Information Security
Information Security

TX-RAMP Eligibility and Requirements

On this page:

Which organizations must comply with TX-RAMP?

Which TX-RAMP Certification Level is required?

Security Control Requirements

Which organizations must comply with TX-RAMP requirements?

  • TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges. (Texas Government Code 2054.003(13))
  • Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
  • Cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service.
  • Use this simple flowchart to help you identify if TX-RAMP is in scope for you.

Which TX-RAMP Certification Level is required?

TX-RAMP has two assessment and certification levels:

  • Level 1 for public/non-confidential information or low impact systems.
    • Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
  • Level 2 for confidential/regulated data in moderate or high impact systems.
    • Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 2 authorization or FedRAMP Moderate authorization.
       
  • TX-RAMP Provisional Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements.
    • Provisional Certification Status is a step in the TX-RAMP Assessment Request process and is achieved by completing the TX-RAMP Acknowledgment and Inventory Questionnaire. To initiate the questionnaire, a cloud service provider must complete the TX-RAMP Request Form online.

TX-RAMP Security Control Requirements

Only cloud computing services, as defined by Texas Government Code, section 2054.0593(a), are within scope for TX-RAMP. Products or services that are not cloud computing services are not subject to TX-RAMP. Certain specific cloud computing services are outside of the scope of Texas Government Code, section 2054.0593 and, as such, are not required to comply with TX-RAMP. Details about cloud offerings that are not in scope can be found in our TX-RAMP Manual 2.0.

Specific technical assessment criteria for Level 1 and Level 2 baseline may be found in the spreadsheet provided in the TX-RAMP Security Control Baselines.

Questions?

Contact the TX-RAMP team:

DIR TX-RAMP team

Information Security
Related Content
Information Security
Security Policy and Planning
TX-RAMP Quick Links
TX-RAMP Program Manual 3.0
TX-RAMP Certified Cloud Products
TX-RAMP Eligibility and Requirements
TX-RAMP Resources Library
TX-RAMP Request

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.