December 30, 2024

If your business provides cloud services to state, local, and education (SLED) agencies, you’ve probably heard about the Texas Risk and Authorization Management Program, aka TX-RAMP. Like its namesakes FedRAMP and StateRAMP, the TX-RAMP initiative has the goal of improving cybersecurity across Texas state organizations by evaluating and authorizing third-party cloud service offerings in a standardized manner.  

As of June 2021, Texas law and policies administered by its Department of Information Resources (DIR) require cloud service providers (CSPs) conducting business in the state to achieve TX-RAMP, StateRAMP, or FedRAMP authorization. StateRAMP authorization satisfies all TX-RAMP requirements, and any StateRAMP Ready or Authorized offerings are automatically granted TX-RAMP authorization.

So, why would a CSP consider TX-RAMP authorization? Why not just work towards StateRAMP authorization, which provides a common cybersecurity standard recognized across a growing number of additional states, including California, New York, Florida, Arizona, Massachusetts, Michigan, and Georgia? 

This article compares TX-RAMP and StateRAMP and shares considerations and scenarios for when to choose which.   

What is TX-RAMP? 

The State of Texas developed the TX-RAMP cybersecurity standard to ensure a consistent approach for security assessment, certification, and continuous monitoring of cloud computing services that seek to handle or process the data of one or more Texas state agencies or higher education institutions. TX-RAMP’s overall goal is to facilitate secure cloud service usage within the state’s public sector.  

TX-RAMP is designed to protect personally identifiable information (PII), protected health information (PHI), and confidential data associated with state government operations. It defines two compliance levels (see below) based on the type of data being handled.

There are three use cases for TX-RAMP: 

  • Your business is a CSP that provides services to a Texas government agency or university. 
  • Your business provides services to a Texas college or university that needs to comply with State of Texas financial aid guidelines.  
  • Your business provides critical data-related services to a TX-RAMP authorized company. 

What are the TX-RAMP certification levels? 

TX-RAMP has two certification levels:  

  1. Level 1 is for public or nonconfidential data and/or low-impact systems. TX-RAMP Level 1 certification requires applicants to submit the assessment responses and meet the associated minimum requirements (currently 117 controls from NIST 800-53). Firms that hold StateRAMP Category 1 authorization or FedRAMP Low authorization automatically comply with TX-RAMP Level 1.
  2. Level 2 is for confidential or regulated data (e.g., PII or PHI) in moderate or high-impact systems. TX-RAMP Level 2 certification requires applicants to submit the assessment responses and meet the associated minimum requirements (currently 223 controls from NIST 800-53). Organizations that already hold StateRAMP Category 2 authorization or FedRAMP Moderate authorization automatically comply with TX-RAMP Level 2.

While the assessment process for the two levels is similar, Level 2 certification takes significantly more effort because of the greater number of controls. These added controls extend the basic capabilities within each control family to achieve a more robust cybersecurity posture suitable to protect sensitive data and support privacy compliance.  

For example, within the Security Assessment and Authorization control family, both Level 1 and Level 2 require continuous monitoring and security/privacy status reporting. But only Level 2 mandates annual or more frequent penetration testing for all applications that process confidential state data.  

Does my business need to comply with TX-RAMP? 

CSPs doing business with Texas organizations must demonstrate TX-RAMP compliance to achieve and maintain a certification for a cloud computing service. This applies to all cloud services that create, process, or store confidential, state-controlled data or connect with Texas agency systems or networks that do so.

However, some types of cloud services are not in scope for TX-RAMP because they do not fit the definition of cloud computing services as defined in Texas Government Code 2054.0593. These include: 

  • Social media platforms or services 
  • Low-impact SaaS products that do not handle confidential data 
  • Services used to aggregate non-confidential market research or advisory data 
  • GIS or mapping services not used for confidential purposes or associated with individual identities 
  • Graphic design or illustration products or services 
  • Email or notification services that do not create, process, or store confidential data 
  • Survey and scheduling services that do not create, process, or store confidential data 
  • Cloud offerings used to deliver training that do not create, process, or store confidential data 
  • Cloud-based services that transmit copies of non-confidential data on behalf of external governing bodies for accreditation and compliance purposes 

Is there a provisional status for TX-RAMP applicants? 

Like FedRAMP and StateRAMP, TX-RAMP offers a provisional product certification status, which enables a state agency to use a CSP’s product for up to 18 months prior to achieving full TX-RAMP certification. Once provisional status is awarded, the CSP must achieve a TX-RAMP or equivalent certification within the provisional status period or risk losing its contract(s). 

To request provisional certification status, an applicant must first request, complete, and return TX-RAMP’s Acknowledgement and Inventory Questionnaire.  

What is TX-RAMP’s continuous monitoring requirement? 

TX-RAMP requires CSPs to regularly assess their compliance in accordance with their certification level, as described below. Texas state agencies can also mandate additional monitoring requirements in their contracts with CSPs. 

The current TX-RAMP continuous monitoring requirements are: 

  • For cloud services certified at TX-RAMP Level 1, CSPs must provide the Texas DIR with annual vulnerability reports. 
  • For cloud services certified at TX-RAMP Level 2, CSPs must provide the Texas DIR with quarterly vulnerability reports. 

These vulnerability reports must include a breakdown of identified vulnerabilities and their severity categorizations, plus descriptions of associated mitigation plans/activities for Critical/High severity vulnerabilities. 

In addition, CSPs must disclose any data breach or cybersecurity incident pertaining to the TX-RAMP certified cloud service within 48 hours of its discovery. 
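The two continuous monitoring obligations above (periodic vulnerability reports broken down by severity, with mitigation plans for Critical/High findings, and 48-hour incident disclosure) lend themselves to a pre-submission check. The script below is an added example, not DIR's tooling and not a TX-RAMP template: the report structure, the `Finding` fields, and the sample findings are constructed for illustration, and only the cadence, severity and 48-hour figures come from the article.

```python
"""Pre-submission checks for a TX-RAMP-style continuous monitoring vulnerability report.

Added example (not DIR's tooling). The report layout and sample findings are
constructed; the reporting cadence per level, the Critical/High mitigation-plan
requirement and the 48-hour disclosure window are taken from the article.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITIES = ("Critical", "High", "Medium", "Low")
PLAN_REQUIRED = ("Critical", "High")          # mitigation plan mandatory for these
REPORT_CADENCE_MONTHS = {1: 12, 2: 3}         # Level 1: annual, Level 2: quarterly
BREACH_DISCLOSURE_HOURS = 48


@dataclass
class Finding:
    """One identified vulnerability (constructed schema, not a TX-RAMP form)."""
    finding_id: str
    severity: str
    mitigation_plan: str = ""


def summarize(findings):
    """Count findings per severity, always listing every severity bucket."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def missing_mitigations(findings):
    """IDs of Critical/High findings that carry no mitigation plan text."""
    return [f.finding_id for f in findings
            if f.severity in PLAN_REQUIRED and not f.mitigation_plan.strip()]


def validate_report(level, findings):
    """Return the report summary plus a list of problems that would block submission."""
    problems = []
    if level not in REPORT_CADENCE_MONTHS:
        problems.append(f"unknown TX-RAMP level {level!r}; expected 1 or 2")
    unknown = sorted({f.severity for f in findings} - set(SEVERITIES))
    if unknown:
        problems.append(f"unrecognised severity labels: {unknown}")
    for fid in missing_mitigations(findings):
        problems.append(f"{fid}: Critical/High finding without a mitigation plan")
    return {
        "cadence_months": REPORT_CADENCE_MONTHS.get(level),
        "summary": summarize(findings),
        "problems": problems,
        "ok": not problems,
    }


def disclosure_deadline(discovered_at_iso):
    """ISO 8601 timestamp by which an incident must be disclosed (discovery + 48h)."""
    discovered = datetime.fromisoformat(discovered_at_iso)
    return (discovered + timedelta(hours=BREACH_DISCLOSURE_HOURS)).isoformat()


def disclosure_overdue(discovered_at_iso, now_iso):
    """True once the 48-hour disclosure window has elapsed."""
    return datetime.fromisoformat(now_iso) > datetime.fromisoformat(disclosure_deadline(discovered_at_iso))


# Constructed sample findings; VULN-0002 deliberately lacks a mitigation plan.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "Critical", "Vendor patch scheduled; compensating WAF rule in place"),
    Finding("VULN-0002", "High"),
    Finding("VULN-0003", "Medium"),
    Finding("VULN-0004", "Low"),
    Finding("VULN-0005", "High", "Fix deployed to production, retest pending"),
]

if __name__ == "__main__":
    report = validate_report(2, SAMPLE_FINDINGS)
    print("Quarterly report (Level 2)" if report["cadence_months"] == 3 else "Annual report (Level 1)")
    print("Severity summary:", report["summary"])
    for problem in report["problems"]:
        print("BLOCKER:", problem)
    print("Disclosure deadline:", disclosure_deadline("2024-12-30T09:00:00+00:00"))
```

Run as a script it prints the severity breakdown and flags VULN-0002 as a blocker; in a pipeline, `validate_report(...)["ok"]` is the gate before the report leaves the organisation, and `disclosure_overdue` can drive an alert on an open incident ticket.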

How does TX-RAMP compare with StateRAMP? 

While StateRAMP and TX-RAMP have similar goals and share many of the same control requirements from NIST 800-53, there are several important differences that make TX-RAMP certification significantly quicker and less expensive to attain.

In fact, one of the main reasons Texas chose to create its own cloud services assessment program was to reduce the cost of certification for small CSPs that only serve Texas-based state agencies. TX-RAMP also sets the cybersecurity bar at the same level the state had already set for its government agencies, which is less strict than StateRAMP.

Another important difference is that TX-RAMP certification submissions are validated by an in-house DIR team, whereas StateRAMP requires a third-party audit by one of the limited number of third-party assessment organizations (3PAOs) authorized to conduct FedRAMP audits. TX-RAMP evaluations have also been much faster, with hundreds of cloud services evaluated since the program began.

Also, a TX-RAMP evaluation is free, while a StateRAMP 3PAO audit will likely cost $70,000 and up. StateRAMP also charges some additional fees that TX-RAMP foregoes, totaling over $10,000.  

But while StateRAMP certification costs significantly more, it offers the potential to do business in other states in addition to Texas. It also sets a higher standard for cybersecurity that may confer competitive advantage even when not required for compliance.   

Another advantage of achieving StateRAMP certification is that it simplifies the compliance challenges associated with serving agencies across multiple states. Instead of dealing with multiple regulatory standards, StateRAMP certified products/services are automatically granted certification to TX-RAMP, AZRAMP, and a growing number of other state-level cybersecurity verification programs.  

What are TX-RAMP’s business benefits?  

CSPs that achieve TX-RAMP certification stand to accrue a range of business benefits, such as: 

  • Improved cybersecurity posture and reduced cyber incident risk.
    Achieving TX-RAMP compliance/certification demonstrates robust cybersecurity and data protection capabilities, including continuous monitoring and intrusion detection to quickly spot and stop attacks and reduce their potential impacts. 
  • Enhanced compliance profile.
    TX-RAMP certification helps ensure compliance with cybersecurity requirements and other industry and government mandates, including ongoing TX-RAMP compliance to maintain contracts and gain new contracts with Texas SLED entities.  
  • Peace of mind for stakeholders.
    TX-RAMP certification contributes to peace of mind for customers, prospects, employees, senior management, your board, regulators, etc. regarding your business continuity and ability to keep sensitive data safe.  
  • A solid foundation for more difficult certifications.
    TX-RAMP compliance is a solid foundation for pursuing StateRAMP or FedRAMP authorization in the future, if desired. 

Should my company go for TX-RAMP certification? 

Mike Craig, founding principal and CEO at Vanaheim Security, advises that the key factor in deciding what state-level cloud service certification(s) to pursue is your current and projected book of business. Mike suggests framing the discussion around these core questions: 

  • Are you solidly committed to seeking business only within the Texas state/local government and education (SLED) sector for the foreseeable future? 
  • Do you anticipate market demand or business plans to seek SLED business in US states other than Texas in the foreseeable future? 

If TX-RAMP certification alone will allow you to serve all your existing clients and prospects, you might choose to achieve TX-RAMP certification first and then optionally tackle StateRAMP later, since the former will be faster and less expensive while positioning you for success with StateRAMP. 

If your business plans call for seeking new business outside Texas, you might choose to attain StateRAMP authorization, to avoid the extra resources required to first get a TX-RAMP certification and then a StateRAMP authorization. But limiting factors may come into the equation, especially financial, expertise, and/or bandwidth constraints.  

What’s next? 

For more guidance on this topic, listen to Episode 144 of The Virtual CISO Podcast with guest Mike Craig, founding principal and CEO at Vanaheim Security.