TX-RAMP is a program of the Texas Department of Information Resources that provides "a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency."
As a public institution, UTMB complies with TX-RAMP and requires one of three TX-RAMP certifications from cloud service providers as part of the procurement process.
The three TX-RAMP certification levels are:
- LEVEL 1: for public/non-confidential information or low impact systems
- LEVEL 2: for confidential/regulated data in moderate or high impact systems
- PROVISIONAL: permits a state agency to contract for the use of a product for up to 18 months without a full Level 1 or 2 certification. Full certification or equivalent will need to be attained during the provisional period.
Vendors are responsible for initiating the assessment and certification process with DIR. This process can be started here: https://survey.alchemer.com/s3/6510630/TX-RAMP-Vendor-Contact
In the event that a vendor is not certified, or their certification is set to expire before the start of a contract specifically with UTMB, a 60-day "Interim-Provisional" certification can be requested here: https://utmb.us/284
who are currently certified through TX-RAMP, or a
recognized StateRAMP or FedRAMP certification program, need not undergo
the assessment process again when contracting with UTMB. A list of
current fully and provisionally certified products/vendors can be found here: https://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp
If you have any questions, please email CIRT@utmb.edu.
Cloud Services Not Requiring TX-TAMP Certification
The following types of cloud computing services may be determined to be out of scope for TX-RAMP certification. Contracting agencies may elect to require TX-RAMP certification for any of the following categories, based on their assessment of risk and potential impact associated with the use of a given cloud computing service.
- Consumption-Focused Cloud Computing Services: Advisory services, market research, or other resources that are used to gather research or advisory information.
- Graphic Design or Illustration Products: Tools used for design tasks.
- Geographic Information Systems (GIS) or Mapping Products: Applications for geographic mapping and spatial analysis.
- Email or Notification Distribution Services: Platforms used for generic communication or notifications.
- Social Media Platforms: Tools for social interaction and public communication.
- Survey Tools: Survey tools not intended to collect confidential or regulated information.
- Collaboration/Productivity Tools: Standard collaboration tools for non-sensitive projects, such as shared document editing or project management.
- Cloud Computing Services for Transmitting Non-Confidential Data: Cloud computing services used to transmit data as required by external governing bodies for purposes of accreditation and compliance.
- General Procurement/eCommerce Services: Services used for purchasing supplies, travel and booking accommodations, reservations, or other general-purpose procurement applications that only access payment information of the agency or agency personnel.
- Public-facing Websites: Hosting static, public-facing websites, or web content that does not process or store confidential state-controlled data.
- Development and Testing Environments: Utilizing cloud resources for development and testing activities for non production, non-critical systems.
- Educational or Training Platforms: Cloud platforms that host training materials or educational content, excluding any data regarding sensitive personal information, regulated education records, or proprietary research.
- Marketing and Social Media Analysis: Tools used to gather and analyze public social media data, customer feedback, or market trends.