Texas Risk and Authorization Management Program (TX-RAMP)
Texas Risk and Authorization Management Program (TX-RAMP) provides a review of security measures taken by cloud products and services that transmit data to Texas state agencies. Cloud providers must comply with an established framework and continuous compliance to be accepted. TX-RAMP was established from requirements put forth in Senate Bill 475, and provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies.
TX-RAMP Version 3 - UTSW Cloud Definition – Effective January 2024
Third-party computing services store, process, access, or transmit UT Southwestern data. To qualify as a cloud computing service, all five essential characteristics are required, irrespective of the data level or an interface with a UTSW application. Please note “consumer” refers to UT Southwestern (per Texas Department of Information Resources).
Send the TX-RAMP Certification Decision Matrix to your vendor to complete. Validate with your vendor if they meet the five criteria for cloud services to determine if TX‑RAMP certification is required.
- On-Demand Self-Service: Consumers can independently access and allocate computing resources without human interaction with service providers. Please note “consumer” refers to UT Southwestern (per Texas Department of Information Resources).
- Broad Network Access: Capabilities are accessible over the network through standard mechanisms, facilitating use on diverse client platforms.
- Resource Pooling: Providers pool computing resources in a multi-tenant model, dynamically assigning physical and virtual resources based on consumer demand.
- Rapid Elasticity: Capabilities can be swiftly provisioned or released, automatically scaling to meet demand fluctuations.
- Measured Service: Cloud systems optimize resource usage through automatic monitoring, control, and reporting, ensuring transparency for both providers and consumers.
If the answer is NO to any of the criteria – TX-RAMP is not required.
If the answer is YES to all 5 criteria – check Cloud Services Not Requiring TX‑RAMP Certification to identify the types of cloud computing services considered out of scope for TX‑RAMP certification.
If TX-RAMP certification is required, vendor must be certified or willing to apply for TX-RAMP certification, or UTSW cannot enter into a contract. Cloud Services Providers will submit requests using the online form TX-RAMP Assessment Request to request certification directly to DIR.
If assistance is needed for determination requirements InformationSecurity@UTSouthwestern.edu Information Security.