In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”  To comply, DIR established a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation. Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

For more information on TxRamp requirements: https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp

When does it take effect?

• Cloud offerings subject to TX-RAMP Level 1 certification (Published data) must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2024.

• Cloud offerings subject to TX-RAMP Level 2 certification (Controlled or Confidential data) must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.

• Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.

For more information on UT Data Classification: https://security.utexas.edu/policies/data_classification

Which organizations must comply with TX-RAMP requirements?

• TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13).

• Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.

• Cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service.

How does this apply to my vendor?

• Cloud software using published (Cat-III) data does not need TX-RAMP certification or ISO review at this time.

• Cloud software using controlled (Cat-II) or confidential (Cat-I) data, your vendor will need to pursue TX-RAMP certification Level 2. ISO review is not needed.

• Cloud software with a Level 2 certification or a Provisional certification meets TX-RAMP guidelines. ISO review is not needed.

NOTE: You can view a complete list of TX-RAMP certified cloud software in Isora, UT's governance, risk & compliance (GRC) platform. This vendor product inventory is updated daily using TX-RAMP's API. The Status section will indicate a vendor's current TX-RAMP certifications. For more information on viewing vendor products in Isora: Vendor Product Inventory and Assessments#ViewingProductInventory.

How does my vendor get TX-RAMP certified?

Once you've determined that your vendor needs TX-RAMP certification, they'll need to complete the following steps:

1. The vendor must complete the initial TX-RAMP vendor assessment questionnaire (https://survey.alchemer.com/s3/6510630/TX-RAMP-Vendor-Contact).

2. If TX-RAMP approves their initial assessment, the vendor will be granted an 18-month provisional status. 

3. The vendor must then complete full TX-RAMP assessment (~500 questions) and get approval during that provisional status to continue to do business with agencies and public universities in Texas.

4. The TX-RAMP review timeline could take up to 3-4 months so be sure to encourage your vendors to submit their initial assessment questionnaires as soon as possible.

NOTE: Once you've determined the TX-RAMP status of your vendor product, we recommend consulting with the Business Contracts Office (vpcfo.contracts@austin.utexas.edu) to see if a UT contract is needed for your purchase.

Exigent Circumstances

For exigent circumstances, vendors can complete a HECVAT assessment using Isora as a provisional step. However, the vendor will still need to complete steps 3 and 4 as listed above. Due to this duplication of effort, the ISO strongly recommends that vendors work directly with TX-RAMP to initiate TX-RAMP certification.

To initiate a HECVAT assessment within Isora, please follow the directions here: Vendor Product Inventory and Assessments#InitiatingaVendorProductSecurityAssessmentwithinIsora.

How does I add my vendor product to my department's inventory in Isora?