
Texas state agencies operate under a standing mandate: they may only enter or renew contracts for cloud computing services that comply with TX-RAMP requirements. If you're a state agency administrator, IT manager, or compliance professional working with third-party vendors, you need a clear roadmap for meeting these mandatory cybersecurity standards.
Since January 2022, Texas agencies can only contract for cloud computing services that meet these standardized security requirements. Getting vendors certified and keeping them compliant can feel overwhelming, but breaking the work into manageable steps makes the process much clearer.
This guide walks you through the five essential steps to TX-RAMP compliance. You'll learn how to classify vendors against the program's scope and certification levels, how a vendor reaches provisional status quickly, and how to set up continuous vendor monitoring that keeps your agency compliant long-term while protecting critical state data.
Understanding TX-RAMP Program Structure and Requirements
Baseline Security Requirements for Level 1 and Level 2 Classifications
When implementing TX-RAMP compliance, your first step is understanding the two certification levels that determine a vendor's security requirements. Level 1 certification covers cloud services that handle public or non-confidential information in low impact systems. This baseline level focuses on fundamental security controls appropriate for data that poses minimal risk if compromised.
Level 2 certification applies when you're managing confidential or regulated data in moderate to high impact systems. This classification demands more stringent security measures and comprehensive controls to protect sensitive information. Your organization must carefully evaluate the data types and system impact levels to determine which baseline requirements apply to your specific use case.
You can achieve Level 1 Certification by submitting assessment responses that meet minimum requirements for Level 1 Assessment Criteria. Alternatively, you may provide evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization as equivalent certifications. For Level 2 Certification, you must demonstrate compliance with Level 2 Assessment Criteria or present StateRAMP Category 2 or FedRAMP Moderate authorization documentation.
The TX-RAMP Security Control Baselines spreadsheet contains your specific technical assessment criteria for both levels, providing detailed requirements you must address during the certification process.
Three Types of TX-RAMP Certifications Available
Your TX-RAMP compliance journey offers three distinct certification pathways, each designed to meet different organizational needs and timelines. Understanding these options helps you select the most appropriate route for your cloud computing services.
TX-RAMP Provisional Status is the initial entry point into the program: a provisional product certification that permits a state agency to contract for the cloud service for up to 18 months without full certification. A vendor obtains provisional status by completing the TX-RAMP Acknowledgment and Inventory Questionnaire, which DIR sends after a TX-RAMP Request Form has been submitted online. This pathway gives the agency operational flexibility while the vendor works toward full compliance.
Level 1 Certification represents your standard certification for lower-risk scenarios. You obtain this certification by successfully completing the assessment process and demonstrating compliance with Level 1 security criteria, or by providing equivalent StateRAMP Category 1 or FedRAMP Low authorization evidence.
Level 2 Certification constitutes your comprehensive certification for higher-risk environments. You secure this certification through rigorous assessment against Level 2 criteria or by presenting StateRAMP Category 2 or FedRAMP Moderate authorization documentation. Each certification type aligns with specific data sensitivity levels and operational requirements within your organization.
Continuous Monitoring and Quarterly Assessment Obligations
Now that you understand the certification types, you must prepare for your ongoing compliance responsibilities. TX-RAMP program requirements extend beyond initial certification to encompass continuous monitoring obligations that ensure sustained security posture throughout your service lifecycle.
Your provisional certification period creates a critical 18-month window during which you must transition to full TX-RAMP certification or equivalent authorization. This timeline establishes your compliance roadmap and determines when you must complete comprehensive assessments to maintain program compliance.
Continuous monitoring means ongoing oversight of the vendor's security controls and operational procedures rather than a one-time check. In practice it takes the form of recurring vulnerability reporting to DIR (annual for Level 1 services, quarterly for Level 2) and disclosure of any breach to DIR within 48 hours of discovery; the monitoring section later in this guide covers these obligations in detail.
Your monitoring obligations apply specifically to cloud computing services as defined by Texas Government Code, section 2054.0593(a). You should note that certain cloud computing services fall outside TX-RAMP scope, and detailed exclusions are available in the TX-RAMP Program Manual for your reference during implementation planning.
Classifying Your Vendors for TX-RAMP Compliance
Conducting Vendor Inventory Using TX-RAMP Program Manual Guidelines
Now that you understand the TX-RAMP program structure, you need to systematically catalog all your vendors to determine which ones fall under TX-RAMP compliance requirements. Begin by consulting the TX-RAMP Program Manual, which provides specific guidelines for identifying cloud computing services within your organization's vendor portfolio.
Your vendor inventory process should focus specifically on cloud computing services, as defined by Texas Government Code, section 2054.0593(a). This means you'll need to distinguish between traditional software vendors and cloud service providers. The manual clearly states that only cloud computing services are within scope for TX-RAMP, while products or services that don't qualify as cloud computing services are exempt from these requirements.
When conducting your inventory, document each vendor's service type, the data it will handle, and its integration points with your systems. This captures every in-scope cloud service while avoiding unnecessary compliance burden on vendors that fall outside TX-RAMP. Remember that certain cloud computing services are excluded from the scope of Texas Government Code, section 2054.0593, and are therefore exempt from TX-RAMP requirements altogether.
Determining Level 1 vs Level 2 Requirements Based on Data Sensitivity
With your vendor inventory complete, you must now classify each qualifying cloud service provider based on the sensitivity of data they'll handle. TX-RAMP compliance operates on a two-tier system that directly correlates with your data classification and system impact levels.
Level 1 TX-RAMP certification is required when your vendors will handle public or non-confidential information in low impact systems. This level provides baseline security controls appropriate for data that poses minimal risk if compromised. You can achieve Level 1 certification for your vendors through several pathways: meeting TX-RAMP Level 1 Assessment Criteria, providing StateRAMP Category 1 authorization evidence, or demonstrating FedRAMP Low authorization.
Level 2 TX-RAMP certification becomes mandatory when vendors will process confidential or regulated data in moderate or high impact systems. This elevated certification level implements more stringent security controls to protect sensitive information. Your vendors can satisfy Level 2 requirements by meeting TX-RAMP Level 2 Assessment Criteria, presenting StateRAMP Category 2 authorization, or providing FedRAMP Moderate authorization documentation.
| Certification Level | Data Type | System Impact | Alternative Certifications |
|---|---|---|---|
| Level 1 | Public/Non-confidential | Low impact | StateRAMP Category 1, FedRAMP Low |
| Level 2 | Confidential/Regulated | Moderate/High impact | StateRAMP Category 2, FedRAMP Moderate |
Identifying Vendors Exempt from TX-RAMP Requirements
Not every vendor in your portfolio requires TX-RAMP certification. Understanding these exemptions prevents unnecessary compliance costs and administrative burden while maintaining proper security oversight.
The most straightforward exemption applies to vendors that don't provide cloud computing services as defined by Texas Government Code. If your vendor relationships involve traditional on-premises software, hardware providers, or professional services that don't include cloud components, these fall outside TX-RAMP scope entirely.
Additionally, the TX-RAMP Program Manual specifically identifies certain cloud computing services that remain outside the scope of Texas Government Code, section 2054.0593. These exempted services, while technically cloud-based, don't trigger TX-RAMP compliance requirements due to their specific characteristics or usage patterns outlined in the program documentation.
When evaluating exemptions, carefully review each vendor's service delivery model against the official definitions provided in the program manual. This detailed analysis ensures you correctly identify exempt vendors while avoiding compliance gaps that could expose your organization to regulatory violations or security risks.
Obtaining Provisional Certification for Your Vendors
Third-Party Audit and Attestation Review Options
Now that you have classified your vendors for TX-RAMP compliance, you can leverage a vendor's existing third-party audit reports to speed up the certification process. The TX-RAMP Fast Track Assessment lets a cloud service provider submit recognized third-party assessments or audit reports as verified evidence of its security practices.
DIR accepts several types of third-party assessments for Fast Track consideration:
SOC 2 Type II reports
HITRUST Authorized External Assessor Validated Assessment
PCI DSS Qualified Security Assessor Audit Report on Compliance
ISO 27001 certification
ISO 27017 and ISO 27018 certifications
CSA STAR certification
FISMA compliance documentation
A vendor's existing compliance certifications can significantly reduce the time needed to reach provisional certification. When submitting the TX-RAMP Assessment Request, include details about the cloud service, its deployment model, its security measures, and any compliance certifications the vendor already holds.
It's important to note that DIR cannot enter into nondisclosure agreements with cloud service providers for any components of the TX-RAMP process, including the review of third-party assessment or audit reports required for the Fast Track certification route.
Agency-Sponsored Provisional Status Using HECVAT Assessments
For institutions of higher education seeking provisional certification, you can utilize Higher Education Community Vendor Assessment Tool (HECVAT) assessments to support your application. This pathway is particularly relevant for educational institutions that have already completed HECVAT evaluations as part of their vendor assessment processes.
The agency-sponsored provisional status allows state agencies to work directly with vendors during the assessment process. When pursuing this route, your sponsoring agency should include contractual provisions requiring notification if your service's certification status changes during the provisional period.
Ensure the vendor's HECVAT assessment aligns with TX-RAMP security control requirements and adequately documents the vendor's security posture. The assessment should demonstrate compliance with the criteria for the TX-RAMP certification level the service requires.
Submitting Documentation to DIR for 18-Month Provisional Approval
With your third-party audit documentation or HECVAT assessment prepared, you can now submit your complete application package to DIR for provisional certification. The TX-RAMP Provisional Status provides a provisional product certification that permits state agencies to contract for your services for up to 18 months without requiring full TX-RAMP certification.
To initiate the provisional certification process, you must:
Complete the TX-RAMP Request Form online through the Archer Engage platform
Submit the Assessment Request including your cloud service name and description, deployment model, service provider information, existing compliance certifications, and intended use by Texas state agencies
Complete the Acknowledgment and Inventory Questionnaire that DIR sends after reviewing your initial submission
Provide supporting documentation including your latest SOC 2 Type II report, ISO 27001 certificate, HECVAT assessment, or other relevant audit reports
DIR will review your submission and supporting documentation to determine your eligibility for provisional status. The goal is to complete the review and issue a recommendation within four weeks, assuming your documentation is complete and responses to requests for additional information are timely.
Upon achieving provisional status, you must work toward full TX-RAMP Level 1 or Level 2 certification within the 18-month provisional period. Cloud service providers may request a full TX-RAMP assessment at any time during the provisional certification period, but you should be aware that the full assessment process requires additional time for completion.
Your provisional certification permits agencies to begin contracting for your services immediately while you work toward full compliance with TX-RAMP program requirements.
Implementing Continuous Vendor Monitoring Systems
Setting Up Quarterly and Annual Vulnerability Questionnaires
Now that your vendors hold provisional certification, you need a continuous monitoring framework to maintain TX-RAMP compliance. DIR requires different reporting frequencies depending on the vendor's certification level, and collecting these reports on schedule is crucial for ongoing compliance.
For TX-RAMP Level 1 certified cloud services handling public or non-confidential information, the vendor must provide annual vulnerability reports to DIR. These reports must detail identified vulnerabilities and the corresponding mitigation activities the vendor implemented during the year.
TX-RAMP Level 2 certified services processing confidential or regulated data require more stringent monitoring: the vendor must provide quarterly vulnerability reports. Collect these from your Level 2 vendors and confirm that each covers the vulnerabilities identified and remediated in that three-month period.
To meet TX-RAMP requirements, each vulnerability report must include:
Vulnerability severity categories for all identified issues
Detailed descriptions of remediation plans for High and Critical-severity vulnerabilities
Documentation of completed mitigation activities
Timeline for addressing outstanding vulnerabilities
Analyzing Results and Reporting Critical Findings to DIR
With continuous vendor monitoring systems in place, your next critical step involves analyzing the vulnerability data you collect and ensuring timely reporting to DIR. This process requires systematic evaluation and prompt communication of significant security findings.
When reviewing the quarterly and annual vulnerability reports your vendors submit, look for patterns and trends that could indicate systemic security issues. Pay particular attention to High and Critical-severity vulnerabilities, since these require detailed remediation plans in the vendor's reports to DIR.
Your analysis should categorize findings based on:
Severity levels (Critical, High, Medium, Low)
Remediation status (Resolved, In Progress, Planned)
Impact assessment on your agency's operations
Compliance implications for ongoing TX-RAMP certification
The program sets one hard reporting deadline: any system or security breach of a certified cloud service must be disclosed to DIR within 48 hours of discovery. Build this into vendor contracts and incident response procedures so the clock starts at discovery, not at the vendor's internal sign-off. This rapid reporting requirement ensures DIR maintains awareness of potential risks across the Texas state agency ecosystem.
Establishing Scalable Vendor Risk Management Processes
With monitoring questionnaires and reporting protocols in place, you now need processes that scale with your vendor portfolio without losing compliance effectiveness.
Your scalable vendor risk management process should incorporate automated workflows wherever possible. Consider implementing systems that can:
Track certification expiration dates (remember, TX-RAMP certifications are valid for three years)
Send automated reminders to vendors for upcoming questionnaire submissions
Flag vendors approaching their 18-month provisional certification deadlines
Monitor changes in vendor service offerings that might require recertification
Establish clear escalation procedures for different types of findings. Critical vulnerabilities should trigger immediate review and potential contract modifications, while lower-severity issues can follow standard quarterly review cycles.
Documentation is essential for scalability. Maintain comprehensive records of all vendor assessments, communications, and remediation activities. This documentation becomes invaluable during DIR reviews and helps demonstrate your agency's commitment to continuous monitoring requirements.
Consider implementing risk scoring methodologies that help prioritize vendor oversight efforts. Vendors handling confidential data or providing critical services should receive enhanced monitoring, while lower-risk providers can follow standard procedures. This tiered approach ensures you allocate resources efficiently while maintaining compliance across your entire vendor ecosystem.
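The following is an added example, not code from the article or from DIR, of the tracking logic the steps above describe: it classifies each vendor as exempt, Level 1 or Level 2 from the data and impact rules in the classification table, then computes the 18-month provisional deadline, the three-year certification expiry with the 12- and 6-month recertification notice windows, the annual (Level 1) or quarterly (Level 2) vulnerability report due date, and the 48-hour breach disclosure deadline. The vendor records and the 90-day warning lead time are constructed assumptions, as is the choice to take the stricter level when a vendor's data class and system impact point at different levels.

```python
"""TX-RAMP vendor obligation tracker (added example, not from the article or DIR).

Encodes the deadlines the page states: Level 1 for public/non-confidential data
in low-impact systems, Level 2 for confidential/regulated data in moderate or
high-impact systems; provisional status lasts 18 months; full certification
lasts three years, with recertification notices 12 and 6 months before expiry;
Level 1 services report vulnerabilities annually, Level 2 quarterly; breaches
must be disclosed to DIR within 48 hours of discovery.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

PROVISIONAL_MONTHS = 18
CERTIFICATION_MONTHS = 36
RECERT_NOTICE_MONTHS = (12, 6)
REPORT_INTERVAL_MONTHS = {1: 12, 2: 3}        # Level 1 annual, Level 2 quarterly
BREACH_DISCLOSURE = timedelta(hours=48)
WARN_DAYS = 90          # assumption: the agency's own lead time for flagging a deadline
SAMPLE_TODAY = date(2025, 6, 1)               # constructed "as of" date for the demo


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic (negative allowed), clamped to the month's last day."""
    years, month_idx = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_idx + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def required_level(is_cloud: bool, data_class: str, impact: str) -> Optional[int]:
    """1, 2, or None when out of scope. Assumption: when data class and impact
    disagree (e.g. public data in a moderate system), take the stricter level."""
    if not is_cloud:
        return None
    if data_class in ("confidential", "regulated") or impact in ("moderate", "high"):
        return 2
    return 1


def breach_disclosure_deadline(discovered: datetime) -> datetime:
    """Latest instant at which DIR can still be notified of a breach."""
    return discovered + BREACH_DISCLOSURE


@dataclass
class Vendor:
    name: str
    is_cloud: bool
    data_class: str                      # public | non-confidential | confidential | regulated
    impact: str                          # low | moderate | high
    status: str                          # none | provisional | certified
    status_date: Optional[date] = None   # when provisional status / certification was granted
    last_report: Optional[date] = None   # most recent vulnerability report received


def review(v: Vendor, today: date) -> list[str]:
    """Compliance flags for one vendor as of `today`; an empty list means nothing is due."""
    level = required_level(v.is_cloud, v.data_class, v.impact)
    if level is None:
        return ["out of scope: not a cloud computing service"]
    if v.status == "none":
        return [f"Level {level} required but no TX-RAMP status on file"]
    assert v.status_date is not None, "provisional/certified vendors need a status_date"
    flags: list[str] = []
    if v.status == "provisional":
        deadline = add_months(v.status_date, PROVISIONAL_MONTHS)
        if today > deadline:
            flags.append(f"provisional status expired {deadline}; full certification overdue")
        elif (deadline - today).days <= WARN_DAYS:
            flags.append(f"provisional deadline {deadline} within {WARN_DAYS} days")
    elif v.status == "certified":
        expiry = add_months(v.status_date, CERTIFICATION_MONTHS)
        if today >= expiry:
            flags.append(f"certification expired {expiry}")
        else:
            for months in sorted(RECERT_NOTICE_MONTHS):    # nearest notice window wins
                if today >= add_months(expiry, -months):
                    flags.append(f"recertification notice: {months} months before {expiry}")
                    break
    # Assumption: the first report is due one interval after status was granted.
    interval = REPORT_INTERVAL_MONTHS[level]
    due = add_months(v.last_report or v.status_date, interval)
    if due <= today:
        flags.append(f"Level {level} vulnerability report overdue (due {due})")
    return flags


def review_all(vendors: list[Vendor], today: date) -> dict[str, list[str]]:
    return {v.name: review(v, today) for v in vendors}


def sample_vendors() -> list[Vendor]:
    """Constructed sample portfolio; names and dates are illustrative only."""
    return [
        Vendor("HR payroll SaaS", True, "regulated", "moderate", "provisional",
               status_date=date(2024, 1, 15)),
        Vendor("Public web hosting", True, "public", "low", "certified",
               status_date=date(2022, 9, 1), last_report=date(2024, 11, 10)),
        Vendor("On-prem badge readers", False, "confidential", "moderate", "none"),
        Vendor("Case management", True, "confidential", "high", "none"),
    ]


if __name__ == "__main__":
    for name, flags in review_all(sample_vendors(), SAMPLE_TODAY).items():
        print(f"{name}: {flags or ['no action due']}")
```

Run on the sample portfolio as of 1 June 2025, the tracker flags the provisional payroll vendor as both six weeks from its 18-month deadline and overdue on quarterly reporting, puts the Level 1 hosting vendor inside the six-month recertification notice window, and reports the badge-reader vendor as out of scope. Month arithmetic is done with a calendar-aware helper rather than fixed 30-day periods, since DIR's windows are expressed in months and years.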
Transitioning from Provisional to Full TX-RAMP Certification
Preparing Vendors for Level 1 and Level 2 Full Certification
With provisional status established, you must now guide your vendors toward achieving full TX-RAMP certification. The preparation process requires understanding the specific requirements for each certification level and ensuring vendors have adequate time to complete the transition.
For Level 1 certification, your vendors need to demonstrate compliance with the security controls for public or non-confidential information in low impact systems. The certification is achieved by submitting assessment responses that meet the minimum requirements of the Level 1 Assessment Criteria. Vendors should prepare comprehensive documentation of their security implementations, policies, and procedures mapped to the TX-RAMP baseline, which is derived from NIST SP 800-53.
Level 2 certification demands more rigorous preparation, as it applies to confidential or regulated data in moderate or high impact systems. Your vendors must meet the minimum requirements for Level 2 Assessment Criteria, which involves more extensive security documentation review, technical security controls validation, and comprehensive compliance checks against state requirements.
To effectively prepare your vendors, ensure they understand the assessment process includes security documentation review, technical security controls validation, and compliance checks. The quality and completeness of initial documentation significantly affects review duration, so emphasize thorough preparation. DIR's goal is to complete reviews within four weeks when proper documentation is provided promptly.
Leveraging StateRAMP or FedRAMP Certifications as Alternatives
You can significantly streamline your vendors' path to TX-RAMP certification by leveraging existing StateRAMP or FedRAMP certifications. TX-RAMP recognizes these equivalent authorizations as valid alternatives to the standard assessment process.
For Level 1 TX-RAMP certification, vendors can submit evidence of StateRAMP Category 1 authorization or FedRAMP Low authorization instead of completing the full TX-RAMP assessment. Similarly, Level 2 certification can be achieved by providing evidence of StateRAMP Category 2 authorization or FedRAMP Moderate authorization.
To utilize this reciprocity pathway, your vendors must submit a TX-RAMP certification request specifically for reciprocity consideration. As of October 30, 2024, FedRAMP and StateRAMP certified products are no longer automatically added to the TX-RAMP certified products list. Instead, you need to submit a formal reciprocity request through the TX-RAMP Assessment Request process.
The reciprocity approach offers several advantages: faster certification timelines, reduced documentation requirements, and cost savings. However, your TX-RAMP certification remains valid only as long as the cloud service maintains appropriate status with the external RAMP program. You must monitor and report any changes in FedRAMP or StateRAMP status using the Change in RAMP status request form.
Meeting January 1, 2022 Mandate Deadline Requirements
Previously established under Texas Government Code § 2054.0593, the TX-RAMP mandate requires state agencies to only enter or renew contracts for cloud computing services that comply with TX-RAMP requirements. Understanding this regulatory foundation is crucial for maintaining ongoing compliance.
Your transition from provisional to full certification must occur within the 18-month provisional period. Since provisional certification is valid for exactly 18 months from the date granted by DIR, you need to plan your full certification timeline carefully. Cloud service providers may request TX-RAMP Level 1 or Level 2 assessment at any time during the provisional period, but you should account for processing time in your planning.
The continuous monitoring requirements become critical once full certification is achieved. For Level 1 certified services, your vendors must submit annual vulnerability reports detailing identified vulnerabilities and mitigation activities. Level 2 certified services require quarterly vulnerability reports outlining identified vulnerabilities and corresponding mitigation efforts. These reports must include vulnerability severity levels, remediation plans, and mitigation activities, especially for high and critical-severity vulnerabilities.
Additionally, your vendors must disclose any system or security breaches to DIR within 48 hours of discovery. Full TX-RAMP Level 1 and Level 2 certifications remain valid for three years from the certification date, provided your cloud service maintains compliance with program requirements. The recertification process requires reviewing and updating control implementation details, with DIR providing automated notifications at least 12 months and six months prior to certification expiration.
Successfully navigating TX-RAMP compliance requires a systematic approach that begins with understanding the program structure and vendor classification requirements. By following the five essential steps—from classifying your vendors and obtaining provisional certification to implementing continuous monitoring systems and transitioning to full certification—you can ensure your organization meets Texas state compliance mandates while maintaining strong vendor relationships.
The 18-month provisional certification window provides valuable time to prepare both your agency and vendors for full compliance, but planning ahead is crucial for long-term success. As TX-RAMP requirements continue to evolve, establishing a robust vendor risk management process will not only help you meet current obligations but also strengthen your overall cybersecurity posture. Remember that compliance is an ongoing journey, not a one-time destination—invest in the right tools and processes now to build a sustainable TX-RAMP program that protects your organization's critical data and maintains regulatory compliance for years to come.