(a) Mandatory Standards. Mandatory standards for Texas cloud computing services identified by subsection (b)(1) of this section shall be defined by the department in the program manual published on the department's website. Revisions to such document will be executed in compliance with subsection (d) of this section.
(b) Cloud Computing Standards Subject to the Texas Risk and Authorization Management Program. The standards required by subsection (a) of this section shall include the below stated baseline standards for:
(1) TX-RAMP Public Controls Baseline (TX-RAMP Level 1) - This baseline is required for cloud computing services that:
(A) store, process, or transmit nonconfidential data of an institution of higher education; or
(B) host low impact information resources.
(2) TX-RAMP Confidential Controls Baseline (TX-RAMP Level 2) - This baseline is required for cloud computing services that:
(A) store, process, or transmit confidential data of an institution of higher education; and
(B) host moderate impact information resources or high impact information resources.
(c) Responsibilities of Cloud Computing Service Vendors.
(1) To be certified under the TX-RAMP program, a cloud computing service vendor shall:
(A) Provide evidence of compliance for information they are storing, processing, or transmitting as detailed by the program manual; and
(B) Demonstrate continuous compliance in accordance with the program manual.
(2) Primary contracting vendors, including resellers, who provide or sell cloud computing services to institutions of higher education shall present evidence of certification of the cloud computing service being sold in accordance with the program manual. Such certification is required for all cloud computing services being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.
(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.
(d) Responsibilities of the Department in Developing Updates to the Program Manual. Prior to publishing new or revised program standards as required by subsections (a) - (d) of this section, the department shall:
(1) solicit comment through the department's electronic communications channels for proposed standards from the Information Resources Managers, ITCHE, and Information Security Officers of agencies and institutions of higher education at least 30 days prior to publication of the proposed program manual; and
(2) after reviewing comments provided during the comment period described by paragraph (1) of this subsection, present the proposed program manual to the department's Board and obtain approval from the Board for publication.
(e) Responsibilities of an Institution of Higher Education Contracting for Cloud Computing Services. An institution of higher education contracting for cloud computing services that store, process, or transmit data of the institution of higher education shall:
(1) confirm that vendors contracting with the institution of higher education to provide cloud computing services for the institution of higher education are certified through TX-RAMP prior to entering or renewing a cloud computing services contract on or after January 1, 2022; and
(2) require a vendor contracting with the institution of higher education to provide cloud computing services for the institution of higher education that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.
(f) Acceptance of Other RAMP Certifications.
(1) FedRAMP and StateRAMP certifications shall be accepted in satisfaction of the above baselines once demonstrated by the vendor.
(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the above baselines once certification is demonstrated by the vendor in alignment with program manual requirements.