Effective January 1, 2022, Texas institutions of higher education and public community colleges must comply with Texas Government Code 2054.0593 requirements when entering into or renewing contracts for cloud computing services. The new requirements are known as Texas Risk Assessment and Authorization Management Program ("TX-RAMP"). TX-RAMP provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency (which includes higher education and public community colleges).
Under this new program, cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service in Texas. Cloud computing vendors cannot enter into agreements with higher education institutions without this certificate.
Cloud offerings can obtain a TX-RAMP Level 1 certificate, a Level 2 certificate, or Provisional Status (which gives the vendor 18 months to obtain full certification). Level 1 certification is for cloud systems that hold only public or non-confidential information or that are low-impact systems. Level 2 certification is for cloud systems that hold confidential or regulated data or that are moderate- or high-impact systems.
Because this is a new requirement, many vendors are forced to obtain provisional status in order to comply. Provisional status allows the higher education institution to contract for use of the product for up to 18 months while the product does not have full TX-RAMP certification. Provisional status can be achieved through an agency sponsor or a third-party assessment. In the case of an agency-sponsored certificate, the institution of higher education must notify the Texas Department of Information Resources (DIR) of a previously conducted assessment for review. Alternatively, industry-standard assessment artifacts (SOC 2, ISO 27k, regulatory audits, CSA STAR, etc.) may be submitted for review.
Certain cloud computing services are out of scope for TX-RAMP because of their unique characteristics. Examples include: (i) email or notification distribution services that do not create, process, or store confidential information; (ii) social media platforms and services; and (iii) graphic design or illustration products.
On December 16, 2021, DIR conducted a webinar for agencies and institutions of higher education on the mechanisms for completing TX-RAMP-related activities within SPECTRIM, which is available here:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.