Texas Risk Assessment and Management Program (TX-RAMP)

TX-RAMP was established by the Texas Department of Information Resources to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency.

Definition and purpose

The primary purpose of TX-RAMP is to establish security measures for cloud products and services that process, store, or transmit data to Texas state agencies in order to protect the information and information resources possessed by those agencies.

Governing Body

TX-RAMP is governed by the Texas Department of Information Resources (DIR). DIR is responsible for overseeing the program's implementation, ensuring compliance, and updating the regulations as necessary.

Last updated

The latest version of TX-RAMP, TX-RAMP Manual v3.0, was last updated in October 2023. It will be effective December 1, 2023. Until then, TX-RAMP Manual v2.0 remains in effect.

Applies to

TX-RAMP applies to cloud computing services, as defined by Texas Government Code Section 2054.0593(a).

State agencies, institutions of higher education, and public community colleges as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements. 

Controls and requirements

TX-RAMP outlines specific requirements that cloud providers must comply with in order to receive and maintain a certification for a cloud computing service. Some of the key requirements cover:

  • Reporting 
  • Data classification, security, and retention
  • Cybersecurity training
  • Information security plan development and maintenance

The controls that cloud providers need to comply with depends on the TX-RAMP certification level they need to adhere to. If they need to adhere to TX-RAMP Level 1, the controls use the NIST 800-53 Low baseline. This is a set of minimum security controls for information systems based on their impact level. If they need to adhere to TX-RAMP Level 2, the controls use the NIST 800-53 Moderate baseline. You can learn more about NIST 800-53 and its security control baselines in our Ultimate Guide to Federal Frameworks.

For state agencies, TX-RAMP also establishes statutory requirements of contracting for cloud services with appropriate certification.

Please refer to the official legislation provided by the Texas Department of Emergency Management for a detailed list of controls and requirements.

Audit type, frequency, and duration

To obtain TX-RAMP certification, cloud offerings must undergo an assessment by DIR to ensure compliance with the program's requirements.

The frequency varies based on the certification level. There are three TX-RAMP certification levels:

  • Level 1: for public/non-confidential information or low impact systems
  • Level 2: for confidential/regulated data in moderate or high impact systems
  • Provisional: permits a state agency to contract for the use of a product for up to 18 months without a full Level 1 or 2 certification. Full certification or equivalent will need to be attained during the provisional period.

TX-RAMP Level 1 and Level 2 Certifications are valid for three years as long as the cloud service maintains compliance with the program requirements, so these assessments will need to be conducted at least every three years for certification to be renewed. 

The duration of audits varies depending on several factors such as thoroughness of

responses and documentation, timeliness of clarification responses, level of assessment being performed, and volume of requests. The DIR aims to complete an assessment and issue a recommendation within 4 weeks.

Get compliant using Secureframe Custom Frameworks