- January 23, 2023
As cyber threats increase worldwide, lawmakers continue to enforce strict regulations on organizations doing business with state-related agencies. For example, in 2021, the Texas Department of Information Resources (DIR) established the Texas Risk and Authorization Management Program (TX-RAMP) from requirements in Senate Bill 475. Such regulations are meant to secure customer data and strengthen the cybersecurity resilience of small and medium-sized businesses (SMBs).
TX-RAMP provides a standardized approach toward security assessment, authorization, and continuous monitoring, especially for data assets and computing services hosted in the cloud. A recent report shows that 67% of cybersecurity professionals consider the misconfiguration of cloud security the most significant cloud security risk. The DIR framework collects information about the security posture of cloud services and assesses responses for compliance with required controls and documentation.
This article explores the details of TX-RAMP and its compliance requirements.
Particulars of TX-RAMP and Its Importance
TX-RAMP is a DIR program that provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services. It aims to review security measures of cloud products and services that process, store, or transmit data to Texas state agencies, institutes of higher education, and public community colleges.
TX-RAMP dictates that agencies comply with the statutory requirements of contracting for cloud services with appropriate certification. In addition, cloud providers must demonstrate compliance with the security criteria for receiving and maintaining the certification. However, certain cloud computing services are outside the scope of TX-RAMP due to their unique characteristics: email or notification distribution services, educational tools, social media platforms, and graphic design and illustration products or services that do not create, process, or store confidential information do not require TX-RAMP compliance.
The minimum certification level for a cloud service is determined by the impact level of the contracting agency’s information resources and the confidentiality of the processed, stored, or transmitted data. Therefore, agencies must consult with appropriate internal stakeholders to verify whether the cloud service is subject to TX-RAMP certification.
Modeled after FedRAMP and StateRAMP, TX-RAMP provides a solid framework to ensure that state agencies purchase cloud computing services with adequate security controls. Likewise, it gives state IT leaders higher visibility into how vendors manage their environments, offers security officers greater control over the disparate technologies that make up the state IT ecosystem, and helps prevent the risks associated with shadow IT. It also enables them to review vendors’ policies, standards, and documentation to ensure they have a strong cybersecurity posture with all controls in place.
Becoming TX-RAMP Compliant
TX-RAMP has three levels of certification: Level 1, Level 2, and Provisional certificates. Level 1 certification is for public or non-confidential information or low-impact systems, whereas Level 2 certification is for confidential or regulated data that falls under moderate- or high-impact systems. Businesses must submit the assessment responses and meet the minimum requirements for the Level 1 or Level 2 assessment criteria to achieve Level 1 or Level 2 certification, respectively. These certifications are valid for three years. Alternatively, businesses can submit evidence of StateRAMP Category 1 or 2 authorization or FedRAMP Low or Moderate authorization.
The provisional certification, valid for 18 months, permits state agencies to contract with cloud computing services that lack full TX-RAMP certification, provided the service obtains certification through a TX-RAMP assessment or an equivalent within the provisional period. Cloud service providers must access the TX-RAMP request form online and initiate the questionnaire; they obtain the provisional certificate by completing the TX-RAMP acknowledgment and inventory questionnaire.
The duration of the assessment review process depends on various factors, such as the quality and completeness of initial documents, timeliness of response to additional information requests, and the request volume.
Security governance and compliance remain an integral part of business, as staying compliant with standards and regulations ensures business alignment with industry and government requirements for protecting critical data and improving security posture. For many organizations, adherence to the barrage of requirements outlined in a typical compliance framework is non-negotiable because of the financial and reputational damage associated with non-compliance. For example, TX-RAMP compliance requires agencies operating within Texas to routinely assess and monitor their vendors and suppliers to ensure that the vendors' security posture remains acceptable and their certification is maintained.
Unfortunately, 77% of SMBs need more resources to perform cyber risk operations, such as assessing, deploying, and maintaining current and projected compliance requirements. Therefore, collaborating with a reliable cybersecurity compliance partner specializing in a risk-based approach to security is essential to ensure proper risk assessment and security gap identification processes are deployed before seeking TX-RAMP certification.
The security governance and compliance experts at GoldSky have the expertise and capabilities to deploy a robust TX-RAMP certification roadmap that provides a clear pathway to attaining and maintaining TX-RAMP certification without jeopardizing core security objectives or business goals.