TX-RAMP
When does it take effect?
- Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2023.
- Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.
- Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.
Which organizations must comply with TX-RAMP requirements?
- TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13)).
- Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
- Cloud providers need to demonstrate compliance with the security criteria to receive and maintain certification for a cloud computing service.
Certification Levels
TX-RAMP has two assessment levels:
- Level 1 for public/non-confidential information or low-impact systems.
- Level 2 for confidential/regulated data in moderate or high-impact systems.
TX-RAMP has three statuses:
- Level 1 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 1 Assessment Criteria or by submitting evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization.
- Level 2 Certification is achieved after submitting the assessment responses and meeting the minimum requirements for the Level 2 Assessment Criteria or by submitting evidence of StateRAMP Category 3 authorization or FedRAMP Moderate authorization.
- TX-RAMP Provisional Certification Status provides a provisional product certification permitting a state agency to contract for the use of a product for up to 18 months without receiving full TX-RAMP certification. Upon achieving provisional status, the cloud computing service will need to be certified through a TX-RAMP assessment or equivalent within the provisional status period to maintain compliance with program requirements. This status shall not be sought for the same cloud offering more than once. Provisional Certification Status can be achieved in two ways:
  - Agency-sponsored: Agencies can notify DIR of a previously conducted assessment for review.
  - Third-party Assessment: Industry-standard assessment artifacts may be submitted for review.
TX-RAMP Provisional Certification Status may not be requested after January 1, 2023.
Action Required
How do vendors get TX-RAMP certified?
There are three possible TX-RAMP certifications a vendor can receive depending on the sensitivity of the information or material they handle. DIR will define Low, Moderate, and High Impact information resources according to the Texas Administrative Code Chapter 202.1 and as determined by UTRGV.
Step 1 – Obtain level determination from UTRGV
The first step is to obtain your appropriate TX-RAMP level based on confidentiality requirements and the organizational impact determination from UTRGV. Once categorized, vendors must obtain TX-RAMP certification from Texas DIR and submit a TX-RAMP Assessment Request to Texas DIR before their provisional certification expires.
We strongly recommend that you do this today to avoid a lapse in services due to non-compliance.
Step 2 – Obtain the required TX-RAMP Certification
Apply and complete certification.
Step 3 – Notify UTRGV and submit a copy of the DIR TX-RAMP Certification
Submit a copy of the DIR TX-RAMP certificate and the corresponding product SKU number(s) to UTRGV.
Step 4 – Complete Requirements for Continuous Monitoring
TX-RAMP requires agencies to routinely assess and monitor their vendors to ensure that their security posture is acceptable to maintain their certification. Vendors who are certified through TX-RAMP will be required to fill out a quarterly or yearly (for TX-RAMP Level 2 and Level 1, respectively) vulnerability questionnaire from DIR. Afterward, agencies are responsible for analyzing the results and reporting any critical findings to DIR.
Step 5 – Vendor must notify UTRGV when they are no longer TX-RAMP certified
If TX-RAMP Certification is revoked, the vendor must notify UTRGV.
Events that may result in a revocation include, but are not limited to, the following:
- Failure of a vendor to maintain baseline compliance with TX-RAMP requirements.
- Failure to inform parties in a timely manner of significant changes to the cloud offering.
- Failure to inform required parties of the loss of other accepted RAMP certification.
- Failure to provide required continuous monitoring documents.
- The report of false or misleading information to DIR or a state agency.
- Referencing non-certified cloud computing services as TX-RAMP certified.
- Failure to report a breach of system security to DIR within 48 hours of discovery.
What else do Vendors need to do?
Vendors also need to support the following standards:
- SAML Authentication
- TLS Encryption
Like most modern organizations, UTRGV utilizes software to perform many essential tasks. Much of that software is accessible via a “cloud” computing structure typically shared by other businesses and organizations and not hosted on university property. While these systems are effective, they are not perfect. To better protect state data from future cybersecurity threats, the state has implemented the Texas Risk and Authorization Management Program (TX-RAMP), which requires state agencies and institutions, including UTRGV, to only contract with cloud vendors that comply with TX-RAMP certification standards.
How do we know if our software is TX-RAMP compliant?
UTRGV’s Information Technology and Information Security departments are actively assessing all software currently utilized by University employees and students. However, this is a huge undertaking, and we need your help to ensure UTRGV successfully complies with this new law.
All faculty and staff members who make software procurement decisions must submit a Software Assessment Request when a new product/vendor has been identified for purchase or 60 days before renewing an existing product/vendor. Please note the following:
Why do we have to submit this form?
Submitting this Software Assessment Request is critical to limiting delays in purchasing and implementing software and reducing duplication and risk to the University. Additionally, this process aligns key University stakeholders and provides a single starting point for software assessments that were previously tracked through disparate processes.
We thank you for taking this critical step toward protecting UTRGV and our campus community.
Contact Information
For assistance with TX-RAMP, contact TX-RAMP@utrgv.edu.
For questions about how TX-RAMP certifications may affect procurement contracts, contact purchcontracts@utrgv.edu.
Resource Links
Texas Senate Bill 475
- Texas Senate Bill (SB) 475 - PDF
- Texas Government Code 2054.001 (SB 475) - Legislative Findings and Policy
- Texas Government Code 2054.0593 (SB 475) - Cloud Computing State Risk and Authorization Management Program
- Texas Government Code 2062 (SB 475) on Biometric Data
Texas Department of Information Resources (DIR)
- Texas Risk and Authorization Management Program (TX-RAMP) Website
- TX-RAMP Program Manual - PDF
- TX-RAMP Assessment Request
UTRGV Information Security
- UTRGV Information Security Policies, Standards, and Compliance
- UTRGV’s Data Classification Standard - PDF