TX-RAMP Guidelines for Cloud Software/Services
Overview of Texas Risk and Authorization Management Program (TX-RAMP)
In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” To comply, DIR established a framework for collecting information about a cloud service's security posture and assessing responses for compliance with required controls and documentation. Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.
For more information on TX-RAMP requirements: https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp
When does it take effect?
Cloud offerings subject to TX-RAMP Level 1 certification (Published data) must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2024.
Cloud offerings subject to TX-RAMP Level 2 certification (Controlled or Confidential data) must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.
Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.
For more information on UT Data Classification: https://security.utexas.edu/policies/data_classification
Which organizations must comply with TX-RAMP requirements?
TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003(13)).
Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
Cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service.
How does this apply to my vendor?
Cloud software using published (Cat-III) data does not need TX-RAMP certification or ISO review at this time.
For cloud software using controlled (Cat-II) or confidential (Cat-I) data, your vendor will need to pursue TX-RAMP Level 2 certification. ISO review is not needed.
Cloud software with a Level 2 certification or a Provisional certification meets TX-RAMP guidelines. ISO review is not needed.
NOTE: You can view a complete list of TX-RAMP certified cloud software in Isora, UT's governance, risk & compliance (GRC) platform. This vendor product inventory is updated daily using TX-RAMP's API. The Status section will indicate a vendor's current TX-RAMP certifications. For more information on viewing vendor products in Isora: Vendor Product Inventory and Assessments#ViewingProductInventory.
How does my vendor get TX-RAMP certified?
Once you've determined that your vendor needs TX-RAMP certification, they'll need to complete the following steps:
The vendor must complete the initial TX-RAMP vendor assessment questionnaire (https://survey.alchemer.com/s3/6510630/TX-RAMP-Vendor-Contact).
If TX-RAMP approves their initial assessment, the vendor will be granted an 18-month provisional status.
The vendor must then complete the full TX-RAMP assessment (~500 questions) and get approval during that provisional status to continue to do business with agencies and public universities in Texas.
The TX-RAMP review timeline could take up to 3-4 months, so be sure to encourage your vendors to submit their initial assessment questionnaires as soon as possible.
NOTE: Once you've determined the TX-RAMP status of your vendor product, we recommend consulting with the Business Contracts Office (email@example.com) to see if a UT contract is needed for your purchase.
For exigent circumstances, vendors can complete a HECVAT assessment using Isora as a provisional step. However, the vendor will still need to complete steps 3 and 4 as listed above. Due to this duplication of effort, the ISO strongly recommends that vendors work directly with TX-RAMP to initiate TX-RAMP certification.
To initiate a HECVAT assessment within Isora, please follow the directions here: Vendor Product Inventory and Assessments#InitiatingaVendorProductSecurityAssessmentwithinIsora.
How do I add my vendor product to my department's inventory in Isora?
Once your vendor has received TX-RAMP certification, you'll need to add the vendor to your department's inventory: Vendor Product Inventory and Assessments#AddingVendorProductstoDepartmentInventory
More information about Vendor Assessments and Inventory can be found at: https://wikis.utexas.edu/pages/viewpage.action?pageId=297382784
If you have any questions, please email firstname.lastname@example.org.
Isora is a web-based tool managed by the UT Information Security Office that allows departments to record information about the applications they have developed or installed in their areas. This registry tracks information such as: application stewards, data classification, priority, associated systems, etc. This registry also allows for applications to be consistently assessed against the Minimum Security Standards for Application Development and Administration and comply with the System Development and Deployment Standard (Section 21) of the UT Austin Information Resources Use and Security Policy.
Applications are generally services that are created or managed by the university (on or off-premise) where no third parties have access to university data. These can be applications that are built in-house, open source products or purchased products that the university manages.
NOTE: In accordance with Texas Administrative Code (TAC) 202 and UT System policy, all applications processing Confidential university data or that are deemed Mission Critical must be registered and assessed by Isora. Such assessments must be renewed annually.
More information about Application Assessments and Inventory can be found at:
If you have any questions, please email email@example.com.