Texas Administrative Code

TITLE 1 ADMINISTRATION
PART 10 DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202 INFORMATION SECURITY STANDARDS
SUBCHAPTER B INFORMATION SECURITY STANDARDS FOR STATE AGENCIES
RULE §202.27 Texas Risk and Authorization Management Program for State Agencies

(a) Mandatory Standards. Mandatory standards for Texas cloud computing services identified by subsection (b)(1) of this section shall be defined by the department in the program manual published on the department's website. Revisions to such document will be executed in compliance with subsection (d) of this section.

(b) Cloud Computing Standards Subject to the Texas Risk and Authorization Management Program. The standards required by subsection (a) of this section shall include the below stated baseline standards for:

  (1) TX-RAMP Public Controls Baseline (TX-RAMP Level 1) - This baseline is required for cloud computing services that:

    (A) store, process, or transmit nonconfidential data of a state agency; or

    (B) host low impact information resources.

  (2) TX-RAMP Confidential Controls Baseline (TX-RAMP Level 2) - This baseline is required for cloud computing services that:

    (A) store, process, or transmit confidential data of a state agency; and

    (B) host moderate impact information resources or high impact information resources.

(c) Responsibilities of Cloud Computing Service Vendors.

  (1) To be certified under the TX-RAMP program, a cloud computing service vendor shall:

    (A) Provide evidence of compliance for information they are storing, processing, or transmitting as detailed by the program manual; and

    (B) Demonstrate continuous compliance in accordance with the program manual.

  (2) Primary contracting vendors, including resellers, who provide or sell cloud computing services to state agencies shall present evidence of certification of the cloud computing service being sold in accordance with the program manual. Such certification is required for all cloud computing services being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.

  (3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.

(d) Responsibilities of the Department.

  (1) Responsibilities of the Department in Developing Updates to the Program Manual. Prior to publishing new or revised program standards as required by subsections (a) - (d) of this section, the department shall:

    (A) solicit comment through the department's electronic communications channels for proposed standards from the Information Resources Managers, ITCHE, and Information Security Officers of agencies and institutions of higher education at least 30 days prior to publication of proposed program manual; and

    (B) after reviewing comments provided during the comment period described by section (1)(A) of this subsection, present the proposed program manual to the department's Board and obtain approval from the Board for publication.

  (2) Responsibilities of the Department for Certifying Vendor's Cloud Computing Products and Services. The department shall:

    (A) perform reviews to certify cloud computing services provided by cloud computing vendors; and

    (B) publish on the department's Internet website the list of cloud computing products certified under TX-RAMP.

(e) Responsibilities of a State Agency Contracting for Cloud Computing Services. A state agency contracting for cloud computing services that store, process, or transmit data of the state agency shall:

  (1) confirm that vendors contracting with the state agency to provide cloud computing services for the state agency are certified through TX-RAMP prior to entering or renewing a cloud computing services contract on or after January 1, 2022; and

  (2) require a vendor contracting with the state agency to provide cloud computing services for the state agency that are subject to the state risk and authorization management program to maintain TX-RAMP compliance and certification throughout the term of the contract.

(f) Acceptance of Other RAMP Certifications:

  (1) FedRAMP and StateRAMP certifications shall be accepted in satisfaction of the above baselines once demonstrated by the vendor.

  (2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the above baselines once certification is demonstrated by the vendor in alignment with program manual standards.


Source Note: The provisions of this §202.27 adopted to be effective November 17, 2021, 46 TexReg 7775
