TX-RAMP Eligibility and Requirements
Which organizations must comply with TX-RAMP requirements?
- TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges. (Texas Government Code 2054.003(13))
- Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
- Cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service.
- Use this simple flowchart to help you identify if TX-RAMP is in scope for you.
Which TX-RAMP Certification Level is required?
TX-RAMP has two assessment and certification levels:
- Level 1 for public/non-confidential information or low impact systems.
  - Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
- Level 2 for confidential/regulated data in moderate or high impact systems.
  - Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 2 authorization or FedRAMP Moderate authorization.
- TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements.
  - Provisional Certification Status is a step in the TX-RAMP Assessment Request process and is achieved by completing the TX-RAMP Acknowledgment and Inventory Questionnaire. To initiate the questionnaire, a cloud service provider must complete the TX-RAMP Request Form online.
TX-RAMP Security Control Requirements
Only cloud computing services, as defined by Texas Government Code, section 2054.0593(a), are within scope for TX-RAMP. Products or services that are not cloud computing services are not subject to TX-RAMP. Certain specific cloud computing services are outside of the scope of Texas Government Code, section 2054.0593 and, as such, are not required to comply with TX-RAMP. Details about cloud offerings that are not in scope can be found in our TX-RAMP Manual 2.0.
Specific technical assessment criteria for the Level 1 and Level 2 baselines may be found in the spreadsheet provided in the TX-RAMP Security Control Baselines.