Get Started
Everything about TX-RAMP: Complete Guide

SaltyCloud Research Team

Updated Dec 3, 2021 Read Time 6 min


TX-RAMP is a standardized program for assessing and monitoring third-party vendors’ security for Texas state agencies and public higher education institutions with a mandate for agencies to contract only with TX-RAMP compliant vendors effective January 1, 2022.

The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides a standardized approach for security assessment, authorization, and continuous monitoring of third-party vendors that process the data of a state agency or public higher education institution in the State of Texas (agencies). The Texas Department of Information Resources (DIR) developed the program in compliance with Senate Bill 475.

Effective January 1, 2022, Texas Government Code § 2054.0593 mandates that agencies can only enter into contracts with TX-RAMP compliant vendors.

In this guide, we’ll go over everything you need to know about TX-RAMP, including its structure and requirements.

How does TX-RAMP work?

TX-RAMP requires vendors to adhere to a baseline level of security requirements, be certified by DIR, and for agencies to monitor those vendors continuously.

Baseline Requirements

TX-RAMP offers two levels of baseline security requirements based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

TX-RAMP Level 1

TX-RAMP Level 1 is reserved for public or non-confidential information or low-impact systems and requires a NIST 800-53 Low Impact Baseline assessment (124 controls).

TX-RAMP Level 2

TX-RAMP Level 2 is reserved for confidential or regulated data in moderate or high-impact systems and requires a NIST 800-53 Moderate Impact Baseline assessment (325 controls).


TX-RAMP offers three certifications—two primary levels based on the baseline requirements and a provisional certification to help vendors achieve compliance.

TX-RAMP Level 1 & 2 Certification

Vendors are certified at either of these two levels after they’ve initiated the certification process with DIR, conducted a baseline assessment, and submitted all required evidence to DIR for approval. Alternatively, vendors can use an existing StateRAMP or FedRAMP certification in place of the TX-RAMP process.

TX-RAMP Provisional Certification Status

Vendors may receive a one-time, provisional certification that lasts 18 months. This provisional certification ensures that vendors have enough time to prepare for the more rigorous requirements of TX-RAMP. Vendors can receive the provisional certification directly through DIR or agency sponsorship.

Third-Party Audit/Attestation Review

Vendors can receive a provisional certification by submitting an existing and accepted third-party assessment report to DIR.

  • CSA STAR Level 2 Certification
  • SSAE 16/18 (SOC 2 Type II)
  • ISO 27001/2 Audit
  • ISO 27017/18 Audit
  • Arizona Risk and Authorization Management Program (AZRAMP) Certification
  • Regulatory or Industry Standard Audit Reports
State Agency Sponsored Provisional Status

Vendors can also receive an agency-sponsored provisional certification. Agencies will need to conduct a vendor risk self-assessment, review the results, and submit it to DIR for approval. DIR suggests agencies use the Higher Education Community Vendor Assessment Tool (HECVAT) for self-assessments.

Continuous Monitoring

TX-RAMP requires agencies to routinely assess and monitor their vendors to ensure that their security posture is acceptable to maintain their certification. Vendors who are certified through TX-RAMP will be required to fill out a quarterly or yearly (for TX-RAMP Level 2 and Level 1, respectively) vulnerability questionnaire from DIR. Afterward, agencies are responsible for analyzing the results and reporting any critical findings to DIR.

How can I prepare for TX-RAMP?

Agencies will carry the initial compliance burden since they’ll have to ensure that their existing vendors prepare for certification. Agencies can take the following steps to prepare for TX-RAMP.

Classify vendors

Take inventory of your organization’s vendors and classify them according to Appendix E in the TX-RAMP Program Manual. Some vendors will fall under Level 1, others Level 2, and some might not need to comply.

Notify vendors

Notify all contracted vendors of TX-RAMP, their compliance requirements, and the options available to them. As previously mentioned, most vendors will need to be provisionally certified initially. Vendors can do that directly through DIR, or your agency can sponsor them. You can ask your vendors to either (1) submit an existing third-party certification or (2) complete a self-assessment like the HECVAT.

Assess vendors

If your vendor has opted for the agency-sponsored certification via a self-assessment, you’ll need to conduct a HECVAT assessment. You should use an automated solution to help you conduct and manage all vendor assessments.

Sponsor vendors

Once you’ve identified your vendors, notified them, and collected the relevant details from them, you’ll need to submit everything to DIR. If approved, vendors will receive their provisional, one-time, 18-month certification.

Plan ahead

After you get your vendors provisionally certified, you’ll want to implement a reliable and scalable vendor risk management process to fulfill the continuous monitoring requirements. Additionally, you’ll want to ensure that your vendors prepare to be fully certified during the 18-month provisional period.

What’s the difference between TX-RAMP, StateRAMP, FedRAMP?

TX-RAMP, StateRAMP, and FedRAMP are all standardized cybersecurity verification programs for cloud service providers serving government agencies and public higher education institutions. While FedRAMP serves the needs of federal agencies, StateRAMP serves the needs of local and state agencies, and TX-RAMP serves the specific requirements of Texas agencies and Senate Bill 475.

TX-RAMP introduces several new requirements to ensure that cloud service providers serving Texas agencies meet a baseline of security requirements to protect regulated and confidential data. The requirements go into effect on January 1, 2022, and require both agencies and cloud service providers to take action to ensure compliance. Agencies can learn more by reviewing the TX-RAMP Program Manual, or by watching one of the TX-RAMP Overview for Agencies Webinar.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple TX-RAMP solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline your TX-RAMP compliance.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

This guide covers everything you need to know about TAC 202, including what it entails, why it's important, and how you can comply. We even included a TAC 202 checklist to make it easy for your organization to get started.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule risk assessment of customer information security programs.

This Complete Guide explores basics and the compliance checklist for the GLBA Safeguards Rule requiring IT security programs securing customer data

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling