Skip to main content

University of Houston System

  1. UH System
  2. Offices
  3. Information Security
  4. Cybersecurity Resources and Support
  5. TX-RAMP

Offices

TX-RAMP

What is TX-RAMP: TX-RAMP (Texas Risk and Authorization Management Program) is a cybersecurity certification program managed by the Texas Department of Information Resources (DIR). It standardizes how state agencies and public higher education institutions purchase and use cloud services.

What is a cloud service: Cloud services such as software, storage, or infrastructure are delivered over the internet rather than on local servers or personal devices. These services that store and manage university data are maintained and secured by the provider, offering convenience, scalability, and flexibility without managing their own hardware.

Is TX-RAMP required: Yes, if the service you are looking at acquiring is a cloud service, it will need to be evaluated to see if a TX-RAMP certification is required.

TX-RAMP flowchart describing the TX-RAMP process. If it is a cloud service, the service neews to go through TX-RAMP review, otherwise TX-RAMP review is not required.Sample TX-RAMP Evaluation Workflow

What do you need to do: UHS Information Security reviews a vendor's TX-RAMP status as part of the Third Party Risk Management (TPRM) process.  If you are purchasing a new service you do not need to do anything else, just submit your Vendor Security Assessment (VSA) request, and Information Security will do the rest.

Levels of certification: Vendors can achieve different levels of TX-RAMP certification that allow data of different sensitivities to be stored or processes by the vendor.  There are two differenet levels of TX-RAMP certification:

  • TX-RAMP Level 1 - For low impact information data
  • TX-RAMP Level 2 - For Level 1 (such as confident or regulated) data

Provisional certification: Companies can achieve provisional TX-RAMP certification that is good for up to 18 months after submitting the DIR Acknowledgement and Inventory Questionnaire.  DIR will then review and privisonally approve a vendor to be TX-RAMP certified.

Transition plans: If you have a piece of software that is not TX-RAMP certified, or the vendor does not want to certify, you have up to 24 months to transition off the product to a different TX-RAMP certified product, or to stop using the product.  Contact UHS Information Security to talk with us about your options.

Exceptions: The TX-RAMP manual allows for certain categories of cloud services to be exempt from TX-RAMP, however, it also matters what type of data is being stored in the cloud service.  Storing Level 1 data could bring an exempt service back into TX-RAMP scope.

Go deeper: If you would like to learn more about TX-RAMP visit the following resources