Texas Risk and Authorization Management Program (TX-RAMP)

TX-RAMP is a state-required program designed to verify that cloud computing services used by Texas agencies comply with baseline security standards. It was established from requirements put forth in the 87th Legislative Session, Senate Bill 475, and provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies and public institutions of higher education. To achieve TX-RAMP compliance, cloud providers must comply with an established framework and maintain continuous compliance.

Requirements

Per regulation, state agencies must not acquire or use cloud computing services that are subject to TX-RAMP certification requirements unless the cloud computing service is certified at the appropriate level. Cloud computing services must maintain their TX-RAMP certification throughout the contract period with the state agency. Non-compliant cloud computing services cannot be renewed, and if certification lapses under contract, current usage may be revoked. TX-RAMP certification is at the product level. Vendors with multiple products will need to certify each product that falls under TX-RAMP requirements.

Applicability

TX-RAMP applies to third-party cloud computing services that store, process, access, or transmit UT Southwestern data. The TX-RAMP Program Manual states that cloud computing services are defined by the National Institute of Standards and Technology (SP 800-145). Only products that meet the definition are in scope for TX-RAMP. UTSW created a tool that can assist in determining if a product or service is a cloud computing service: UTSW TX-RAMP Certification Decision Matrix.

Once it is determined that the product or service is a cloud computing system, the impact of the system and type of data to be used within the system must be determined to identify the full TX-RAMP scope.

To get started, the Texas Department of Information Resources (DIR) created an easy form to assist in determining if a cloud service is in scope and requires TX-RAMP certification:

TX-RAMP form for state agency customers

After the form is completed, applicability will be provided:

  • Out of Scope – TX-RAMP certification not required. Cloud computing services are out of scope of TX-RAMP certification provided the service is determined to be a low impact information resource that does not process or store confidential state-controlled data other than as needed for login capability or that processes or stores a negligible quantity and/or quality of confidential data.
  • TX-RAMP Level 1 – Required for low impact systems.
  • TX-RAMP Level 2 – Required for moderate or high impact systems.

If TX-RAMP certification is required, the vendor must certify their cloud service or UTSW cannot enter a contract. Cloud service providers should submit requests using the online form, TX-RAMP Request, to request DIR assessment in pursuit of TX-RAMP certification.

Need Help?

Additional details regarding TX-RAMP can be found at Texas Risk and Authorization Management Program (TX-RAMP) | Texas Department of Information Resources.

If assistance is needed for determination requirements, please email the Information Security Governance, Risk and Compliance team at GRC@utsouthwestern.edu.