State of Texas & GovRAMP

The flag of the State of Texas

Why GovRAMP?

Protecting our State’s most sensitive and critical information is a team sport in Texas. While we have cybersecurity teams working non-stop to protect and defend our networks and systems from bad actors, the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.

One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where GovRAMP comes in.

GovRAMP has partnered with Texas to assist providers in meeting the statutory requirements of TX-RAMP, while also affording them the benefit of transferable credentials through standardized cybersecurity verification. This allows providers to verify once to serve many.

GovRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.

Learn more about GovRAMP on govramp.org.

Texas Department of Information Resources (DIR)

The “How”

DIR and GovRAMP are partnering to help providers meet the statutory requirements of TX-RAMP.  DIR has updated TX-RAMP’s cybersecurity procedures and policy language to allow both the GovRAMP Progressing Security Snapshot Program, as well as GovRAMP authorization, to meet TX-RAMP requirements for vendors that touch or hold our data. 

The Texas Department of Information Resources (DIR) delivers technology solutions to state and local government entities. Specifically, DIR is here to:

  • Offer purchasing support and policy insights so organizations across all levels of Texas government can find and securely implement modern technology
  • Set forth strategic direction for IT statewide through policies and guidance
  • Analyze cybersecurity risks and solutions
  • Empower state and local government entities with reliable and secure technology
  • Assist with technology procurement/purchasing
  • Collaborate with technology vendors
  • Create a dynamic online community for knowledge sharing

The approximately 250 professionals who work at DIR are driven by a sincere desire to make governmental technology more secure, cost-effective, and forward-looking.

For more information about DIR, please visit: Home | Texas Department of Information Resources 

TX-RAMP Overview

TX-RAMP stands for Texas Risk and Authorization Management Program. It is a program of the Texas Department of Information Resources (DIR) that provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. 

TX-RAMP has two assessment and certification levels: Level 1 for public/non-confidential information or low impact systems, and Level 2 for confidential/regulated data in moderate or high impact systems. Cloud computing services that do not create, process, or store confidential state-controlled data, or connect with agency systems or networks that create, process, or store confidential state-controlled data are not required to be TX-RAMP certified.

For more information on the TX-RAMP program and its requirements, download the TX-RAMP Program Manual

Frequently Asked Questions

The Texas Risk and Authorization Management Program (TX-RAMP) is a standardized approach to assessing and authorizing cloud computing services used by Texas state agencies. Established under Texas Government Code §2054.0593, TX-RAMP ensures these services meet minimum security requirements.

GovRAMP is a nonprofit, membership-based program that provides a standardized approach to cloud security verification for service providers serving state and local governments. Built on NIST standards and modeled after FedRAMP, GovRAMP enables providers to demonstrate compliance through an independent, third-party verification process recognized by participating governments—including the State of Texas.

No. If your product is enrolled in GovRAMP’s Progressing Security Snapshot Program, it qualifies for TX-RAMP Provisional Certification. Products in this program are not subject to the 18-month provisional time limit.

⚠️ Important: A single Security Snapshot may also be used to obtain TX-RAMP Provisional Certification, but this approach is limited to 18 months. After that, your product must achieve TX-RAMP certification, GovRAMP Ready, or GovRAMP Authorized status to remain compliant.

Yes, GovRAMP security statuses are recognized by TX-RAMP. However, TX-RAMP certification does not grant GovRAMP status.

To participate:

  1. Become a GovRAMP Member
  2. Submit a Progressing Security Snapshot Request
  3. Pay the applicable fee
  4. Receive onboarding instructions from the GovRAMP PMO

You’ll receive:

  • A Snapshot score within ~3 weeks of payment
  • Quarterly updated Snapshots
  • Monthly one-hour consultative calls with GovRAMP’s security team

If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.

To participate in the GovRAMP Security Snapshot or Progressing Snapshot Program, providers must first hold an active GovRAMP membership. Membership fees range from $1,500 to $10,000, depending on the tier selected.

