Texas Risk and Authorization Management Program (TX-RAMP)
A new Texas state law requires that cloud services being purchased or received comply with the Texas Risk and Authorization Management Program (TX-RAMP) requirements before a contract is entered into or renewed.
Anyone purchasing or obtaining cloud services (cloud software as a service, infrastructure as a service, or platform as a service) should notify their vendors of this requirement to reduce the time to approve purchases and give time for vendors to become compliant. Cloud services that cannot comply by the dates specified for the types of data involved cannot be used by any state agency (i.e. UTA).
Effective January 1, 2022, any cloud service that handles Confidential Data must have a “Level 2” TX-RAMP Certification or a Provisional Certification, which allows a vendor 18 months to become Level 2 certified. Vendors may apply for certification and for provisional certification themselves.
Effective January 1, 2024, all cloud services irrespective of data types must have a TX-RAMP Certification. Services dealing with Controlled or Public data must have a Level 1 TX-RAMP certification.
Provisional Certification. Vendors may apply for a provisional certification in addition to the appropriate TX-RAMP Certification Level; it allows them to work with state agencies for 18 months while they obtain their certification.
Please work with your vendors to ensure they are aware of the TX-RAMP requirement and are working to comply with this law. If a vendor’s product is not compliant, UTA cannot begin using it or renew licenses for the service when current contracts expire. (A reminder: many online services have a “Click Through” agreement during the online purchase. This is a legal contract, and unless you are authorized by the University, you are violating policy and putting the University at risk by not following the proper procedures for reviewing the security, accessibility, and legal requirements.)
TX-RAMP Background
Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.
Senate Bill 475 required the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” To comply, DIR established a framework for collecting information about a cloud service’s security posture and assessing the responses for compliance with the required controls and documentation.
TX-RAMP Certification Levels and Overview:
Level 2 Certification:
Cloud Services dealing with State/University Confidential/Regulated Data in moderate or high impact systems. Required by January 1, 2022.
Level 1 Certification:
Cloud services dealing with State/University public/non-confidential information or low impact systems. Required by January 1, 2024.
Provisional Certification:
Allows for a state agency to contract for the use of a product for up to 18 months without the service receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements.
Out of Scope:
Some cloud services are out-of-scope for TX-RAMP due to unique characteristics of the cloud service. These services are only out-of-scope if they do not
- create, process, or store confidential state-controlled data (except as needed to provide a login capability, e.g. username, password, email) or
- connect with agency systems or networks that create, process, or store confidential state-controlled data such that any security incident might affect such systems or networks.
The below cloud computing services are considered out of scope of TX-RAMP:
- Consumption-focused cloud computing services such as advisory services, market research, or other resources that are used to gather non-confidential research or advisory information
- Graphic design or illustration products
- Geographic Information Systems or mapping products that are not used for confidential purposes or tied to individual identities
- Email or notification distribution services that do not create, process, or store confidential information
- Social media platforms and services
- Survey and scheduling cloud computing services that do not create, process, or store confidential information
- Cloud computing services used to deliver training that do not create, process, or store confidential information
- Cloud computing services used to transmit copies of nonconfidential data as required by external governing bodies for purposes of accreditation and compliance; and
- Low Impact Software-as-a-Service cloud computing services as defined by the following criteria:
  - The product meets the definition of Software as a Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing;
  - The cloud computing service does not contain personally identifiable information (PII), except as needed to provide a login capability (username, password and email address), or create, process, or store confidential state-controlled data;
  - The cloud computing service is a low impact information resource as defined by 1 TAC §202.1; and
  - The cloud computing service operates within a TX-RAMP certified Platform as a Service (PaaS) or Infrastructure as a Service (IaaS).
TX-RAMP Information and Links
- Texas Department of Information Resources (TX DIR) TX-RAMP Information: https://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp
- Note: the above page links to updated lists of TX-RAMP Certified Cloud Products
- TX-RAMP Manual: TX-RAMP Program Manual v2
- Overview for the vendors: https://dir.texas.gov/sites/default/files/2022-01/TX-RAMP Overview Webinar For Vendors.Update.pdf
- Vendor link to submit for Certification/Assessment: https://survey.alchemer.com/s3/6510630/TX-RAMP-Vendor-Contact
- TX-RAMP FAQs by the Texas Dept of Information Resources: https://dir.texas.gov/sites/default/files/2022-01/TX-RAMP%20FAQ.12.30.21.pdf