TEXAS - RAMP


Texas Risk and Authorization Management Program (TX-RAMP)

In the 87th Legislative Session, the Texas Legislature passed Senate Bill 475, requiring the Texas Department of Information Resources (DIR) to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.” To comply, DIR established a framework for collecting information about cloud services' security posture and assessing responses for compliance with required controls and documentation.

Texas Government Code 2054.0593 mandates that state agencies, as defined by Texas Government Code 2054.003(13), only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

 

SOURCE: Texas Department of Information Resources

When does it take effect?

  • Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2024.
  • Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.
  • Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.

Which organizations must comply with TX-RAMP requirements?

  • TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003(13)).
  • Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
  • Cloud providers need to demonstrate compliance with the security criteria to receive and maintain certification for a cloud computing service.

Certification Levels

TX-RAMP has two assessment levels:

  • Level 1 for public/non-confidential information or low-impact systems.
  • Level 2 for confidential/regulated data in moderate or high-impact systems.

 

Action Required

For Vendors

How do vendors get TX-RAMP certified?

There are three possible TX-RAMP certifications a vendor can receive depending on the sensitivity of the information or material they handle. DIR will define Low, Moderate, and High Impact information resources according to the Texas Administrative Code Chapter 202.1 and as determined by UTRGV.

Step 1 – Obtain level determination from UTRGV 

The first step is to obtain your appropriate TX-RAMP level based on confidentiality requirements and the organizational impact determination from UTRGV. Once categorized, vendors must obtain TX-RAMP certification from Texas DIR and submit a TX-RAMP Assessment Request to Texas DIR before their provisional certification expires.

We strongly recommend that you do this today to avoid a lapse in contracted services due to non-compliance.

Step 2 – Obtain the required TX-RAMP Certification

Apply and complete certification.

Step 3 – Notify UTRGV and submit a copy of the DIR TX-RAMP Certification 

Submit a copy of the DIR TX-RAMP certificate and the corresponding product SKU number(s) to UTRGV via email to pmo@utrgv.edu and infosec@utrgv.edu. 

Step 4 – Complete Requirements for Continuous Monitoring 

TX-RAMP requires agencies to routinely assess and monitor their vendors to ensure that their security posture is acceptable to maintain their certification. Vendors who are certified through TX-RAMP will be required to fill out a quarterly or yearly (for TX-RAMP Level 2 and Level 1, respectively) vulnerability questionnaire from DIR. Afterward, agencies are responsible for analyzing the results and reporting any critical findings to DIR.

Step 5 – Vendor must notify UTRGV when they are no longer TX-RAMP certified

If TX-RAMP Certification is revoked, the vendor must notify UTRGV via email to pmo@utrgv.edu and infosec@utrgv.edu.

For more information on the TX-RAMP certification process, please visit:

  • TX-RAMP Assessment Request for Vendors
  • TX-RAMP Overview for Vendors 

Contact Information:

For assistance with TX-RAMP, contact TX-RAMP@utrgv.edu.

For questions about how TX-RAMP certifications may affect procurement contracts, contact purchcontracts@utrgv.edu.

Resource Links:

Texas Senate Bill 475

Texas Department of Information Resources (DIR) 

UTRGV Information Security

For Faculty & Staff

Like most modern organizations, UTRGV utilizes software to perform many essential tasks. Much of that software is accessible via a “cloud” computing structure typically shared by other businesses and organizations and not hosted on university property.

While these systems are effective, they are not perfect. To better protect state data from future cybersecurity threats, the state has implemented the Texas Risk and Authorization Management Program (TX-RAMP), which requires state agencies and institutions, including UTRGV, to only contract with cloud vendors that comply with TX-RAMP certification standards.

 

How do we know if our software is TX-RAMP compliant?

UTRGV’s Information Technology and Information Security departments are tasked with actively assessing all software utilized by University employees and students on an ongoing basis. However, this is a huge undertaking, and we need your help to ensure UTRGV successfully complies with this new law.


What do I need to do?

All faculty and staff members who make software procurement decisions must submit a Software Assessment Request when a new product/vendor has been identified for purchase or 60 days before renewing an existing product/vendor.

Please note the following:

We thank you for taking this critical step toward protecting UTRGV and our campus community.