TX Ramp

TX-RAMP Background

Texas Government Code 2054.0593 mandates that state agencies as defined by Texas Government Code 2054.003(13) must only enter or renew contracts to receive cloud computing services that comply with TX-RAMP requirements beginning January 1, 2022.

This requirement applies to cloud services including:

  • Software as a Service (SaaS)
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)

TX-RAMP certification requirements were implemented in phases:

  • Effective January 1, 2022: Cloud computing services subject to Level 2 TX-RAMP were required to obtain TX-RAMP certification.
  • Effective January 1, 2024: This requirement was expanded to include cloud computing services subject to Level 1 TX-RAMP.

TX-RAMP Certification Overview

In alignment with this approach, The University of Texas at Arlington requires TX-RAMP certification for cloud computing services, when applicable, based on the nature of the service, the data classification involved, and contractual or regulatory obligations, ensuring compliance with state requirements while supporting institutional risk management objectives.

UTA Faculty and Staff procuring cloud computing services (Software as a Service, Infrastructure as a Service, or Platform as a Service) that meet these requirements should notify vendors of the applicable requirements early in the procurement process to help reduce delays in purchase approval and assessment review.

Cloud service providers seeking TX-RAMP certification or provisional status must submit a request through the Texas Department of Information Resources (DIR) TX-RAMP intake process. Vendors submitting a certification or provisional request must use the official TX-RAMP Request page, where submissions are managed through the Statewide Portal for Enterprise Cybersecurity Threat, Risk, and Incident Management (SPECTRIM). 


ISO Requirements

In accordance with institutional standards, third-party vendors subject to TX-RAMP Level 2 must meet The University of Texas at Arlington’s Information Security Requirements.

This classification applies to cloud vendors that store, process, or transmit Confidential data, are designated as Mission Critical, and contain more than 500 records of data.
This classification applies to cloud vendors that store, process, or transmit Confidential data, are designated as Mission Critical, but contain 500 or fewer data records.
This classification applies to third-party cloud vendors that meet requirements for TX-RAMP but have not yet fully obtained TX-RAMP certification. This certification allows third-party cloud vendors to provide services to state agencies for up to 18 months while pursuing the appropriate TX-RAMP certification level. Provisional certification satisfies The University of Texas at Arlington’s Information Security Office (ISO) TX-RAMP requirements during the duration of the provisional period. Third-party vendors that do not achieve full TX-RAMP certification by contract renewal are not eligible for continued use or license renewal upon contract expiration.

Certain cloud products and services may fall outside the scope of TX-RAMP requirements based on how they are used, the type of data involved, or level of institutional risk.

Cloud products are out-of-scope if they do not:

  • create, process, or store confidential state-controlled data (except as needed to provide a login capability, e.g. username, password, email), or
  • connect with agency systems or networks that create, process, or store confidential state-controlled data such that any security incident might affect such systems or networks.

Examples of out-of-scope cloud computing services include:

  • Consumption-focused cloud computing services such as advisory services, market research, or other non-confidential research resources
  • Graphic design or illustration products
  • Geographic Information Systems or mapping products not used for confidential purposes or tied to individual identities
  • Email or notification distribution services that do not create, process, or store confidential information
  • Social media platforms and services
  • Survey and scheduling services that do not create, process, or store confidential information
  • Cloud computing services used to deliver training that do not create, process, or store confidential information
  • Cloud computing services used to transmit copies of nonconfidential data for accreditation and compliance purposes


Low Impact Software-as-a-Service (SaaS) must meet the following criteria:

  • The product meets the definition of Software as a Service (SaaS) per NIST SP 800-145
  • No personally identifiable information (PII) is stored, except for login credentials
  • The service is a low impact information resource as defined by 1 TAC §202.1
  • The service operates within a TX-RAMP certified PaaS or IaaS


Additional Information

If you believe a vendor meets TX-RAMP requirements, please validate this by confirming the vendor is listed on the TX-RAMP Certified Cloud Products site. If there are any questions or uncertainty regarding a vendor’s status, contact the Information Security Office.

Reminder: Many online services have a “Click Through” agreement during purchase. This is a legal contract, and unless you are authorized by the University, you are violating policy and putting the University at risk by not following proper procedures for reviewing security, accessibility, and legal requirements.


TX-RAMP

Helpful Links

Information about the Texas Department of Information Resources (TX DIR) TX-RAMP can be found at

Texas Risk and Authorization Management Program