“TX-RAMP” – you never would have expected the most important deal of your company’s history to hang on this six-letter acronym.
Your SaaS company has been presented with a golden opportunity: a major Texas state university is interested in your product. This could be the most significant deal of the year, potentially transforming the company’s future. The preliminary discussions are promising, but there’s a catch. The university’s procurement team highlights that any collaboration hinges on your company obtaining a “TX-RAMP certification” in the next 18 months.
Scrambling to complete a new cybersecurity certification in such a time frame is a daunting task, but your company has a potential reward beyond just one new customer: having a TX-RAMP certification can open up business opportunities with many Texas government agencies, universities, and companies.
But first you have to know what you’re in for.
What is TX-RAMP?
The Texas Risk and Authorization Management Program (TX-RAMP) is the cybersecurity standard developed by the State of Texas to regulate the security of cloud service organizations that do (or intend to do) business with the State, one of its agencies, or a higher education institution within it.
TX-RAMP is designed to regulate the protection of Personally Identifiable Information (PII) and confidential data associated with operations for which the Texas state government has oversight or funding responsibilities. The standard is broken up into two compliance levels based on the type of data the complying business handles.
For example, an organization handling Protected Health Information (PHI) that works with a state college or state hospital is required to comply with TX-RAMP security standards or risk losing them as clients. Many businesses working with government resources, even indirectly, are in a position where they may be required to comply with TX-RAMP security standards.
TX-RAMP is cut and dried with just three use-cases:
1. You are a “cloud service company” that’s providing services to a unit of the government of the State of Texas.
2. You are providing critical services to a different TX-RAMP-certified company.
3. You are providing services to a higher-education institution located within Texas, and those schools need to be eligible for FAFSA or other financial aid from the State of Texas.
The State of Texas released a simple-ish flowchart for determining whether or not TX-RAMP applies to your organization.
You’ll notice the words “cloud service provider” and “cloud service offering” in that flowchart. While “cloud services” often make people think of AWS or Azure, Texas’s definition is a little broader! (The language is also a little inconsistent: the TX-RAMP manual uses “Cloud Computing Service” instead of the two previous terms.)
How does TX-RAMP Define Cloud Service Provider?
Since only cloud service providers need TX-RAMP, it’s important to know what type of products and services Texas considers to be “cloud” services.
To make this important decision… Texas decided to copy the federal government’s homework. It uses the exact same definition that NIST does, as defined in Special Publication 800-145:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
The three service models NIST identifies are what most people mean by a cloud service provider: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
If you are one of those types of companies, and fall into the use-cases listed above, be aware of your incoming compliance burden!
TX-RAMP cybersecurity requirements are based on NIST SP 800-53, a cybersecurity framework developed by the National Institute of Standards and Technology (NIST) containing hundreds of cybersecurity controls that U.S. government agencies can use to plan their cybersecurity programs and vendor management practices.
Even though it’s a state initiative, it’s built upon this document from the federal government. In practice, TX-RAMP is actually pretty similar to the FedRAMP certification.
TX-RAMP takes subsets of NIST SP 800-53’s controls to create different requirements for its two levels of certification.
What are the TX-RAMP Levels of Certification?
TX-RAMP has two levels of certification: Level 1 and Level 2. TX-RAMP Level 1 currently requires the implementation of 117 cybersecurity controls from NIST SP 800-53, while TX-RAMP Level 2 requires 223 controls.
TX-RAMP Level 1
TX-RAMP Level 1 has a lighter compliance burden with fewer cybersecurity controls. It is intended for low-impact systems, so most businesses obtaining Level 1 certification handle only public or non-confidential data.
To comply with TX-RAMP Level 1, organizations must implement the 117 controls outlined by the first implementation group defined in the TX-RAMP Security Plan Workbook. Then, they need to complete a TX-RAMP Assessment conducted by the Texas Department of Information Resources (DIR).
Alternatively, a business can automatically be granted TX-RAMP Level 1 certification if they have already achieved StateRAMP Level 1 or FedRAMP Low Authorization – both of which are based on NIST SP 800-53 and have similar control requirements.
TX-RAMP Level 2
TX-RAMP Level 2 is the higher of the standard’s two certification levels. It is required for companies that handle confidential or regulated data in moderate or high risk systems. It generally encompasses vendors that work with PII or PHI.
TX-RAMP Level 2 originally consisted of 325 controls, but the second revision of the standard has reduced the number to 223 controls. The assessment process is the same for each, though Level 2 will require more work since it has almost twice as many controls!
Like with TX-RAMP Level 1, TX-RAMP Level 2 can be automatically awarded to a business if they are certified through a similar standard: StateRAMP Level 2 or FedRAMP Moderate Authorization.
TX-RAMP Level 1 vs Level 2
It’s easy to say that “TX-RAMP Level 2 has more required controls than Level 1 does,” but that’s just scratching the surface.
The additional controls in TX-RAMP Level 2 are focused on broadening and maturing the complying company’s overall cybersecurity program. TX-RAMP Level 1 has fewer controls and is easier to implement, but it skips controls that make the program as a whole more robust.
For example, TX-RAMP Level 1 covers Access Controls that prevent unauthorized logins to systems that are within the scope of the TX-RAMP certification. TX-RAMP Level 2 takes this a step further, requiring the Access Controls to follow least privilege permissioning practices, where the permissions of the user are meant to be as restrictive as possible while still allowing them to complete their work.
TX-RAMP Provisional Certification
TX-RAMP Provisional is a temporary certification that enables Texas state agencies to work with a cloud vendor’s product for up to 18 months while the vendor works to become certified at either of the two full TX-RAMP levels.
TX-RAMP Provisional is awarded to any business that completes the TX-RAMP Acknowledgement and Inventory Questionnaire.
It doesn’t actually matter what a company’s cybersecurity program looks like; they can get TX-RAMP Provisional by basically just asking! The State of Texas is at least aware of the risk associated with this practice and specifically warns its agencies to “carefully evaluate their business needs and organizational risk considerations when selecting a provisionally certified cloud computing service.”
If a business fails to achieve TX-RAMP Level 1 or Level 2 within the 18 months, a couple of extensions of the provisional certification status are available. First for six months, then for three months. If the vendor still fails and the provisional certification expires, the Texas state agency may be forbidden from renewing their contract with the vendor by law.
This is not a test you want to fail!
How to get TX-RAMP Certified
The first step to getting TX-RAMP certified is to build a cybersecurity program that meets its requirements. Of course, that’s no simple task and it’s just the beginning!
Once you’ve built out a cybersecurity program that complies to TX-RAMP standards (this could take many months), you need to complete an assessment process before you get the certification.
Several specific documents must be created or completed and submitted to Texas for review as part of the certification process:
1. System diagram of the service’s product infrastructure.
2. Data flow diagram, which shows where all the data goes.
3. The TX-RAMP Security Plan Workbook, which lists all TX-RAMP controls for both Level 1 and Level 2 and records how each is implemented.
4. A full list of policies and procedures that align with TX-RAMP controls.
Once you’ve built your cybersecurity program and completed this documentation, you can submit your TX-RAMP application through the state’s website. Additionally, 45 questions will need to be answered in the submission portal prior to the submission of the actual application.
Texas’s Solution to the StateRAMP Audit Problem
StateRAMP is an extremely rare cybersecurity certification: only 62 companies total have a StateRAMP certification. An additional 39 are under evaluation.
Most states just don’t broadly ask their vendors to get StateRAMP for an understandable reason – regular StateRAMP calls for third-party audits that add tens of thousands of dollars of cost to a company seeking certification.
Texas solves that problem by putting the assessment responsibility on its own Department of Information Resources (DIR). While there won’t be an auditor sitting down and painstakingly looking through your organization’s practices, you are still required to create a large amount of documentation so that the DIR can adequately understand and certify your cybersecurity program.
The result? Fractional CISO alone is working with multiple companies currently pursuing TX-RAMP. There is a large demand for this certification.
Congratulations on becoming TX-RAMP certified! Your shiny new certification is good for three years, but you don’t get to take those three years off.
TX-RAMP places a heavy emphasis on continuous monitoring practices. You will need to continue these practices after getting the certification. Specifically, TX-RAMP requires that certified vendors conduct routine assessments and have other monitoring practices in place. Reports must be sent to the client organization periodically, depending on the level of the certification; Level 1 requires only annual reports, while Level 2 requires quarterly reports.
It is then the responsibility of the client agency to review the results, escalate any critical findings, and ensure action is taken on them.
A number of different practices go into the continuous monitoring requirements, including:
Security Event Logging:
Logs collect a breadth of information, allowing a vendor to see what is happening within their environment. The logs should be reviewed regularly to look for any suspicious activity or errors.
Intrusion Detection:
Intrusion detection works with the logging system, allowing security teams to see if malicious actors have entered the in-scope environment.
Vulnerability Scanning:
Vulnerability scans can quickly identify vulnerabilities in software or IT systems, enabling security teams to address them. They need to be performed frequently to gain the best results, but can be at least partially automated.
Note that TX-RAMP explicitly requires organizations to either: 1. describe a remediation plan to fix high-severity vulnerabilities, or 2. describe risk mitigation activities if the vulnerability is not being patched.
Patch Management:
Continuous monitoring does little if you never take any action on the information! New patches need to be tested and applied in a timely manner to take care of known vulnerabilities.
Configuration Management:
Sometimes vulnerabilities are caused by misconfigurations rather than bugs in code. Reviewing and updating configurations regularly helps remove these vulnerabilities and keeps them from creeping back in.
Security Incident Response:
In the event that a breach or other incident is discovered, it’s the responsibility of the incident response team to handle the situation. Having a strong incident response plan and practicing it regularly will help keep small incidents from becoming big ones.
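To make the Security Event Logging and Intrusion Detection practices above concrete, here is a small added example (not from the original post, and not a TX-RAMP or DIR tool) of the kind of review logic that turns raw logs into findings. It parses constructed sshd-style authentication log lines (invented for this example) and flags two patterns a reviewer would escalate: a burst of failed logins from one source address, and a successful login from a source that had just been failing. The threshold, window and field names are this example’s own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style. These are invented for
# the example and are not captured from any real system.
SAMPLE_LOG = """\
Jan 14 02:10:01 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 14 02:10:03 app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Jan 14 02:10:05 app01 sshd[2231]: Failed password for root from 203.0.113.45 port 51250 ssh2
Jan 14 02:10:08 app01 sshd[2231]: Failed password for root from 203.0.113.45 port 51261 ssh2
Jan 14 02:10:11 app01 sshd[2231]: Failed password for deploy from 203.0.113.45 port 51270 ssh2
Jan 14 02:10:14 app01 sshd[2231]: Accepted password for deploy from 203.0.113.45 port 51288 ssh2
Jan 14 02:15:40 app01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Jan 14 02:16:02 app01 sshd[2291]: Accepted publickey for alice from 198.51.100.7 port 40102 ssh2
Jan 14 02:30:00 app01 sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
"""

# Matches the sshd "Accepted"/"Failed" authentication messages used above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None for lines we don't understand.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=5), min_failures_before_success=3):
    """Review auth events in order and return a list of findings.

    brute_force:            `threshold` failures from one IP inside `window`
                            (fires once, when the threshold is reached).
    success_after_failures: a successful login from an IP that had at least
                            `min_failures_before_success` failures inside `window`.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    findings = []
    for e in events:
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:
                findings.append({"type": "brute_force", "ip": e["ip"],
                                 "count": len(recent), "ts": e["ts"]})
        elif len(recent) >= min_failures_before_success:
            findings.append({"type": "success_after_failures", "ip": e["ip"],
                             "user": e["user"], "method": e["method"],
                             "failures": len(recent), "ts": e["ts"]})
        failures[e["ip"]] = recent
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the sample data the detector produces two findings for 203.0.113.45: a brute-force burst at 02:10:11 and a successful password login for `deploy` three seconds later, which is the event an analyst would escalate. The single failure from 198.51.100.7 followed by a key-based login is below the threshold and is not reported, which is the point of the window and minimum-failure settings: a review process that pages on every failed password is one that stops being read.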
TX-RAMP requires periodic security assessments of the information technology environment. Instead of a full cybersecurity risk assessment, these assessment requirements are more akin to penetration tests on the active environment.
Eighteen Months Later…
The TX-RAMP certification process, once a daunting task, is now a completed milestone for your company. As your team presents the certificate to the university’s procurement team, there’s a collective sense of accomplishment.
Yet, that was just the beginning. Word spread quickly in the tight-knit Texas educational community. Soon, invitations to discussions and negotiations started pouring in from various corners of the state. University after university, eager to implement your product, recognized the value of both your software and your dedication to cybersecurity. Your SaaS company, once a newcomer to the Lone Star State, is now a trusted partner to many of its esteemed institutions.
TX-RAMP, like all cybersecurity compliance frameworks, isn’t just about getting a stamp of approval. The process of improving your company’s cybersecurity, and earning recognition for it can solidify your position as a leader in your space.
Does your organization need help getting its TX-RAMP Certification? Fractional CISO is here to help! We have team members experienced with TX-RAMP who will ensure you meet your compliance goals. Click here to learn more about what we do, or here to get started.