The State of Texas and StateRAMP
Learn more about the partnership between the State of Texas and StateRAMP, and how it benefits you.
About the Program
Why StateRAMP
Protecting our State’s most sensitive and critical information is a team sport in Texas. While we have cybersecurity teams working non-stop to protect and defend our networks and systems from bad actors, the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.
One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where StateRAMP comes in.
StateRAMP has partnered with Texas to assist providers in meeting the statutory requirements of TX-RAMP, while also affording them the benefit of transferable credentials through standardized cybersecurity verification. This allows providers to verify once to serve many.
StateRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.
Learn more about StateRAMP on stateramp.org.
Texas Department of Information Resources (DIR)
The How
DIR and StateRAMP are partnering to help providers meet the statutory requirements of TX-RAMP. DIR has updated TX-RAMP’s cybersecurity procedures and policy language to allow both the StateRAMP Progressing Security Snapshot Program and StateRAMP authorization to meet TX-RAMP requirements for vendors that touch or hold our data.
The Texas Department of Information Resources (DIR) delivers technology solutions to state and local government entities. Specifically, DIR is here to:
- Offer purchasing support and policy insights so organizations across all levels of Texas government can find and securely implement modern technology
- Set forth strategic direction for IT statewide through policies and guidance
- Analyze cybersecurity risks and solutions
- Empower state and local government entities with reliable and secure technology
- Assist with technology procurement/purchasing
- Collaborate with technology vendors
- Create a dynamic online community for knowledge sharing
The approximately 250 professionals who work at DIR are driven by a sincere desire to make governmental technology more secure, cost-effective, and forward-looking.
For more information about DIR, please visit: Home | Texas Department of Information Resources
Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. StateRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
No. Every product your organization enrolls in StateRAMP’s Progressing Security Snapshot Program will satisfy the requirements for TX-RAMP Provisional Certification. Additionally, this program affords you Provisional Certification without the 18-month time limitation. Once your product has achieved TX-RAMP Provisional via the Progressing Security Snapshot program, you should begin working towards a StateRAMP Ready or Authorized status.
* Please note: While you are able to use a single Security Snapshot to qualify for limited TX-RAMP Provisional Certification, using this method will limit you to 18 months of TX-RAMP Provisional status. After 18 months, your product MUST have achieved TX-RAMP certification, StateRAMP Ready, or StateRAMP Authorized.
While StateRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a StateRAMP security status.
To participate in the StateRAMP Progressing Security Snapshot Program, providers need to become a member of StateRAMP and submit a Progressing Security Snapshot Request. Once the form is submitted and payment is fulfilled, providers will receive further instructions from the security team at the Program Management Office on how to schedule the Security Snapshot Review call.
We strive to provide Snapshot scores within three weeks of receiving payment. If you have time constraints due to solicitations, please indicate them on the StateRAMP Security Snapshot request form. Our security team at the Program Management Office will make every effort to accommodate your needs.
After the initial call, you will receive a Snapshot score. Additionally, you will receive quarterly updated Snapshots and have access to monthly one-hour consultative calls with our security team. These measures ensure that you are making progress toward meeting the requirements of a StateRAMP Ready Review.
The updated StateRAMP fee schedule outlines the costs for the StateRAMP Security Snapshot.
No. The TX-RAMP Provisional certification requires providers to catalog the available security artifacts and assurances.
However, to qualify for TX-RAMP Provisional Status, providers must provision access for DIR and other appropriate Texas agencies to view Snapshots and Progressing Notes.
Yes, if you are enrolled in StateRAMP’s Progressing Snapshot program or have a verified StateRAMP status, you will need to complete a TX-RAMP certification request as part of the reciprocity process.
Starting October 30, 2024, TX-RAMP requires all StateRAMP-certified products to submit a TX-RAMP Request Form in order to be added to their certified products list. Please complete the form by following this TX-RAMP Request Form link. You will be prompted to create an Archer Engage account if you have not already done so.
Once the TX-RAMP reciprocity request is completed, it will be reviewed by the Department of Information Resources (DIR) and the RAMP certification level validated before a reciprocal TX-RAMP certification is issued. Only complete this form if this product has never been on the TX-RAMP Certified Product List.
Additionally, if you need to update your status or report a change in your StateRAMP certification (e.g., you are now using the Progressing Snapshot Program to obtain TX-RAMP Provisional but you were previously on the TX-RAMP list, or your product moves off the Progressing Snapshot List because it has achieved StateRAMP Ready, or because you have unenrolled in the Progressing Snapshot program), you will need to submit a Status Change Request Form here. DIR will verify these changes and make appropriate updates to the TX-RAMP Certified Product List.
Important: When filling out these forms, it’s essential to use the same company name and product name you provided to StateRAMP to ensure DIR can complete their verification of your product.
If you have any questions about this process, please don’t hesitate to reach out to DIR or your Membership Engagement Specialist for clarification.
To learn more about how to obtain a StateRAMP Ready Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.
Continuous monitoring is the monthly security status check of the provider. It begins once a product achieves a StateRAMP milestone status of Ready, Provisional, or Authorized. Continuous monitoring ensures a service provider’s solution is progressing with its security requirements and maintaining a secure system state. It gives insights into a solution’s vulnerabilities, and monthly checks allow service providers to close out items and align with StateRAMP requirements. Continuous monitoring helps identify areas of risk so service providers can take action to protect the system as soon as possible.
If you have additional questions regarding StateRAMP, please visit: Frequently Asked Questions – StateRAMP
If you have additional questions about TX-RAMP please visit: Frequently Asked Questions – TX-RAMP
For questions or more information about StateRAMP, please contact: info@stateramp.org
If you have any questions about TX-RAMP, please contact: tx-ramp@dir.texas.gov
Announcements
Check out the recent webinar between StateRAMP and TX-RAMP below!
Overview of TX-RAMP
TX-RAMP stands for Texas Risk and Authorization Management Program. It is a program of the Texas Department of Information Resources (DIR) that provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.
TX-RAMP has two assessment and certification levels: Level 1 for public/non-confidential information or low impact systems, and Level 2 for confidential/regulated data in moderate or high impact systems. Cloud computing services that do not create, process, or store confidential state-controlled data, or connect with agency systems or networks that create, process, or store confidential state-controlled data are not required to be TX-RAMP certified.
For more information on the TX-RAMP program and its requirements, download the TX-RAMP Program Manual below.
TX-RAMP Certified Products
You can find more information about TX-RAMP Certified Products and the differences between provisional and full certification at the link below.
TX-RAMP Resources
For additional TX-RAMP resources, click below to go to the TX-RAMP Resource Library.
StateRAMP Overall Statement
StateRAMP is accepted by Texas and other states. Click below to see a list of StateRAMP’s participating governments.
State and Local Government
Contact us and schedule a conversation to get started. For more information about how StateRAMP works with governments, visit our Governments page.
Providers
For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.