TX-RAMP Frequently Asked Questions (FAQs)

These FAQs are intended to provide easy to find answers to the most asked questions about TX-RAMP. It is divided into sections:

  • What is TX-RAMP?

The Texas Risk and Authorization Management Program (TX-RAMP) is a DIR program that provides review of security measures taken by cloud products and services that transmit data to Texas state agencies. Cloud providers must comply with an established DIR framework and continuous compliance to be accepted. TX-RAMP was established from requirements put forth in Senate Bill 475.

  • To which organizations do TX-RAMP requirements apply?

State agencies must comply with the statutory requirements of contracting for cloud services with appropriate TX-RAMP certification.

Cloud service providers must demonstrate compliance with the security criteria to receive and maintain a TX-RAMP certification for a cloud computing service.

State agencies (as defined by Texas Government Code Section 2054.003) means a department, commission, board, office, council, authority, or other agency in the executive or judicial branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education (as defined by Section 61.003, Education Code).

  • Which software tools or solutions require TX-RAMP certification?

Only cloud computing services (IaaS, PaaS, SaaS), as defined by Section 2054.0593(a), are within scope for TX-RAMP certification. Products or services that are not cloud computing services are not subject to TX-RAMP.

Additionally, certain categories and characteristics within the definition of cloud computing services are outside of the scope of Section 2054.0593 and, as such, are not required to comply with TX-RAMP. 

Consult Appendix D of the TX-RAMP Program Manual’s essential characteristics list to determine whether a product or service is a cloud computing service subject to TX-RAMP.

  • How is the determination made if a cloud service (Iaas, Paas,SaaS) is in- or out-of-scope for TX-RAMP, and who makes it?

Three characteristics determine if a software product is in-scope for TX-RAMP:

  • Is it a cloud computing service? (pg. 9, Program Manual)
  • Is it classified as a service not subject to TX-RAMP requirements? (pg. 10, Program Manual)
  • What is the impact level of a security breach? (pg. 14, Program Manual)
  • What are the levels of TX-RAMP certification?

TX-RAMP establishes three levels of certification:

  • TX-RAMP Level 1 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data determined to be nonconfidential or determined to be a low impact information resource.
  • TX-RAMP Level 2 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data determined to be confidential and determined to be a moderate or high impact information resource.
  • TX-RAMP Provisional Certification may be obtained in place of a TX-RAMP Level 1 or 2 Certification for a period of 18 months to expedite compliance to assist with active procurements.

Final determination of the minimum certification level required is at the discretion of the contracting state agency.

  • What is Fast Track?

The TX-RAMP Fast Track Assessment is a streamlined process designed to expedite the certification of cloud service providers by allowing providers to leverage existing DIR-approved third-party assessments or audit reports to provide verified evidence of security practices.DIR accepts the below third-party assessments or audit reports to be considered for Fast Track assessment:

  • SOC 2 Type 2;
  • HITRUST Authorized External Assessor Validated Assessment;
  • PCI DSS Qualified Security Assessor Audit Report on Compliance;
  • Any third-party assessment or audit artifacts authorized by DIR and posted as part of the comprehensive list on its website.

A third-party assessment or audit artifact that is not included in the above list or identified by the comprehensive list posted to the DIR website cannot be used for the Fast Track assessment process.

  • How long is a TX-RAMP certification valid?

  • TX-RAMP Level 1 and Level 2 Certifications are valid for 3 years from the date the certification is granted, provided the cloud service maintains compliance with the program requirements.
  • TX-RAMP Provisional Certification is valid for 18 months from the date the certification is granted. Agencies or Cloud service providers may request a TX-RAMP Level 1 or Level 2 assessment at any time during the Provisional Certification period, but should, be aware that the full assessment process takes some time.
  • TX-RAMP Interim Provisional Certification (agency-sponsored) is good for 60 days.
  • How long does an assessment take?

Once the required documentation is submitted to DIR, the assessment review process varies in duration depending on factors such as:

  • Quality and completeness of initial documentation provided
  • Timeliness of response to requests for additional information
  • Current volume of requests awaiting review

Once an assessment review begins, the DIR goal is to complete that review and issue a recommendation within 4 weeks, assuming the considerations above are met.

  • How does a certification get renewed?

