TX-RAMP (Texas Risk and Authorization Management Program) is a cybersecurity program that was modeled after the similarly named FedRAMP and StateRAMP programs to ensure that cloud computing services that work with federal or state agencies have adequate security controls in place. The program comes from the passing of Senate Bill 475 (https://capitol.texas.gov/tlodocs/87R/billtext/pdf/SB00475F.pdf#navpanes=0) by the Texas State Legislature, which required the Texas DIR to provide a “standardized approach for security assessment, authorization, and continuous monitoring (https://www.upguard.com/blog/continuous-security-monitoring) of cloud computing services that process the data of a state agency.” As a result, all cloud providers contracted with Texas state agencies must comply with TX-RAMP requirements and maintain TX-RAMP certifications.
As such, DIR has established the following continuous monitoring criteria for CSPs contracting with state agencies: TX-RAMP Level 1 Certified cloud services must provide annual vulnerability reports of identified vulnerabilities and corresponding mitigation activities to Texas DIR.
Events that can result in a TX-RAMP certification being revoked include, but are not limited to, the following:
- Failure to inform required parties of significant changes to the cloud computing service within 30 days
- Failure to inform required parties of the loss of other accepted risk and authorization management program (FedRAMP, StateRAMP) certifications
- Failure to provide the required continuous monitoring documents
- The report of false or misleading information to DIR or other relevant state agency
- Referencing non-certified cloud computing services as TX-RAMP certified
- Failure to report a breach of system security to DIR within 48 hours of discovery