TX-RAMP Compliance
TX-RAMP is a Texas state mandate requiring cloud service providers to meet defined security standards before serving state agencies.
TX-RAMP is a Texas state mandate requiring cloud service providers to meet defined security standards before serving state agencies.
Continue your mission
The Texas Risk and Authorization Management Program (TX-RAMP) is a state-mandated security certification program established by Texas Senate Bill 475 in 2021. Administered by the Texas Department of Information Resources (DIR), TX-RAMP requires cloud service providers offering services to Texas state agencies to meet defined security standards. The program was created to address the growing cybersecurity risks associated with cloud computing in state government operations. TX-RAMP categorizes services into two levels based on the sensitivity of data processed, and it became mandatory for all new cloud contracts starting January 2022.
TX-RAMP defines two certification levels. Level 1 applies to services handling data categorized as low impact and requires providers to complete a self-assessment questionnaire, provide evidence of security controls, and attest to compliance with baseline security requirements. Level 2 applies to services processing confidential or sensitive data and requires a more rigorous assessment including independent verification of controls aligned with NIST SP 800-53 and TX-RAMP-specific requirements. Providers with existing FedRAMP or StateRAMP authorizations receive reciprocity and an expedited certification path. DIR maintains the TX-RAMP Certified Products List, and state agencies are required to verify that cloud services hold valid certification before procurement. Certified providers must maintain their security posture and recertify as required.
TX-RAMP certification is a legal requirement for cloud providers selling to Texas state agencies. Texas is the second-largest state by population and budget, making it a significant market for technology vendors. Non-compliance means exclusion from state contracts. The program has influenced other states considering similar frameworks, signaling a broader trend toward state-level cloud security mandates. For organizations already holding FedRAMP or StateRAMP authorization, TX-RAMP reciprocity reduces the compliance burden while opening access to the Texas government market.
CDA Theater missions that address topics covered in this article.
Technical requirements for complying with California's privacy laws, including data mapping, consumer rights, and security obligations.
The CCPA is California's landmark privacy law granting consumers rights over their personal data and imposing obligations on businesses that collect it.
Written by CDA Editorial
Found an issue? Help improve this article.