Everything about TX-RAMP

Table of Contents

  1. Introduction
  2. How does TX-RAMP work?
    1. Baseline Requirements
    2. Certification
    3. Continuous Monitoring
  3. How can I prepare for TX-RAMP?
  4. What’s the difference between TX-RAMP, StateRAMP, and FedRAMP?
  5. How does SaltyCloud help with TX-RAMP?
  6. Conclusion

Introduction

The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides a standardized approach for security assessment, authorization, and continuous monitoring of third-party vendors that process the data of a state agency or public higher education institution in the State of Texas (agencies). The Texas Department of Information Resources (DIR) developed the program in compliance with Senate Bill 475.

Effective January 1, 2022, Texas Government Code § 2054.0593 mandates that agencies can only enter into contracts with TX-RAMP compliant vendors.

In this guide, we’ll go over everything you need to know about TX-RAMP, including its structure and requirements.

How does TX-RAMP work?

TX-RAMP requires vendors to meet a baseline set of security requirements and be certified by DIR, and it requires agencies to monitor those vendors continuously.

Baseline Requirements

TX-RAMP offers two levels of baseline security requirements based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

TX-RAMP Level 1

TX-RAMP Level 1 is reserved for public or non-confidential information or low-impact systems and requires a NIST 800-53 Low Impact Baseline assessment (124 controls).

TX-RAMP Level 2

TX-RAMP Level 2 is reserved for confidential or regulated data in moderate or high-impact systems and requires a NIST 800-53 Moderate Impact Baseline assessment (325 controls).

Certification

TX-RAMP offers three certifications—two primary levels based on the baseline requirements and a provisional certification to help vendors achieve compliance.

TX-RAMP Level 1 & 2 Certification

Vendors are certified at either of these two levels after they’ve initiated the certification process with DIR, conducted a baseline assessment, and submitted all required evidence to DIR for approval. Alternatively, vendors can use an existing StateRAMP or FedRAMP certification in place of the TX-RAMP process.

TX-RAMP Provisional Certification Status

Vendors may receive a one-time, provisional certification that lasts 18 months. This provisional certification ensures that vendors have enough time to prepare for the more rigorous requirements of TX-RAMP. Vendors can receive the provisional certification directly through DIR or agency sponsorship.

Third-Party Audit/Attestation Review

Vendors can receive a provisional certification by submitting an existing and accepted third-party assessment report to DIR.

  • CSA STAR Level 2 Certification
  • SSAE 16/18 (SOC 2 Type II)
  • ISO 27001/2 Audit
  • ISO 27017/18 Audit
  • Arizona Risk and Authorization Management Program (AZRAMP) Certification
  • Regulatory or Industry Standard Audit Reports

State Agency Sponsored Provisional Status

Vendors can also receive an agency-sponsored provisional certification. Agencies will need to conduct a vendor risk self-assessment, review the results, and submit it to DIR for approval. DIR suggests agencies use the Higher Education Community Vendor Assessment Tool (HECVAT) for self-assessments.

Continuous Monitoring

TX-RAMP requires agencies to routinely assess and monitor their vendors to ensure that their security posture remains acceptable for maintaining certification. Vendors certified through TX-RAMP will be required to fill out a vulnerability questionnaire from DIR, quarterly for TX-RAMP Level 2 and yearly for TX-RAMP Level 1. Afterward, agencies are responsible for analyzing the results and reporting any critical findings to DIR.

How can I prepare for TX-RAMP?

Agencies will carry the initial compliance burden since they’ll have to ensure that their existing vendors prepare for certification. Agencies can take the following steps to prepare for TX-RAMP.

Classify vendors

Take inventory of your organization’s vendors and classify them according to Appendix E in the TX-RAMP Program Manual. Some vendors will fall under Level 1, others Level 2, and some might not need to comply.

Notify vendors

Notify all contracted vendors of TX-RAMP, their compliance requirements, and the options available to them. As previously mentioned, most vendors will need to be provisionally certified initially. Vendors can do that directly through DIR, or your agency can sponsor them. You can ask your vendors to either (1) submit an existing third-party certification or (2) complete a self-assessment like the HECVAT.

Assess vendors

If your vendor has opted for the agency-sponsored certification via a self-assessment, you’ll need to conduct a HECVAT assessment. You should use an automated solution to help you conduct and manage all vendor assessments.

Sponsor vendors

Once you’ve identified your vendors, notified them, and collected the relevant details from them, you’ll need to submit everything to DIR. If approved, vendors will receive their provisional, one-time, 18-month certification.

Plan ahead

After you get your vendors provisionally certified, you’ll want to implement a reliable and scalable vendor risk management process to fulfill the continuous monitoring requirements. Additionally, you’ll want to ensure that your vendors prepare to be fully certified during the 18-month provisional period.

What’s the difference between TX-RAMP, StateRAMP, and FedRAMP?

TX-RAMP, StateRAMP, and FedRAMP are all standardized cybersecurity verification programs for cloud service providers serving government agencies and public higher education institutions. While FedRAMP serves the needs of federal agencies, StateRAMP serves the needs of local and state agencies, and TX-RAMP serves the specific requirements of Texas agencies and Senate Bill 475.

How does SaltyCloud help with TX-RAMP?

SaltyCloud offers Isora GRC, a Governance, Risk, and Compliance (GRC) Assessment Platform that streamlines TX-RAMP implementation for Texas agencies. Manage vendors, conduct vendor assessments (e.g., HECVAT), access dashboards, and export compliance reports. Learn more about Isora GRC.

Conclusion

TX-RAMP introduces several new requirements to ensure that cloud service providers serving Texas agencies meet a baseline of security requirements to protect regulated and confidential data. The requirements go into effect on January 1, 2022, and require both agencies and cloud service providers to take action to ensure compliance. Agencies can learn more by reviewing the TX-RAMP Program Manual or by watching one of the TX-RAMP Overview for Agencies webinars.