GovRAMP Security Snapshot
For products that have not yet achieved a GovRAMP Verified Status

  • $1,000 – Providers with less than $1M in annual revenue
  • $1,500 – Providers with $1M–$5M in annual revenue
  • $2,500 – Providers with more than $5M in annual revenue

GovRAMP Progressing Security Snapshot (Subscription Option)
Includes quarterly updated Snapshots and monthly advisory calls

  • $750/month – Providers with less than $1M in annual revenue
  • $1,000/month – Providers with $1M–$5M in annual revenue
  • $1,600/month – Providers with more than $5M in annual revenue

View the full GovRAMP Fee Schedule.

No. TX-RAMP Provisional Certification is based on artifact availability and access—not on a minimum score.

However, you must grant access to DIR and relevant Texas agencies to view Snapshot documentation and Progressing Notes in order to qualify.

Yes. Whether you’re newly enrolling in GovRAMP or updating your GovRAMP status (e.g., moving to Ready, unenrolling, etc.), you must complete the appropriate form:

Be sure to use the same product and company name you submitted to GovRAMP so DIR can complete verification

Visit the Getting Started with GovRAMP Guide to learn more. The guide includes:

  • Overview of the GovRAMP process
  • Step-by-step onboarding checklist
  • Requirements for verification

Learn more about the GovRAMP Ready Status process here.

GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisional, or Authorized. This includes:

  • Security status checks
  • Vulnerability tracking and closure
  • Ongoing alignment with NIST control requirements

Download GovRAMP’s Continuous Monitoring Guide.

Cloud services used by state agencies that process or store confidential or regulated data typically require TX-RAMP certification. Certain low-risk services—such as design tools, booking systems, or platforms used only for login or MFA—may be out of scope. Agencies are responsible for making this determination and maintaining documentation.

There are three certification paths:

  • Level 1: For services categorized as low impact
  • Level 2: For services categorized as moderate or high impact
  • Provisional: A temporary certification valid for 18 months while pursuing full certification. May be extended or maintained based on GovRAMP or FedRAMP status.

A provider may pursue certification through:

  1. Assessment by DIR using the TX-RAMP assessment process
  2. Recognition of an external status from GovRAMP or FedRAMP at the corresponding impact level
    1. Note: FedRAMP LI-SaaS is not accepted for TX-RAMP certification.

The following GovRAMP statuses are recognized as meeting TX-RAMP Level 2 requirements:

  • GovRAMP Core
  • GovRAMP Ready
  • GovRAMP Provisional
  • GovRAMP Authorized

Snapshot status may qualify for limited-duration Provisional Certification. Progressing Snapshot status remains valid while the provider is enrolled in the program.

Provisional Certification allows agencies to contract with a service while the provider works toward full certification. It is valid for 18 months unless backed by an active GovRAMP or FedRAMP status, in which case it remains valid as long as that external status is maintained.

You can view or download the most recent manual here: TX-RAMP Program Manual v3.1 – Texas DIR

Yes. See below for a comparison between SOC 2 and GovRAMP audits:

 

Announcements & Educational Opportunities

View the joint webinar with the TX-RAMP and GovRAMP Teams held in the spring of 2023 for more information. 

TX-RAMP Certified Products 

You can find more information about TX-RAMP Certified Products and the differences between provisional and full certification at the link below.

Learn More

TX-RAMP Resources & Documents

For additional tools, templates, and official guidance to support TX-RAMP compliance, click below to visit the TX-RAMP Resource Library.

Resource Library

GovRAMP Participating Governments

GovRAMP is accepted by Texas and other states. Click below to see a list of GovRAMP’s participating governments.

View Participating Government Organizations
GovRAMP Icon-Black

Contact Us

For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.

If you have any questions about TX-RAMP, please contact: tx-ramp@dir.texas.gov.

Scroll to Top