TX-RAMP Level 1 and Level 2 certifications are valid for three years from the date the last certification was conferred upon a cloud computing service, provided that the cloud service provider is compliant with the program requirements enumerated in this Program Manual. Recertification requires the cloud service provider to review and update control implementation details as necessary and provide updated documentation to DIR for review. The identified points of contact for TX-RAMP certified cloud computing services will be notified by automated email at least 12 months and six months prior to the certification end date. This email will include instructions for completing the recertification process. The request to initiate the recertification process may be made by the cloud service provider up to 12 months prior to the certification end date.

  • How are certifications communicated?

DIR will notify the requestor and the CSP when certification is granted, and the list of approved services is updated regularly on the TX-RAMP website.

  • What does a TX-RAMP certification cost?

There are no fees associated with a TX-RAMP certification, as it is funded by the state of Texas.

  • What steps are required to obtain TX-RAMP Certification when a cloud service has an existing StateRAMP or FedRAMP authorization?

​​​​​​​No action is necessary. DIR pulls the StateRAMP Authorized Cloud service providers list and FedRAMP Marketplace (authorized list) on a regular basis and certify the cloud services with appropriate status under TX-RAMP. If a StateRAMP or FedRAMP cloud service with appropriate status is not listed on the TX-RAMP certified cloud services listing, an agency or service provider may contact [email protected] for clarification.

  • Where is the list of TX-RAMP certified cloud services?

The list of TX-RAMP certified products is here.

  • What is TX-RAMP 3.0 (or the revised TX-RAMP Program Manual)?

DIR has revised TX-RAMP effective 12/1/2023, incorporating improvements and streamlining workflows to make the process faster and less difficult for our customers and partners to comply.  This revision is commonly referred to as TX-RAMP 3.0.

  • What are the major changes in the revised Program Manual?

While there are changes throughout the Program Manual, these areas have major changes:

  • Fast Track
  • Transitional Grace Period
  • Changes to scope requirements
  • What do I do if I already have submitted my assessment documentation, or am working on it using the previous Program Manual?

If an assessment was begun or provisional was granted prior to the effective date of the 3.0 version of the Program Manual, the cloud service provider may:

  • Submit the existing v1.0 assessment for review and certification, or
  • Determine if eligible for Fast Track and submit the required documentation for that path to certification.
  • The Acknowledgement and Inventory (A&I) is the first step in the TX-RAMP certification process. It is a questionnaire launched via SPECTRIM to the cloud service provider.
  • The A&I form asks for basic information and a Security Artifact Inventory of HECVAT and/or third-party assessments or audits.
  • Artifact inventory will be listed on the TX-RAMP Engagement record and visible to those with TX-RAMP access.
  • What are the conditions by which an Extension will be granted for Provisional Certification?
  • One 6-month extension may be granted if a level 1 or 2 certification assessment is in progress but not submitted, submitted but not yet reviewed by DIR
  • One additional 3-month extension may be granted if DIR has not completed assessment review
  • Additional 1-month extensions may be granted on discretionary basis
  • What is an Interim Provisional Certification?

​​​​​​​In circumstances when Provisional Certification is urgently required in order to maintain a business function, Interim Provisional Certification can be granted for a period of 60 days. This is intended to supplement, not replace, the Provisional Certification process, and may only be requested by a state agency or University/College.

  • What is the process for requesting a TX-RAMP level 1 or level 2 assessment?

Agencies must direct the cloud service provider to request an assessment for their cloud service(s) through the TX-RAMP Assessment Request Form.

Agencies will be able to see pending assessment requests for cloud services and do not need to submit additional requests for assessment.

  • Can an agency apply for Provisional certification of a sponsored product?

Agencies can no longer request or sponsor TX-RAMP Provisional certification. In its place, agencies now can request Interim Provisional Status, good for 60 days, via SPECTRIM. See the “changes for TX-RAMP 2.0” section of this FAQ for details.

  • Does each agency need to submit a request if they plan to enter a contract for a particular cloud service?

No. If a TX-RAMP assessment request or certification exists for a cloud service, any agency may leverage the existing engagement.

  • Can anyone view the list of cloud services that are in queue to be assessed?

This information is available to authorized SPECTRIM users.

  • Who is responsible for ensuring Shared Technology Services (STS) cloud solutions are in TX-RAMP compliance?

As the agency contracting with the Shared Technology Services providers, DIR is responsible for ensuring cloud solutions used in the STS program are compliant with TX-RAMP.

  • Can a TX-RAMP certification be revoked?

