Understanding TX-RAMP 3.0: A Comprehensive Guide [+ Checklist]
As more organizations rely on cloud service providers (CSPs) to deliver secure and reliable infrastructure and services, state and local governments are passing increasing regulation and security criteria to protect against vulnerabilities in cloud platforms, misconfigurations, or security weaknesses in the underlying infrastructure that can expose these entities to significant security risks.
The Texas Risk and Authorization Management Program (TX-RAMP) is one such framework for managing these risks.
In this blog post, we'll explore what TX-RAMP is, who needs to comply, how many certification levels there are, and how Secureframe can help streamline the process. We'll also address some frequently asked questions to ensure you have a complete understanding of this framework.
What is the Texas Risk and Authorization Management Program (TX-RAMP)?
The Texas Risk and Authorization Management Program (TX-RAMP) is a framework that standardizes the risk management and authorization process for cloud services used by Texas state agencies, universities, and other institutions. Developed by the Texas Department of Information Resources (DIR), TX-RAMP aims to ensure that cloud service providers meet the state’s security and privacy requirements, facilitating secure and efficient cloud service usage within the public sector.
TX-RAMP 3.0, the latest version of the framework, was released in October 2023 and went into effect in December 2023. Let’s take a closer look at this revision below.
TX-RAMP 3.0
TX-RAMP 3.0 represents the latest iteration of the program. A key goal of this revision was to incorporate improvements and streamline workflows to make the process faster and less difficult for organizations to comply with. TX-RAMP 3.0 also incorporates updates based on feedback from previous versions and the evolving threat landscape to ensure that cloud services used by Texas state entities are secure and resilient against emerging threats.
To these ends, TX-RAMP 3.0 introduces more stringent security controls, clearer guidelines, and a more streamlined assessment process.
Here are three of the most significant changes from TX-RAMP 2.0 to TX-RAMP 3.0:
- Added Fast Track Assessment process: TX-RAMP 3.0 introduced a Fast Track Assessment process. This allows CSPs to leverage existing DIR-approved third-party assessments or audit reports that provide evidence of security practices to obtain either Level 1 or Level 2 Certification. Third-party assessments that may be accepted for the Fast Track include SOC 2 Type 2, PCI DSS, and HITRUST.
- Added transitional grace period: TX-RAMP 3.0 also introduced a transitional grace period. This enables state agencies to create and leverage a transition plan in the event that a compliant solution’s TX-RAMP certification lapses or is revoked. This timeline may not exceed 24 months from planned inception to execution.
- Clarified services not subject to TX-RAMP Certification: TX-RAMP 3.0 adds a new section to the program manual that clarifies which cloud computing services are out of scope for TX-RAMP certification. Examples include cloud services with only non-substantive use of confidential state-controlled data and custom-developed applications, among other categories.
Which organizations must comply with TX-RAMP requirements?
State agencies, institutions of higher education, public community colleges, and cloud service providers must comply with TX-RAMP requirements. The applicable requirements differ for these groups, however.
State agencies, institutions of higher education, public community colleges, and other entities defined by Texas Government Code Section 2054.00 must comply with the statutory requirements of contracting for cloud services with appropriate TX-RAMP certification. In other words, they must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements. This involves determining whether a cloud computing service is in scope for TX-RAMP and the appropriate TX-RAMP level for the service.
The cloud service providers that handle sensitive or confidential data on behalf of these entities, on the other hand, must comply with the security criteria to receive and maintain a TX-RAMP certification for a cloud computing service.
Note that TX-RAMP-compliant cloud service providers are not themselves required to use only TX-RAMP-compliant vendors or third-party services.
Now that we understand who TX-RAMP applies to, let’s take a look at the certification levels below.
TX-RAMP Certification Levels
TX-RAMP has three certification levels to accommodate varying degrees of risk and data sensitivity associated with cloud services. These levels are detailed below.
TX-RAMP Level 1 Certification
Level 1 is for cloud services that an agency categorizes as low-impact information resources. That is, the CSP processes or stores a negligible quantity and/or quality of confidential state-controlled data, so any loss of confidentiality, integrity, or availability of that data would have a limited adverse effect on the agency.
The security requirements at this level are less stringent than at Level 2. The Level 1 baseline is made up of 117 controls based on the NIST 800-53 Low Impact Baseline.
TX-RAMP Level 2 Certification
This level applies to cloud services that an agency categorizes as moderate- or high-impact information resources. That is, the CSP processes or stores a significant amount of confidential state-controlled data, so any loss of confidentiality, integrity, or availability of that data would have a serious or severe/catastrophic adverse effect on the agency.
Level 2 requires more comprehensive security controls and a thorough risk assessment. This level is made up of 223 controls based on the NIST 800-53 Moderate Impact Baseline.
TX-RAMP Provisional Certification
TX-RAMP Provisional Certification is a designation given to CSPs that allows Texas state agencies to temporarily enter or renew a contract with a CSP as they undergo the full TX-RAMP certification process. The CSP must obtain a TX-RAMP Level 1 or Level 2 certification within 18 months from the date that provisional certification is granted by the DIR or it will expire.
