Senate Bill 475, passed by the Texas Legislature, requires the Texas Department of Information Resources (DIR) to establish a Texas Risk and Authorization Management program (TX-RAMP) that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”
As of January 1, 2022, Texas Government Code § 2054.0593 mandates that state agencies (including Texas Woman’s) may enter or renew contracts only for cloud computing services that comply with TX-RAMP requirements. Current requirements state that a cloud service must have a valid Provisional, Level 1 or Level 2 certification before it may be implemented. Certifications are granted by DIR after a valid state risk assessment is performed.
During this year of transition, TX-RAMP offers state agencies the ability to request a Provisional certification, which allows the agency to perform an internal risk assessment as evidence of compliance. This has allowed Texas Woman’s to expedite many TX-RAMP requests that have already been processed since January.
However, Provisional certification requests will not be available after this year. According to the TX-RAMP manual, TX-RAMP Provisional status may not be requested after January 1, 2023. This means that, beginning January 1, 2023, all cloud services must obtain a full Level 1 or Level 2 certification prior to contract initiation or renewal.
While Texas Woman’s will continue to perform internal risk assessments to assess product risk to the university, DIR will be required to perform its own risk assessment in order to grant Level 1 or Level 2 certification. This process is extensive and will significantly increase the time needed to procure cloud services.
TWU Information Security encourages all academic components and departments to review their current cloud service contracts now to determine when their renewals will take place. If a renewal is in the near future, TWU Information Security may be able to request Provisional certification for the cloud service, if an internal risk assessment is completed before January 1, 2023. To initiate a service evaluation and risk assessment, complete the request form.
While a Provisional certification request may decrease the time to procure cloud services compared to other certification levels, it is important to note that TX-RAMP Provisional status remains in effect for 18 months from the date the Provisional status is granted by DIR. It is a temporary certification, and the cloud service must undergo a full assessment with DIR to obtain a Level 1 or Level 2 certification within the 18-month provisional period to remain in compliance.
It is important for academic components and departments to have this conversation with their cloud service providers so that all parties are prepared for the certification process. Cloud service providers may learn more by visiting the TX-RAMP website.
For questions related to how certifications may affect the length of the procurement process, contact firstname.lastname@example.org.