Level 1 for low-impact work
DIR describes Level 1 as the minimum level for cloud services handling public or nonconfidential information, or other low-impact systems.
§ TX-RAMP
TX-RAMP readiness for cloud services selling into Texas.
TX-RAMP is the Texas path for qualifying in-scope cloud services used by state agencies, higher education, and public community colleges. SentrIQ helps teams organize evidence, tighten documentation, and reduce rework across the Level 1, Level 2, or reciprocity path.
§ What it is
A Texas-specific program with its own scope, levels, and review process.
TX-RAMP is run by the Texas Department of Information Resources for cloud computing services used by Texas state agencies, institutions of higher education, and public community colleges. The first question is not whether you sell software. It is whether your offering is an in-scope cloud service under the statute and DIR guidance.
From there, the path depends on the data and impact level. TX-RAMP uses Level 1 and Level 2 assessment and certification levels, plus Provisional Certification for a limited period when an agency needs to move before full certification is complete.
Level 2 for confidential or regulated data
Level 2 is the heavier path for confidential data and moderate or high impact systems. It is the route most teams compare to FedRAMP Moderate because the documentation and control burden is much closer to that level of rigor.
Provisional is real, but temporary
TX-RAMP Provisional Certification can let an agency contract for up to 18 months before full certification is complete. It helps active procurements move, but it is not the same thing as being done.
DIR runs the review
TX-RAMP does not require a 3PAO. DIR conducts the assessment process internally, though existing third-party reports and other program evidence can still help accelerate the review.
§ How teams usually approach it
Use reciprocity where it helps. Do not assume it is automatic.
TX-RAMP gives teams a few ways in, but the cleanest path still depends on evidence quality. Good documentation does not just help with the first review. It shortens the back-and-forth with DIR and makes later recertification less painful.
Confirm the service is actually in scope
TX-RAMP only applies to cloud computing services in scope under Texas law and DIR guidance. That scoping decision matters because some offerings that sound cloud-adjacent are still out of scope.
Match the right level to the data
Level 1 and Level 2 are driven by data sensitivity and impact. Teams lose time when they guess at the required path instead of grounding it in the actual agency use case and information type.
Use FedRAMP or StateRAMP reciprocity correctly
DIR allows reciprocity requests based on current FedRAMP or StateRAMP status, but it is no longer automatic. The vendor still has to submit the TX-RAMP request so DIR can validate the external status and issue the Texas certification.
Keep the package current after certification
TX-RAMP is tied to continuous monitoring and recertification. Teams that keep evidence and implementation detail current avoid turning every change request or renewal into another full cleanup exercise.
§ TX-RAMP FAQ
Common questions about TX-RAMP.
No. TX-RAMP is about in-scope cloud computing services, not every contract a vendor might sign with the state.
DIR says the program applies when a cloud computing service falls within the statute and is used by a state agency, institution of higher education, or public community college. The first step is always confirming the service is actually in scope.
§ Related paths
Other public-sector paths teams often compare.
§ Next step
Selling into Texas state government?
30 minutes. We will talk through your offering, whether it is in scope, and whether your current documentation gives you a real head start.
No hard sell. If the fit is wrong, we will say so.