A CSP can also maintain the validity of its provisional certification by achieving an acceptable status within StateRAMP or FedRAMP.
Steps to Getting TX-RAMP Certification
Obtaining TX-RAMP certification involves several steps designed to ensure that CSPs meet the security criteria required by the State of Texas. Here is a detailed breakdown of the process:
1. Understand TX-RAMP requirements
Before starting the certification process, it's crucial to familiarize yourself with the TX-RAMP requirements. These are outlined by the Texas Department of Information Resources and include specific security controls, documentation, and risk management practices. Understanding these requirements is an important first step in preparing and streamlining the certification process.
If you’re a Secureframe customer, the platform has these requirements laid out for you, but you can speak with a compliance manager to help you understand these requirements and which apply based on your current environment.
2. Determine the appropriate certification level
A state agency is responsible for determining the required TX-RAMP certification level for your cloud computing service.
However, if you are pursuing TX-RAMP certification before a customer has requested it, then you can determine which level best applies to your cloud service based on the nature of the data you store or process and the potential impact of security breaches.
If using a compliance automation platform, ensure it supports both certification levels like Secureframe does. That way, you can work with any agency, no matter what certification level they determine applies to your cloud service.
3. Conduct a self-assessment and gap analysis
Perform a self-assessment to evaluate your current security posture against the TX-RAMP requirements. Identify any gaps or areas needing improvement. This step is essential to ensure that you meet the necessary controls and can address any deficiencies before proceeding to the formal assessment.
A compliance automation tool like Secureframe can automate this step. Once you integrate the audit-relevant software and tools you use every day, the Secureframe platform will show you exactly where you stand and what you need to do to comply with the appropriate TX-RAMP control baseline based on your unique configurations and IT infrastructure. As you work through the framework and complete activities within the Secureframe platform, it updates to show your progress percentage toward compliance.
4. Prepare required documentation
At this stage, you’ll need to gather and prepare all required documentation. This typically includes:
- Security policies and procedures
- TX-RAMP Security Plan Workbook
- Incident response plans
- Evidence of compliance with security controls
- Documentation of any third-party audits or certifications (such as FedRAMP, SOC 2 Type 2, etc.)
- A POA&M for each security control identified by either the vendor or DIR as deficient (i.e., not implemented or partially implemented)
A compliance automation platform can automate the audit-readiness and evidence-collection processes, saving your organization time and resources and reducing human error.
5. Submit an assessment request
Once your documentation is ready, initiate the certification process by completing the TX-RAMP Assessment Request form through the TX-RAMP webpage on the DIR website.
The DIR will guide you through the specific steps and provide any additional information needed for your certification level. The most important step is completing the TX-RAMP assessment questionnaire, including the TX-RAMP Security Plan (Control Implementation Workbook), and submitting it to DIR.
6. Undergo the formal assessment
Once your application is submitted, the DIR or an authorized third-party assessor will conduct a formal assessment of your cloud service. This assessment will verify that you meet the TX-RAMP security controls and requirements of your certification level. The assessment process may include:
- Reviewing documentation
- Conducting interviews with key personnel
- Performing technical evaluations of your security measures
7. Address any findings
If the assessment identifies any control deficiencies (i.e., not implemented or partially implemented), you will need to document and address these findings in a POA&M. Remediating these deficiencies may involve implementing additional security measures, updating documentation, or making procedural changes. Once the issues are resolved, you may need to undergo a follow-up assessment.
8. Achieve certification
After successfully completing the assessment and addressing any findings, you will receive your TX-RAMP certification. This certification demonstrates that your cloud service meets the required security and risk management standards and makes you eligible to work with Texas state entities.
9. Maintain compliance
TX-RAMP certification is typically valid for three years, with annual reviews required to ensure continued compliance. During this period, you must maintain your security controls, address any changes in your service or the threat landscape, and submit continuous monitoring reports.
A compliance automation platform can also automate the continuous monitoring process, providing your organization with a much more dynamic view of the effectiveness of your controls and the overall security posture of the organization than manual processes.
By following these steps and utilizing the right tools, you can efficiently navigate the TX-RAMP certification process and ensure that your cloud service meets the highest standards of security and compliance required by the State of Texas.
TX-RAMP compliance checklist
Achieving and maintaining TX-RAMP certification involves a structured approach that encompasses a range of activities from initial assessment to ongoing maintenance. Use this checklist to guide your organization through the compliance process.
How Long is a TX-RAMP Certification Valid?
TX-RAMP Level 1 and Level 2 certifications are valid for three years, provided that the cloud service provider continues to meet the program requirements. This requires undergoing annual reviews, which involve assessing any changes in the service, the threat landscape, and the provider's security posture. Continuous monitoring and adherence to TX-RAMP requirements are essential to maintain the certificate's validity throughout its duration.
To get recertified, cloud service providers must review and update control implementation details as necessary and provide updated documentation to DIR for review. CSPs can make the request to initiate the recertification process up to 12 months prior to the certification end date.
A TX-RAMP Provisional Certification is valid for 18 months from the date the certification is granted.
