(a) Mandatory Standards. Mandatory standards for Texas cloud computing services identified by subsection (b)(1) of this section shall be defined by the department in the program manual published on the department's website. Revisions to such document will be executed in compliance with subsection (d) of this section.
(b) Cloud Computing Standards Subject to the Texas Risk and Authorization Management Program. The standards required by subsection (a) of this section shall include the below stated baseline standards for:
(1) TX-RAMP Public Controls Baseline (TX-RAMP Level 1) - This baseline is required for cloud computing services that:
(A) store, process, or transmit nonconfidential data of a state agency; or
(B) host low impact information resources.
(2) TX-RAMP Confidential Controls Baseline (TX-RAMP Level 2) - This baseline is required for cloud computing services that:
(A) store, process, or transmit confidential data of a state agency; and
(B) host moderate impact information resources or high impact information resources.
(c) Responsibilities of Cloud Computing Service Vendors.
(1) To be certified under the TX-RAMP program, a cloud computing service vendor shall:
(A) Provide evidence of compliance for information they are storing, processing, or transmitting as detailed by the program manual; and
(B) Demonstrate continuous compliance in accordance with the program manual.
(2) Primary contracting vendors, including resellers, who provide or sell cloud computing services to state agencies shall present evidence of certification of the cloud computing service being sold in accordance with the program manual. Such certification is required for all cloud computing services being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.
(3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.
(d) Responsibilities of the Department.
(1) Responsibilities of the Department in Developing Updates to the Program Manual. Prior to publishing new or revised program standards as required by subsections (a) - (d) of this section, the department shall:
(A) solicit comment through the department's electronic communications channels for proposed standards from the Information Resources Managers, ITCHE, and Information Security Officers of agencies and institutions of higher education at least 30 days prior to publication of the proposed program manual; and
(B) after reviewing comments provided during the comment period described by section (1)(A) of this subsection, present the proposed program manual to the department's Board and obtain approval from the Board for publication.
(2) Responsibilities of the Department for Certifying Vendor's Cloud Computing Products and Services. The department shall:
(A) perform reviews to certify cloud computing services provided by cloud computing vendors; and
(B) publish on the department's Internet website the list of cloud computing products certified under TX-RAMP.
(e) Responsibilities of a State Agency Contracting for Cloud Computing Services. A state agency contracting for cloud computing services that store, process, or transmit data of the state agency shall:
(1) confirm that vendors contracting with the state agency to provide cloud computing services for the state agency are certified through TX-RAMP prior to entering or renewing a cloud computing services contract on or after January 1, 2022; and
(2) require a vendor contracting with the state agency to provide cloud computing services for the state agency that are subject to the state risk and authorization management program to maintain TX-RAMP compliance and certification throughout the term of the contract.
(f) Acceptance of Other RAMP Certifications:
(1) FedRAMP and StateRAMP certifications shall be accepted in satisfaction of the above baselines once demonstrated by the vendor.
(2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the above baselines once certification is demonstrated by the vendor in alignment with program manual standards.