Total 360 Security

Overview

TX-RAMP (Texas Risk and Authorization Management Program) is a state-mandated security certification program administered by the Texas Department of Information Resources (DIR). It establishes security requirements for cloud computing services used by Texas state agencies and institutions of higher education.

As of September 1, 2021, Texas state agencies are required to use only TX-RAMP certified cloud services for processing state data. The program is modeled after FedRAMP and StateRAMP, ensuring consistent security standards across all cloud services used by the state.

Texas State Mandate

Per Texas Government Code §2054.0593, state agencies must ensure cloud computing services meet TX-RAMP certification requirements before procurement.

Certification Levels

Level 1: Baseline

For cloud services handling public or non-confidential data

Basic security controls aligned with NIST 800-53 Low baseline
Annual security assessment
Basic incident response capabilities
Standard access controls

Level 2: Sensitive

For cloud services handling confidential or sensitive state data

Enhanced security controls aligned with NIST 800-53 Moderate baseline
Bi-annual security assessments
Advanced incident response and forensics
Multi-factor authentication required
Encryption at rest and in transit

Level 3: Highly Sensitive

For cloud services handling highly confidential or regulated data

Comprehensive security controls aligned with NIST 800-53 High baseline
Continuous monitoring and assessment
24/7 security operations center
Advanced threat detection and response
FIPS 140-2 validated encryption

Certification Timeline

Self-Assessment

2-4 weeks

Complete the TX-RAMP security questionnaire

Documentation

4-8 weeks

Prepare required security documentation

Third-Party Assessment

6-12 weeks

Engage a 3PAO for independent assessment

DIR Review

4-6 weeks

Texas DIR reviews assessment package

Certification

1-2 weeks

Receive TX-RAMP certification

Sample Assessment Questions

Our TX-RAMP assessment evaluates your readiness across key security domains. Here are examples of the types of questions you'll encounter:

Data Protection

1
Is all Texas state data stored within the continental United States?
2
Do you have documented data handling procedures for Texas state data?
3
Is data encrypted using FIPS 140-2 validated encryption modules?
4
Can you provide data residency reports upon request?

Access Management

1
Do you implement role-based access control for all state data?
2
Is multi-factor authentication required for administrative access?
3
Do you maintain audit logs of all access to Texas state data?
4
Is there a formal process for access provisioning and de-provisioning?

Incident Response

1
Can you notify the Texas DIR within 24 hours of a security incident?
2
Do you have a documented incident response plan specific to state data?
3
Is there a process for forensic investigation and evidence preservation?
4
Do you conduct regular incident response exercises?

Vendor Management

1
Do you maintain a list of all subcontractors with access to state data?
2
Are subcontractors required to meet TX-RAMP security requirements?
3
Is there a process for assessing subcontractor security?
4
Can you provide security assessments for critical subcontractors?

Benefits of TX-RAMP Certification

Texas Market Access

Gain access to the Texas state government market, one of the largest state IT markets in the United States with over 150 state agencies.

FedRAMP Alignment

TX-RAMP is aligned with FedRAMP and StateRAMP, making it easier to pursue multiple certifications with overlapping requirements.

Streamlined Procurement

TX-RAMP certification streamlines the procurement process for state agencies, reducing time-to-contract and security review overhead.

Security Credibility

Demonstrate your commitment to security with a state-recognized certification that validates your security controls and practices.