Yes. Failure of a cloud service provider to maintain baseline compliance with TX-RAMP requirements described by the Program Manual will result in revocation of a product’s TX-RAMP certification.

Events that will result in a revocation include but are not limited to the following:

  • Failure to inform required parties in a timely manner of significant changes to the cloud computing service
  • Failure to inform required parties of the loss of other accepted risk and authorization management program (e.g. FedRAMP, StateRAMP) certification
  • Failure to provide required continuous monitoring documents
  • The report of false or misleading information to DIR or a state agency
  • Referencing non-certified cloud computing services as TX-RAMP certified
  • Failure to report a breach of system security to DIR within 48 hours of discovery
  • What happens when a product loses TX-RAMP certification?

If a product falls out of TX-RAMP compliance, either through lapse of the certification period or through revocation, the agency is required to notify DIR and begin the Transitional Grace Period (pg. 24, Program Manual).

  • Does DIR provide any verbiage to add to contract or solicitation language regarding TX-RAMP?

Yes. The Comptroller’s Statewide Procurement Guide provides additional language below that agencies can use for future procurements. See page 3 of Appendix 23 (PDF page 201) for additional information.

Pursuant to Section 2054.0593(d)-(f) of the Texas Government Code, relating to cloud computing state risk and authorization management program, Respondent represents and warrants that it complies with the requirements of the state risk and authorization management program and Respondent agrees that throughout the term of the contract it shall maintain its certifications and comply with the program requirements in the performance of the contract.

  • Will DIR accept self- or third-party attestation as proof of meeting the criteria for certification?

For Provisional Certification, self-attestations (such as HECVAT) have been replaced by the Acknowledgement and Inventory form.

For level 1 and level 2 certification, products with certain third-party audits (such as SOC 2 Type II) are eligible for Fast Track certification.

  • Can a CSP pursue Provisional Certification and level 1 or level 2 certification simultaneously?

Yes. Not only allowed but encouraged, to assure compliance in the near-term for any pending contracts or renewals while the full assessment is completed, and the full 3-year certification period for compliance longer-term.

  • Is a separate certification required for each cloud service, or can they be assessed together as a platform?

If the assessed cloud services (products or SKUs) share all infrastructure and security controls, they may be assessed together and only a single assessment request is necessary.  Otherwise, each cloud service requires its own assessment.

  • How should the required documentation and questionnaire be prepared for submission?
  • Review the TX-RAMP 3.0 Program Manual and TX-RAMP Control Baselines 2.0
  • CSPs should engage their IT and information security teams in completing the assessment.
  • Assessments can be delegated to other members of your organization with the same email domain via the Archer Engage assessment portal.

If you have additional questions, contact [email protected].

*Questionnaires are automatically deleted after 180 days of inactivity, please schedule your full assessment to launch when you are ready to begin and complete work on it.

  • Do all external systems and services (“fourth-party”) need to have TX-RAMP certification in order for a product to obtain certification?

A certified cloud service provider is expected to hold their own service providers to the same level 1 or level 2 requirements as a full certification, but TX-RAMP certification is only required for the provider directly entering into contract with a state agency.

  • If a cloud provider is using a TX-RAMP certified cloud environment, can the underlying cloud provider’s certification be leveraged for TX-RAMP certification?

No. Using a TX-RAMP Certified infrastructure does not automatically make the service TX-RAMP compliant. Each layer (i.e., IaaS, PaaS, and SaaS) must be evaluated on its own and obtain the appropriate TX-RAMP Certifications. However, when software sits on a TX-RAMP Certified third-party cloud architecture it may inherit controls from the underlying certified systems and should be noted in the assessment.

  • If a cloud service provider offers both a commercial cloud and a government cloud for the product we are procuring, is an agency required to use the government cloud for TX-RAMP certification?

No.  In some cases, a CSP will make a distinction between their commercial cloud offerings and their gov cloud offerings for marketing purposes, but both are FedRAMP authorized.  Check the list of TX-RAMP certified products and it should be noted whether their commercial cloud is certified.  If not, reach out to [email protected] for clarification.

  • Do Plan of Action & Milestones (POAMs) need to be in place for all non-satisfied controls?

A mitigation plan is required for each control out of compliance and DIR reserves the right to request that plan but reporting of POAMs to DIR is not required.

  • Can an assessment due date be changed?

