Texas Risk and Authorization Management Program (TX-RAMP)

On this page:

TX-RAMP Certified Products

TX-RAMP Overview, Resources, and Implementation Dates

Helpful Links for Customers and Vendors

Frequently Asked Questions

TX-RAMP Certified Cloud Products

Access the latest list of cloud computing services certified through TX-RAMP.

.xlsx (55.56 KB)
Last Updated: 05-20-2022

List of cloud computing products that have been certified through the Texas Risk and Authorization Management Program (TX-RAMP)

Overview of TX-RAMP

In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”  To comply, DIR established a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation. Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

When does it take effect?

  • Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2023.
  • Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.
  • Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.

Which organizations must comply with TX-RAMP requirements?

  • TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13).
  • Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
  • Cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service.

Certification Levels

TX-RAMP has two assessment levels:

  • Level 1 for public/non-confidential information or low impact systems.
  • Level 2 for confidential/regulated data in moderate or high impact systems.

TX-RAMP has three statuses:

  • Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
  • Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 3 authorization or FedRAMP Moderate authorization.
  • TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements. Provisional Certification Status can be achieved through two ways:
    • Agency-sponsored: Agencies can notify DIR of a previously conducted assessment for review
    • Third-party Assessment: Industry-standard assessment artifacts may be submitted for review

SPECTRIM

The Statewide Portal for Enterprise Cybersecurity Threat, Risk, and Incident Management (SPECTRIM) is the mechanism by which agencies can request assessments or submit notification and information for provisional certifications. DIR conducted a webinar for agencies and institutions of higher education to learn about the mechanisms for completing TX-RAMP related activities within SPECTRIM on December 16, 2021.

TX-RAMP SPECTRIM Overview Webinar- Video

TX-RAMP SPECTRIM Overview Webinar- PowerPoint Presentation

Resources

See the resources below to help guide your organization and prepare for the upcoming impacts of TX-RAMP.

.pdf (401.83 KB)
Last Updated: 11-02-2021

Manual for the TX-RAMP program

.xlsx (140.07 KB)
Last Updated: 12-08-2021

Security Control Baselines for the TX-Risk Authorization Management Program (TX-RAMP)

.pdf (2.17 MB)
Last Updated: 11-23-2021

.pdf (2.14 MB)
Last Updated: 01-20-2022

.pdf (1.76 MB)
Last Updated: 12-20-2021

Slide deck from the TX-RAMP SPECTRIM Overview Webinar, December 16, 2021.

.xlsx (55.56 KB)
Last Updated: 05-20-2022

List of cloud computing products that have been certified through the Texas Risk and Authorization Management Program (TX-RAMP)

TX-RAMP Overview Webinars

DIR hosted a series of webinars on TX-RAMP and the TX-RAMP program manual. See recordings of the webinar below.

Frequently Asked Questions (FAQs)

.pdf (175.76 KB)
Last Updated: 01-10-2022

Information about the Texas Risk and Authorization Management Program (TX-RAMP)

Contact DIR

Contact us with any questions related to TX-RAMP.

TX-RAMP Contact

Information Security

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.