is started
• CSPs should engage their IT and information security teams in completing the assessment.
• Assessments can be delegated to other members of your organization with the same email domain.

The details required to request an assessment are as follows:

• Assessment Level requested (Level 1, Level 2, or Provisional Certification)
• Product name
• Company (Manufacturer) Name
• Product page URL
• Requested Assessment Launch Date
• Assessment Point of Contact Full Name
• Assessment Point of Contact Title
• Assessment Point of Contact Email
• Requested Assessment Questionnaire Due Date*

Additional Assessment Contacts (Optional)

• Assessment Point of Contact Full Name
• Assessment Point of Contact Title
• Assessment Point of Contact Email

If you have additional questions, contact [email protected] or schedule a meeting with TX-RAMP staff.

*Questionnaires are automatically deleted 180 days after the assigned due date, please ensure that the due date is as realistic as possible.

• Do all external systems and services (“fourth-party”) need to have TX-RAMP certification in order for a product to obtain certification?

A certified cloud service provider is expected to hold service providers of their own to the same level 1 or level 2 requirements as a full certification, but TX-RAMP certification is only required for the provider directly entering into contract with a state agency.

• If a cloud provider is using a TX-RAMP certified cloud environment, can the underlying cloud provider’s certification be leveraged for TX-RAMP certification?

​​​​​​​No. Using a TX-RAMP Certified infrastructure does not automatically make the service TX-RAMP compliant. Each layer (i.e., IaaS, PaaS, and SaaS) must be evaluated on its own and obtain the appropriate TX-RAMP Certifications. However, when software sits on a TX-RAMP Certified third-party cloud architecture it may inherit controls from the underlying certified systems and should be noted in the assessment.

• If a cloud service provider offers both a commercial cloud and a government cloud for the product we are procuring, is an agency required to use the government cloud for TX-RAMP certification?

​​​​​​​Not necessarily.  In some cases, a CSP will make a distinction between their commercial cloud offerings and their gov cloud offerings for marketing purposes, but both are FedRAMP authorized.  Check the list of TX-RAMP certified products and it should be noted whether their commercial cloud is certified.  If not, reach out to [email protected] for clarification.

• Do Plan of Action & Milestones (POA&Ms) need to be in place for all non-satisfied controls?

A mitigation plan is required for each control out of compliance and DIR reserves the right to request that plan but reporting of POA&Ms to DIR is not required.

• Can an assessment due date be changed?

If an assessment requires more time to complete than available before the recorded due date, contact [email protected] about changing the date.  Note that 180 days of inactivity will trigger cancellation of an assessment in progress.

• How can additional users be added to assessments?

​​​​​​​​​​​​​​If the new user is in the same domain, add them via the assessment portal. If not, contact [email protected] for assistance.

• How can company contacts be added or updated?

If the company contacts need to be updated after the initial request for TX-RAMP certification, contact [email protected] for assistance.

During the Questionnaire Development phase, the Engagement Manager can update contact information.

If this change is during the Assessment Review, contact updates can be updated through the Assessor.

• Can an assessment level be changed on an assessment in progress?

​​​​​​​​​​​​​​If the assessment level needs to be updated after the initial request for TX-RAMP certification, contact [email protected] for assistance.

During the Questionnaire Development phase, the DIR TX-RAMP Engagement Manager can assist in changing the assessment level and redirecting the TX-RAMP certification path.

If this change is during the Assessment Review, contact the Assessor as soon as possible so the assessment certification path can be redirected or put On-Hold until the assessment can be changed.

• What are the deadlines for responding to questions or submitting additional documentation during the Assessment Review process?

There is a two-week window (10 business days) to respond to follow up requested, i.e., documentation modifications and/or additional clarification, by an Assessor.

If it will take more than three weeks (15 business days) to complete the requested information, the Assessor will need to put the Assessment Review On-Hold (if the need for an additional week is not communicated to the Assessor, the Engagement will go On-Hold after the two-week period).

After a month of an Assessment Review being On-Hold, the Engagement will be moved to a Denied-Returned for Additional Information status and moved to the end of the review queue.