TX-RAMP Fast Track Assessment
The TX-RAMP Fast Track Assessment is an expedited process designed for cloud service providers that have already undergone rigorous security evaluations and have existing DIR-approved third-party assessments or audit reports that provide verified evidence of security practices.
By allowing CSPs to leverage their existing third-party assessments or audit reports to obtain TX-RAMP certification more quickly, this fast track option is designed to reduce redundancy and accelerate the approval process while maintaining the necessary security standards.
DIR currently accepts the following third-party assessments or audit reports to be considered for Fast Track assessment:
- SOC 2 Type 2 report
- HITRUST Authorized External Assessor Validated Assessment
- PCI DSS Qualified Security Assessor Audit Report on Compliance (RoC)
TX-RAMP Certification best practices
Here are some best practices for obtaining and maintaining TX-RAMP certification:
- Maintain comprehensive documentation: Maintain detailed documentation of all security policies, procedures, and controls, ensuring they are easily accessible and up-to-date. Develop a well-defined incident response plan that outlines specific steps to be taken in case of a security breach. This thorough documentation supports compliance and readiness.
- Conduct regular employee training: Conduct regular security awareness training sessions to educate employees about their roles in maintaining security. Implement phishing simulations and other training exercises to enhance their ability to recognize and respond to security threats. Continuous education helps build a security-conscious culture within the organization.
- Conduct regular reviews: Conduct regular reviews of your security practices and controls to ensure they remain effective and compliant. If any areas where your current practices do not meet TX-RAMP standards are identified, develop a remediation plan with specific actions, timelines, and assigned responsibilities to address these deficiencies. This proactive approach helps streamline the path to compliance.
- Leverage automation: Using a compliance automation platform can significantly simplify the TX-RAMP certification process. With this type of tool, you can automate risk assessments, manage documentation, monitor security controls, and ensure continuous compliance. This can reduce the time and effort required to achieve and maintain TX-RAMP certification.
Automating TX-RAMP compliance with Secureframe
As the only compliance automation platform that supports TX-RAMP, Secureframe significantly streamlines the process of achieving TX-RAMP certification, helping cloud service providers efficiently manage and meet the necessary security requirements.
Key features include:
- Government and federal compliance expertise: Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step.
- Integrations with federal cloud products: Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.
- Trusted partner network: Secureframe has strong relationships with partners that can offer vCISO services (i.e., tailored advice and support) to help simplify TX-RAMP compliance, like RISC point and CyAlpha. Secureframe also partners with respected auditing firms that are certified Third Party Assessment Organizations (3PAOs) and can support TX-RAMP Fast Track Assessments through other federal audits such as FedRAMP.
- Policy management: The platform provides templated policies, procedures, and a System Security Plan (SSP) to meet requirements and help you prepare for assessments, including POA&M documents, Impact Assessments, and readiness checklists.
- Cross-mapping across frameworks: TX-RAMP has many overlapping requirements with NIST 800-53, StateRAMP, NIST 800-171, FedRAMP, CJIS, CMMC, and other federal frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for TX-RAMP to other frameworks so you’re never duplicating efforts.
- Continuous monitoring: By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance. You can specify test intervals and notifications for required regular tasks to maintain TX-RAMP compliance. You can also use our Risk Management and Vulnerability capabilities to support your continuous monitoring efforts and POA&M maintenance.
To learn how Secureframe can help your organization reduce the time and effort required to achieve and maintain TX-RAMP certification, schedule a demo with a product expert.
FAQs
What types of cloud services are covered under TX-RAMP?
TX-RAMP covers various types of cloud services used by Texas state agencies and higher education institutions, including SaaS, PaaS, and IaaS solutions.
Can existing certifications like FedRAMP be used for TX-RAMP compliance?
Organizations can achieve TX-RAMP Level 1 and Level 2 certification by achieving the corresponding accepted StateRAMP or FedRAMP authorization. They can also submit existing certifications such as a SOC 2 Type II report for evaluation for the Fast Track Assessment process.
What happens if a cloud service provider fails to meet TX-RAMP requirements?
If a CSP fails to meet TX-RAMP requirements, they may be ineligible to provide services to Texas state entities, impacting their business opportunities.
Is TX-RAMP certification mandatory for all cloud service providers?
TX-RAMP certification is mandatory for CSPs that provide services to and process or store confidential data of Texas state agencies, public institutions of higher education, and other state entities.
How often are TX-RAMP requirements updated?
TX-RAMP requirements are periodically updated to reflect changes in the security landscape and to incorporate feedback from stakeholders. First released in 2021, TX-RAMP has had two major revisions, with the latest going into effect in December 2023.
What law mandates TX-RAMP?
Texas Government Code Section 2054.0593 mandates that state agencies as defined by Texas Government Code Section 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements.
What’s the difference between TX-RAMP, StateRAMP, and FedRAMP?
TX-RAMP applies to cloud services used by Texas state agencies, ensuring they meet specific security and risk management standards mandated by the Texas DIR. StateRAMP, modeled after FedRAMP but tailored for state and local governments across the United States, provides a standardized approach to security authorizations for cloud service providers serving state and local governments. FedRAMP is a federal program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.