Does your organization provide cloud services to Texas State agencies or institutions of higher education? If yes, your company is mandated to comply with the Texas Risk and Authorization Management Program (TX-RAMP), created by Senate Bill (SB) 475 (87th legislative session) and administered by the Texas Department of Information Resources (DIR).
What is SB 475?
SB 475 relates to state agency and local government information management and security, including the establishment of the state risk and authorization management program and the Texas volunteer incident response team, and authorizes fees. Simply put, this bill is designed to address the growing information security threats that could impact state agencies.
Anyone paying attention to the global trend will agree that organizations are retooling their strategies by moving their applications and services from on-prem to the cloud. There is no doubt that the cloud offers tremendous benefits in deploying IaaS, PaaS, or SaaS in terms of scalability, disaster recovery, and potential cost savings. However, the deployment and use of cloud services also expose Texas State agencies to risk; hence the need for a mechanism to evaluate cloud service providers’ security and privacy posture. SB 475 provided the foundation for DIR to establish the TX-RAMP program as a mechanism to assess and certify organizations that provide cloud services to Texas State agencies, including institutions of higher education.
What are the Certifications Available in TX-RAMP?
TX-RAMP offers two primary certification levels – TX-RAMP level 1 certification and TX-RAMP level 2 certification.
TX-RAMP Level 1 Certification and Effective Date
The TX-RAMP Level 1 Certification is designed for cloud service providers (SPs) that process, transfer, or store public and non-confidential data or low-impact information resources (systems). DIR defines non-confidential data as information that is not required to be or may not be protected from unauthorized disclosure or public release based on state or federal law or other legal agreements. The effective certification date for Level 1 products and services is January 1, 2023.
TX-RAMP Level 2 Certification and Effective Date
The TX-RAMP Level 2 Certification is designed for cloud SPs that process, transfer, or store confidential data or moderate- or high-impact information resources (systems). DIR defines confidential data as information that “typically is excepted from the Public Information Act.” It therefore suffices to say that the public release of an organization’s confidential data may adversely affect the organization. DIR lists common examples of confidential information as attorney-client communications, computer vulnerability reports, protected draft communications, net salary information, etc. The effective certification date for Level 2 products is January 1, 2022.
DIR has prioritized organizations seeking Level 2 certification for their products due to the moderate or high impact of such services on state agencies. Realizing there would be no time to adequately assess and certify all cloud SPs between the time the law was passed and the effective date of implementation, DIR has included another certification, the TX-RAMP Provisional Certification, to bridge the gap.
TX-RAMP Provisional Certification
The TX-RAMP Provisional Certification is designed to ensure that organizations that provide or wish to provide cloud services to Texas State agencies and institutions of higher education have a valid certification to do so. The provisional accreditation gives SPs breathing space to complete full certification without stopping the services they are engaged to perform. Obtaining the TX-RAMP Provisional Certification gives an SP 18 months to seek the appropriate Level 1 or Level 2 certification while providing the required services. There are two paths to TX-RAMP Provisional Certification status: (1) agency sponsorship or (2) third-party assessment review.
Agency Sponsored. This option is available for agencies that wish to sponsor a service provider. The agency must notify DIR of the assessment criteria used, the date of the assessment, the impact level authorized, and any other relevant information deemed necessary. The agency may keep the raw assessment results and is not required to provide those details to DIR. Common assessments that agencies may rely on include the Consensus Assessment Initiative Questionnaire (CAIQ), the Center for Internet Security 18 Critical Security Controls (CIS 18), and the Higher Education Community Vendor Assessment Toolkit (HECVAT). Agencies can also rely on the Texas Administrative Code (TAC 202), SOC 2, NIST 800-171, or an agency’s internally developed framework.
Third-Party Review and Attestation. SPs using this path must complete and submit their assessment request form to DIR directly. Such SPs must include the third-party review evidence on which the request is based. Acceptable common assessment reports include ISO 27001, SOC 2, Cloud Security Alliance (CSA) STAR, and regulatory audits. If in doubt as to whether your certification is acceptable, don’t hesitate to get in touch with DIR.
Please note that irrespective of the option used, it is the responsibility of DIR to conduct the review and grant the provisional certification.
What Other Existing RAMP Statuses are Acceptable to DIR in Place of TX-RAMP?
Organizations that have acquired Federal Risk and Authorization Management Program (FedRAMP) authorization for their product(s) or service(s) and are listed in the FedRAMP Marketplace have no cause for alarm. DIR accepts and certifies these services at the equivalent TX-RAMP certification level. Your organization requires no further action unless it seeks a certification at a higher level than the one previously authorized.
Similarly, DIR also accepts and certifies organizations that have obtained StateRAMP authorization for the product(s) under consideration and are listed in the StateRAMP authorized vendor list.
What is the Cost of Obtaining TX-RAMP Certification?
Unlike FedRAMP and StateRAMP, DIR charges no fee for obtaining TX-RAMP certification. Of course, you will have to pay any consultants or employees engaged for this assignment.
Can my Company Pursue Level 1 or Level 2 Certification Directly Instead of Going Through the Provisional Certification Route?
Nothing prevents your organization from pursuing TX-RAMP Level 1 or Level 2 certification directly. However, remember that obtaining these certifications requires extensive review and greater scrutiny from DIR. Effective January 1, 2022, for Level 2 services and January 1, 2023, for Level 1 services, your company cannot renew or enter a new contract or agreement with state agencies while these reviews are ongoing. Our advice is to obtain the Provisional Certification while your organization takes the time to work through the primary certification process.
How Can Riskonsults be of Assistance to Your Organization?
Riskonsults is a consulting firm specializing in assisting organizations in establishing, implementing, maintaining, and maturing their information security and privacy programs. We are here to support you on your TX-RAMP certification journey. If your organization is a cloud SP or a state agency struggling to make sense of how to approach TX-RAMP certification for your critical cloud services, we are here to help. Please contact us at firstname.lastname@example.org or visit our website (www.riskonsults.com) to schedule a consultative meeting on the best path forward to meeting your requirements.
Lastly, Riskonsults does not represent the State of Texas Department of Information Resources or any of its affiliates. The information presented in this article describes our view and understanding of the TX-RAMP process and does not constitute legal advice. If you doubt the accuracy of the information presented, please consult your legal counsel, implementation partners, or DIR directly.