|(a) Mandatory Standards for Cloud Computing Services
Subject to the Texas Risk and Authorization Management Program.
(1) The department shall define mandatory standards
for Texas cloud computing services identified by subsection (a) of
this section in the program manual published on the department's website.
Revisions to this document will be executed in compliance with subsection
(d) of this section.
(2) The mandatory standards established by the department
shall include at least the below stated baseline standards for:
(A) TX-RAMP Level 1 Baseline - This baseline is required
for cloud computing services that are subject to TX-RAMP certification
and categorized by a state agency as Low Impact Information Resources;
(B) TX-RAMP Level 2 Baseline - This baseline is required
for cloud computing services that are subject to TX-RAMP and categorized
by a state agency as Moderate or High Impact Information Resources.
(3) The department shall establish the categories and
characteristics of cloud computing services that are subject to TX-RAMP
requirements in the program manual published on the department's website
pursuant to subsection (a)(1).
(b) Responsibilities of Cloud Computing Service Vendors:
(1) To be certified under TX-RAMP, a cloud computing
service vendor shall:
(A) Provide evidence of compliance with TX-RAMP requirements
for the cloud computing service as detailed by the program manual;
(B) Demonstrate continuous compliance in accordance
with the program manual.
(2) Primary contracting vendors who provide or sell
cloud computing services subject to TX-RAMP, including resellers who
provide or sell these services, shall present evidence of certification
of the cloud computing service being sold to the state agency or institution
of higher education in accordance with the program manual. Such certification
is required for all cloud computing services subject to TX-RAMP being
provided through the contract or in furtherance of the contract, including
services provided through subcontractors or third-party providers.
(3) Subcontractors or third-party providers responsible
solely for servicing or supporting a cloud computing service provided
by another vendor shall not be required to provide evidence of certification.
(c) Responsibilities of the Department:
(1) Prior to publishing new or revised program standards
as required by subsections (a) - (b) of this section, the department
(A) solicit comment through the department's electronic
communications channels for the proposed standards to be changed from
the Information Resources Managers and Information Security Officers
of state agencies and institutions of higher education and ITCHE;
(B) after reviewing the comments provided, present
the proposed program manual to the department's Board and obtain approval
from the Board for publication.
(2) The department shall:
(A) perform assessments to certify cloud computing
services provided by cloud computing vendors; and
(B) publish on the department's website the list of
cloud computing products certified under TX-RAMP.
(d) Acceptance of External Assessments.
(1) The department shall accept a vendor's compliance
with FedRAMP or StateRAMP authorizations in satisfaction of the baselines
established by subsection (a) once the department receives evidence
of compliance with the respective program.
(2) At the department's discretion, another state's
risk and authorization management program certification may be accepted
in satisfaction of the baselines established by subsection (a) once
certification is demonstrated by the vendor in alignment with program
(3) At the department's discretion, the department
may allow a third-party security assessment or third-party audit to
satisfy certain mandatory program standards. A vendor may demonstrate
satisfaction of certain mandatory program standards by submitting
a third-party security assessment or third-party audit that the department
has authorized to align with and satisfy these standards.