October 7, 2022

Volume XII, Number 280

TX-RAMP Requirements for Higher Education

Effective January 1, 2022, Texas institutions of higher education and public community colleges must comply with Texas Government Code 2054.0593 requirements when entering into or renewing contracts for cloud computing services. The new requirements are known as the Texas Risk Assessment and Authorization Management Program (“TX-RAMP”). TX-RAMP provides a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency (which includes higher education and public community colleges).

Under this new program, cloud providers need to demonstrate compliance with the security criteria to receive and maintain a certification for a cloud computing service in Texas. Cloud computing vendors cannot enter into agreements with higher education institutions without this certificate.

Cloud offerings can obtain a TX-RAMP Level 1 certificate, Level 2 certificate, or Provisional Status (which gives the vendor 18 months to obtain full certification). Level 1 certification is for cloud systems with either public/non-confidential information or low-impact systems. Level 2 certification is for confidential or regulated data in moderate- or high-impact systems.

Because this is a new requirement, many vendors are forced to obtain provisional certification in order to comply. This allows the higher education institution to contract for use of the product for up to 18 months when the product does not have full TX-RAMP certification. Provisional status can be achieved through an agency sponsor or third-party assessment. In the case of an agency-sponsored certificate, the institution of higher education must notify the Texas Department of Information Resources (DIR) of a previously conducted assessment for review. Alternatively, industry-standard assessment artifacts (SOC2, ISO 27k, Regulatory Audits, CSA STAR, etc.) may be submitted for review.

Certain cloud computing services are out of scope of TX-RAMP due to the unique characteristics of the cloud computing service. Examples include: (i) email or notification distribution services that do not create, process, or store confidential information; (ii) social media platforms and services; and (iii) graphic design or illustration products.

On December 16, 2021, DIR conducted a webinar for agencies and institutions of higher education to learn about the mechanisms for completing TX-RAMP related activities within SPECTRIM, which is available here:

© 2022 Winstead PC. National Law Review, Volume XII, Number 89