An assessment due date may be updated by DIR republishing the current submission or it may be cancelled and replaced with a new assessment with a new due date. Note that this may require resubmission of any work in progress. Contact [email protected] about changing the date.  On a related note, be aware that 180 days of inactivity will trigger cancellation of an assessment in progress.

  • How can additional users be added to assessments?

If the new user is in the same domain, add them via the assessment portal. If not, contact [email protected] for assistance.

  • How can company contacts be added or updated?

If the company contacts need to be updated after the initial request for TX-RAMP certification, contact [email protected] for assistance.

If this change is during the Assessment Review, contact updates can be updated through the Assessor.

  • Can an assessment level be changed on an assessment in progress?

If the assessment level needs to be updated after the initial request for TX-RAMP certification, contact [email protected] for assistance.

During the Questionnaire Development phase, the DIR TX-RAMP Engagement Manager can assist in changing the assessment level and redirecting the TX-RAMP certification path.

If this change is during the Assessment Review, contact the Assessor as soon as possible so the assessment certification path can be redirected or put On-Hold until the assessment can be changed.

  • What are the deadlines for responding to questions or submitting additional documentation during the Assessment Review process?

There is a two-week window (10 business days) to respond to follow up requested, i.e., documentation modifications and/or additional clarification, by an Assessor.

If it will take more than three weeks (15 business days) to complete the requested information, the Assessor will need to put the Assessment Review On-Hold (if the need for an additional week is not communicated to the Assessor, the Engagement will go On-Hold after the two-week period).

After a month of review being On-Hold status, the Engagement will be moved to Rejected status and a new assessment will need to be requested and will be placed at the end of the review queue.

Vulnerability Reporting:

DIR established the following minimum continuous monitoring requirements to ensure that cloud service providers comply with TX-RAMP. Any additional continuous monitoring requirements are at the discretion of the contracting state agency.

  • TX-RAMP Level 2 Certified cloud computing services, cloud service providers must provide quarterly vulnerability reports of identified vulnerabilities and mitigation activities to DIR through the SPECTRIM Vendor Portal.
  • TX-RAMP Level 1 Certified cloud computing services, cloud service providers must provide annual vulnerability reports of identified vulnerabilities and mitigation activities to DIR through the SPECTRIM Vendor Portal.

Reporting Breach of System Security:

 A cloud service provider whose cloud computing service is certified by TX-RAMP shall disclose any breach of system security of the certified cloud offering in compliance with Texas Business & Commerce Code Section 521.053. A cloud service provider whose TX-RAMP-certified service has a breach of system security shall notify DIR within 48 hours of becoming aware of the breach of system security. A breach of system security notifications must be sent by authorized company officials to [email protected] with a description of the incident, potentially impacted Texas customers, and any additional relevant information.

A cloud service provider must report a suspected or confirmed breach to appropriate parties as required by law. If the suspected or confirmed breach involves the unauthorized disclosure of 250 or more Texans, the cloud service provider must also report the breach to the Office of the Attorney General of Texas as required by law.

Significant Change Reporting:

Significant changes to a cloud computing service, as determined by DIR, may warrant an update to certification upon notification of a change and identification of that change as significant. A significant change is defined as an alteration to a cloud computing service that has a high probability to impact the security posture of the system.

Cloud service providers may occasionally need to make changes (e.g. technical, administrative) to their cloud computing services. As the initial assessment and certification is performed at a certain point in time, it is important to identify any impacts future changes have on the security posture of the cloud computing service. Some changes may have minimal impact on the security of the service while others may warrant additional review to ensure the cloud computing service is maintaining compliance with security requirements.

A significant change is a change that is likely to negatively affect the security state of the information system. Nonsignificant changes would typically be addressed by the cloud service provider’s Configuration Management Plan. Significant changes, however, are those outside of typical change management, the scope of which would call the initial assessment judgment into question because of the significance of the change to the product.

A cloud service provider must report significant changes to a certified service to DIR within 30 days of the date that the change is made. A cloud service provider may also report a significant change to a service to the state agencies with whom they contract; this would not, however, meet the requirement to report significant changes to DIR.

DIR is responsible for completing an updated service certification review resulting from a significant change. This review shall be limited to an assessment of any documentation DIR deems necessary to determine the impact of the significant change upon the service. DIR will determine whether a change identified by the cloud service provider or reported by a contracting state agency qualifies as a significant change and whether the change warrants a review of the certification status.

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.