Texas Risk and Authorization Management Program (TX-RAMP)

TX-RAMP Overview Webinars

DIR hosted a series of webinars on TX-RAMP and the TX-RAMP program manual. See recordings of the webinars below.

Overview of TX-RAMP

In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” To comply, DIR established a framework for collecting information about the security posture of cloud services and assessing responses for compliance with required controls and documentation. Texas Government Code § 2054.0593 mandates that state agencies, as defined by Texas Government Code § 2054.003(13), must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

When does it take effect?

  • Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies on or after January 1, 2023.
  • Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies on or after January 1, 2022.
  • Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.

Certification Levels

TX-RAMP has two assessment levels:

  • Level 1 for public/nonconfidential information or low impact systems.
  • Level 2 for confidential/regulated data in moderate or high impact systems.

TX-RAMP has three statuses:

  • Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
  • Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 3 authorization or FedRAMP Moderate authorization.
  • TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements. Provisional Certification Status can be achieved in two ways:
    • Agency-sponsored: Agencies can notify DIR of a previously conducted assessment for review.
    • Third-party Assessment: Industry-standard assessment artifacts may be submitted for review.

Resources

See the resources below to help guide your organization and prepare for the upcoming impacts of TX-RAMP.

.pdf (401.83 KB)
Last Updated: 11-02-2021

Manual for the TX-RAMP program

.xlsx (219.63 KB)
Last Updated: 11-02-2021

Security Control Baselines for the TX-Risk Authorization Management Program (TX-RAMP)

Frequently Asked Questions (FAQ)

Coming Soon

Contact DIR

Contact us with any questions related to TX-RAMP.
