tx-ramp compliance

How StateRAMP Helps Providers Fulfill TX-RAMP Compliance


Todd Taber
Todd Taber

In June 2021, Texas Gov. Greg Abbott signed a new cybersecurity law. Under the law, the Texas Department of Information Resources (DIR) was tasked to create a statewide risk and authorization management program that included continuous monitoring of the cloud computing services state agencies use. The goal was to provide a consistent, standardized approach for Texas’ security assessments and authorizations while bolstering data security statewide.  

DIR set to work to create a framework to gather data on cloud services’ security postures and how to assess cloud computing compliance appropriately to ensure state agencies in Texas and the citizens they serve are protected from cyberthreats. Their work established the Texas Risk and Authorization Management Program (TX-RAMP). Beginning January 1, 2022, many agencies throughout Texas may only enter into or renew contracts to receive cloud computing services from platforms that comply with TX-RAMP. 

But what is TX-RAMP and how does it relate to other risk management programs like StateRAMP and FedRAMP? Learn more about TX-RAMP, including who the new risk management program affects, what exactly is required for compliance, and how TX-RAMP security thresholds compare to other risk management standards.  

Quick Links

Understanding TX-RAMP Certification

TX-RAMP will have far-reaching effects for organizations throughout Texas and the companies that process, store, or transmit their data. Under the new law, state agencies, institutions of higher education, and public community colleges must use cloud service providers that have a current, valid TX-RAMP certification.

Cloud service providers can receive one of three possible TX-RAMP certifications depending on the sensitivity of the types of materials and information they handle. DIR will define Low, Moderate, and High Impact information resources according to the Texas Administrative Code Chapter 202.1 and as determined by each agency.

TX-RAMP’s Three Levels of Certification

TX-RAMP Level 1 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data considered nonconfidential or to be a Low Impact information resource. This standard goes into effect January 1, 2023.

TX-RAMP Level 2 Certification is the required minimum certification level for a cloud computing service that processes, stores, or transmits agency data considered to be confidential and to be a Moderate Impact or High Impact information source. This standard went into effect January 1, 2022.

TX-RAMP Provisional Certification can be leveraged in place of a TX-RAMP Level 1 or Level 2 Certification for the term of the provisional certification.

TX-RAMP Provisional Certification

Cloud services that receive a Provisional Certification must obtain a TX-RAMP Level 1 or Level 2 Certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date a company is conferred Provisional Status from DIR. Provisional Certification can be achieved in one of two ways:

  • Agency-sponsored request: Agencies can inform DIR of a previously conducted assessment
  • Third-party assessment audit/documentation: Industry-standard assessment artifacts may be submitted for review
TX-RAMP Security Assessments

Agencies may request TX-RAMP security assessments via the Statewide Portal for Enterprise Cybersecurity Threat, Risk, and Incident Management (SPECTRIM). Cloud service companies may request assessments of their products or services via the TX-RAMP Assessment Request Form.

How TX-RAMP Relates to StateRAMP and FedRAMP

Though TX-RAMP applies exclusively to agencies and cloud computing manufacturers doing business in Texas, the program shares many commonalities with existing State and Federal risk management programs, including StateRAMP and FedRAMP.

Cloud service providers with existing StateRAMP or FedRAMP statuses do not need to take any action to fulfill TX-RAMP compliance components. DIR will use StateRAMP’s Authorized Vendor List and FedRAMP Marketplace to certify cloud services with appropriate TX-RAMP security statuses.

tx-ramp compliance
tx-ramp compliance

By becoming members of StateRAMP and completing a StateRAMP verification, cloud service providers can streamline their TX-RAMP compliance. With current, valid StateRAMP verification, cloud service providers can be deemed compliant and be added to TX-RAMP’s list of approved services and able to serve agencies throughout Texas.

Get Started with StateRAMP Today

Joining StateRAMP puts cloud service providers on track to fulfill all current TX-RAMP security thresholds, enabling them to serve the people of Texas safely and securely. 

StateRAMP aims to help meet the clear need for a standardized approach to cybersecurity. Whether you’re a third-party assessor, government official, or cloud service provider, StateRAMP has the resources necessary to begin the process of authorization. Cloud service providers can apply now to join StateRAMP’s mission to bolster third-party cybersecurity standards for state and local governments.


Share on facebook
Share on twitter
Share on linkedin