Texas Risk and Authorization Management Program (TX-RAMP)
TX-RAMP Overview Webinars
DIR hosted a series of webinars on TX-RAMP and the TX-RAMP program manual. See the webinar recordings below.
Overview of TX-RAMP
In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” To comply, DIR established a framework for collecting information about cloud services' security posture and assessing responses for compliance with required controls and documentation. Texas Government Code § 2054.0593 mandates that state agencies, as defined by Texas Government Code § 2054.003(13), only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements, beginning January 1, 2022.
When does it take effect?
- Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies on or after January 1, 2023.
- Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies on or after January 1, 2022.
- Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.
TX-RAMP has two assessment levels:
- Level 1 for public/nonconfidential information or low impact systems.
- Level 2 for confidential/regulated data in moderate or high impact systems.
TX-RAMP has three statuses:
- Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
- Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 3 authorization or FedRAMP Moderate authorization.
- TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements. Provisional Certification Status can be achieved in two ways:
  - Agency-sponsored: Agencies can notify DIR of a previously conducted assessment for review.
  - Third-party Assessment: Industry-standard assessment artifacts may be submitted for review.
See the resources below to help guide your organization and prepare for the upcoming impacts of TX-RAMP.
Manual for the TX-RAMP program
Security Control Baselines for the TX-Risk Authorization Management Program (TX-RAMP)
Frequently Asked Questions (FAQ)