Texas Risk Assessment and Management Program (TX-RAMP)
TX-RAMP was established by the Texas Department of Information Resources to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency.
Definition and purpose
The primary purpose of TX-RAMP is to establish security measures for cloud products and services that process, store, or transmit data on behalf of Texas state agencies, in order to protect the information and information resources possessed by those agencies.
TX-RAMP is governed by the Texas Department of Information Resources (DIR). DIR is responsible for overseeing the program's implementation, ensuring compliance, and updating the regulations as necessary.
TX-RAMP applies to cloud computing services, as defined by Texas Government Code Section 2054.0593(a).
State agencies, institutions of higher education, and public community colleges as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements.
Controls and requirements
TX-RAMP outlines specific requirements that cloud providers must comply with in order to receive and maintain a certification for a cloud computing service. Some of the key requirements cover:
- Data classification, security, and retention
- Cybersecurity training
- Information security plan development and maintenance
The controls that cloud providers need to comply with depend on the TX-RAMP certification level they must adhere to. For TX-RAMP Level 1, the controls are drawn from the NIST 800-53 Low baseline; for TX-RAMP Level 2, they are drawn from the NIST 800-53 Moderate baseline. A NIST 800-53 baseline is the set of minimum security controls prescribed for an information system according to its impact level. You can learn more about NIST 800-53 and its security control baselines in our Ultimate Guide to Federal Frameworks.
For state agencies, TX-RAMP also establishes statutory requirements for contracting only for cloud services that hold the appropriate certification.
Please refer to the official legislation provided by the Texas Department of Emergency Management for a detailed list of controls and requirements.
Audit type, frequency, and duration
To obtain TX-RAMP certification, cloud offerings must undergo an assessment by DIR to ensure compliance with the program's requirements.
The frequency varies based on the certification level. There are three TX-RAMP certification levels:
- Level 1: for public/non-confidential information or low impact systems
- Level 2: for confidential/regulated data in moderate or high impact systems
- Provisional: permits a state agency to contract for the use of a product for up to 18 months without a full Level 1 or 2 certification. Full certification or equivalent will need to be attained during the provisional period.
TX-RAMP Level 1 and Level 2 certifications are valid for three years, provided the cloud service maintains compliance with the program requirements. A reassessment must therefore be conducted at least every three years for the certification to be renewed.
The duration of an audit varies depending on several factors, such as the thoroughness of responses and documentation, the timeliness of clarification responses, the level of assessment being performed, and the volume of requests. DIR aims to complete an assessment and issue a recommendation within 4 weeks.