For questions, assistance, or to report an issue, please visit the UTRGV Support Center.Visit UTRGV Support Center
When does it take effect?
- Cloud offerings subject to TX-RAMP Level 1 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2024.
- Cloud offerings subject to TX-RAMP Level 2 certification must obtain a TX-RAMP certification to contract with state agencies or institutions of higher education and public community colleges on or after January 1, 2022.
- Cloud offerings that obtain TX-RAMP Provisional Status must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization) within 18 months from the date that Provisional Status is conferred as reflected in DIR’s files.
Which organizations must comply with TX-RAMP requirements?
- TX-RAMP requirements apply to state agencies, institutions of higher education, and public community colleges (Texas Government Code 2054.003 (13).
- Agencies need to comply with the statutory requirements of contracting for cloud services with appropriate certification.
- Cloud providers need to demonstrate compliance with the security criteria to receive and maintain certification for a cloud computing service.
TX-RAMP has two assessment levels:
- Level 1 for public/non-confidential information or low-impact systems.
- Level 2 for confidential/regulated data in moderate or high-impact systems.
How do vendors get TX-RAMP certified?
There are three possible TX-RAMP certifications a vendor can receive depending on the sensitivity of the information or material they handle. DIR will define Low, Moderate, and High Impact information resources according to the Texas Administrative Code Chapter 202.1 and as determined by UTRGV.
Step 1 – Obtain level determination from UTRGV
The first step is to obtain your appropriate TX-RAMP level based on confidentiality requirements and the organizational impact determination from UTRGV. Once categorized, vendors must obtain TX-RAMP certification from Texas DIR and submit a TX-RAMP Assessment Request to Texas DIR before their provisional certification expires.
We strongly recommend that you do this today to avoid a lapse in contracted services due to non-compliance.
Step 2 – Obtain the required TX-RAMP Certification
Apply and complete certification.
Step 3 – Notify UTRGV and submit a copy of the DIR TX-RAMP Certification
Submit a copy of the DIR TX-RAMP certificate and the corresponding product SKU number(s) to UTRGV via email to email@example.com and firstname.lastname@example.org.
Step 4 – Complete Requirements for Continuous Monitoring
TX-RAMP requires agencies to routinely assess and monitor their vendors to ensure that their security posture is acceptable to maintain their certification. Vendors who are certified through TX-RAMP will be required to fill out a quarterly or yearly (for TX-RAMP Level 2 and Level 1, respectively) vulnerability questionnaire from DIR. Afterward, agencies are responsible for analyzing the results and reporting any critical findings to DIR.
Step 5 – Vendor must notify UTRGV when they are no longer TX-RAMP certified
If TX-RAMP Certification is revoked, the vendor must notify UTRGV via email to email@example.com and firstname.lastname@example.org.
For more information on the TX-RAMP certification process, please visit:
- TX -RAMP Assessment Request for Vendors
- TX-RAMP Overview for Vendors
Like most modern organizations, UTRGV utilizes software to perform many essential tasks. Much of that software is accessible via a “cloud” computing structure typically shared by other businesses and organizations and not hosted on university property.
While these systems are effective, they are not perfect. To better protect state data from future cybersecurity threats, the state has implemented the Texas Risk and Authorization Management Program (TX-RAMP), which requires state agencies and institutions, including UTRGV, to only contract with cloud vendors that comply with TX-RAMP certification standards.
How do we know if our software is TX-RAMP compliant?
UTRGV’s Information Technology and Information Security departments are tasked with actively assessing all software utilized by University employees and students on an ongoing basis. However, this is a huge undertaking, and we need your help to ensure UTRGV successfully complies with this new law.
All faculty and staff members who make software procurement decisions must submit a Software Assessment Request when a new product/vendor has been identified for purchase or 60 days before renewing an existing product/vendor.
Please note the following:
We thank you for taking this critical step toward protecting UTRGV and our campus community.
For assistance with TX-RAMP, contact TX-RAMP@utrgv.edu.
For questions about how TX-RAMP certifications may affect procurement contracts, contact email@example.com.
Resource LinksTexas Senate Bill 475
- Texas Senate Bill (SB) 475 - PDF
- Texas Government Code 2054.001 (SB 475) - Legislative Findings and Policy
- Texas Government Code 2054.0593 (SB 475) - Cloud Computing State Risk and Authorization Management Program
- Texas Government Code 2062 (SB 475) on Biometric Data
Texas Department of Information Resources (DIR)
- Texas Risk and Authorization Management Program (TX-RAMP) Website
- TX-RAMP Program Manual v2.0 - PDF
- TX-RAMP Assessment Request
UTRGV Information Security
- UTRGV Information Security Policies, Standards, and Compliance
- UTRGV’s Data Classification Standard - PDF