TX-RAMP Level 2 — Texas Risk and Authorization Management Program

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
TX-RAMP Level 2 is a cybersecurity and risk management framework established to assess and authorize cloud computing services used by Texas state agencies handling confidential or regulated data. It aims to ensure that service providers implement robust security controls and meet compliance obligations specific to higher-risk data environments.
Published by the Texas Department of Information Resources (DIR), TX-RAMP applies to cloud vendors and state agencies across Texas that process, store, or transmit confidential or regulated information. The framework outlines requirements for cybersecurity controls, privacy safeguards, risk assessment, and ongoing compliance oversight in alignment with state regulations.
Organizations achieve TX-RAMP Level 2 compliance by implementing prescribed security controls, maintaining documentation, and undergoing regular assessments to verify compliance. The program supports state agencies in fulfilling regulatory requirements for third-party risk management and aligns with broader security frameworks such as NIST SP 800-53 to facilitate interoperability within established information security programs.
Why it Matters
TX-RAMP Level 2 provides a comprehensive approach for Texas state agencies to manage cybersecurity risk when using cloud services for sensitive data.
Key benefits include:
• Strengthen third-party risk management
Enable agencies to systematically assess and monitor cloud vendors, reducing exposure to risks from external service providers.
• Enhance data protection practices
Require robust controls that support secure processing, storage, and transmission of confidential and regulated information.
• Increase audit readiness
Maintain thorough documentation and compliance evidence, supporting timely and efficient responses during regulatory audits and assessments.
• Improve regulatory alignment
Align security practices with Texas state requirements and national standards, simplifying compliance efforts across multiple frameworks.
• Promote ongoing compliance oversight
Facilitate continuous monitoring and regular assessments to ensure that implemented security measures remain effective over time.
How it Works
TX-RAMP Level 2 structures cloud security around a control catalog aligned with NIST SP 800-53 and the FedRAMP Moderate baseline, grouping requirements into control families and governance domains. It establishes an authorization lifecycle and formal risk management processes, including continuous monitoring and periodic reassessments to maintain an authorized state.
Organizations implement TX-RAMP Level 2 by mapping security controls to existing governance programs, performing risk assessments, and building authorization packages for agency review. Teams deploy technical and procedural security practices, run continuous monitoring and vulnerability management, coordinate third-party assessments, and execute incident response and remediation to sustain compliance and reduce risk.
Within SmartSuite, teams operationalize TX-RAMP Level 2 using configurable control libraries, a centralized risk register, and policy governance modules. SmartSuite supports evidence collection, automated compliance tracking, remediation workflows, audit readiness checklists, and reporting dashboards to monitor posture and demonstrate adherence to security controls, risk management, governance, and regulatory requirements.
Key Elements
• Security Control Requirements
Establishes detailed categories of technical and administrative safeguards mandated for cloud service providers.
• Confidential Data Safeguards
Describes protocols and criteria for handling, storing, and transmitting confidential or regulated information.
• Risk Assessment and Management
Outlines processes for identifying, evaluating, and mitigating risks associated with cloud-hosted sensitive data.
• Continuous Compliance Monitoring
Specifies mechanisms for ongoing assessment and verification of adherence to security and privacy standards.
• Documentation and Reporting Standards
Defines expectations for maintaining, updating, and submitting compliance-related documentation.
• Third-Party Oversight
Organizes responsibilities and procedures for evaluating and managing the security posture of external vendors.
Framework Scope
TX-RAMP Level 2 is adopted by Texas state agencies and cloud vendors processing, storing, or transmitting confidential or regulated data within cloud environments. The framework governs cybersecurity controls and privacy safeguards, and is typically implemented when addressing regulatory requirements, improving risk management, and supporting assurance programs for higher-risk data environments.
Framework Objectives
TX-RAMP Level 2 establishes requirements for cybersecurity, risk management, and regulatory compliance for cloud services handling sensitive Texas state data.
• Safeguard confidential and regulated information through robust data protection controls
• Strengthen risk management processes supporting higher-risk cloud environments
• Ensure compliance with Texas state cybersecurity and privacy regulations
• Enhance ongoing security governance and oversight of cloud service providers
• Improve audit readiness by maintaining documentation and evidencing control effectiveness
• Support operational resilience against evolving cybersecurity threats and vulnerabilities
TX-RAMP Level 2 aligns Texas cloud authorization requirements with FedRAMP and maps controls to NIST SP 800-53 (and commonly to CIS Controls or the CSA Cloud Controls Matrix), enabling cloud service providers to pursue state authorization, demonstrate regulatory compliance, and strengthen security governance and operational controls for sensitive state data.
Common Framework Mappings
Organizations map TX-RAMP Level 2 to established federal, international, and industry frameworks to streamline controls, reuse evidence, and speed authorization across cloud, privacy, and risk programs.
Mapped frameworks include:
CIS Critical Security Controls
CSA Cloud Controls Matrix
Federal Information Security Modernization Act (FISMA)
FedRAMP
HITRUST CSF
ISO/IEC 27001
NIST Cybersecurity Framework
NIST SP 800-171
NIST SP 800-53
- Classification
  - Category: Cloud Security
  - Domain: Cloud Security
  - Framework Family: FedRAMP
- Regulatory Context
  - Type: Certification / Assurance Program
  - Legal Instrument: Program
  - Sector: Government Sector
  - Industry: Government & Public Sector
- Region / Publisher
  - Region: North America
  - Region Detail: Texas
  - Publisher: Texas Department of Information Resources (DIR)
- Versioning
  - Version: TX-RAMP Level 2 Baseline
  - Effective Date: 2021
  - Issue Date: 2021
- Adoption
  - Adoption Model: Regulatory Compliance
  - Implementation Complexity: High
License included / downloadable: Yes
TX-RAMP documentation is publicly available through the Texas Department of Information Resources.
How SmartSuite Supports US-TX TX-RAMP Level 2
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
Moderate-Risk Scope and Boundary
Define Level 2 scope, sensitive data handling, and service dependencies.
Level 2 Control Baseline Library
Track controls with owners, implementation details, and proof of operation.
Assessment and Remediation Workflow
Manage findings, remediation plans, retesting, and closure evidence.
Continuous Monitoring Operations
Schedule scanning, monitoring, and recurring evidence capture to prevent drift.
Vendor Obligation and Review Tracking
Track vendor obligations, evidence, and ongoing reviews for dependencies.
Audit-Ready Reporting
Report readiness, gaps, and monitoring status for assessors and stakeholders.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

FISMA is a U.S. law requiring federal agencies and contractors to secure government information systems and manage cybersecurity risks.

HITRUST CSF is a certifiable, risk-based cybersecurity and privacy framework for managing regulatory compliance and protecting sensitive data.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For TX-RAMP Level 2 (Texas Risk and Authorization Management Program)
TX-RAMP Level 2 is used to assess, authorize, and monitor cloud computing services that handle confidential or regulated data for Texas state agencies. Its primary purpose is to ensure that cloud vendors implement strong cybersecurity controls and meet regulatory compliance obligations for higher-risk data environments.
Yes, TX-RAMP Level 2 is mandatory for cloud vendors contracting with Texas state agencies if their services process, store, or transmit confidential, regulated, or otherwise sensitive information. Agencies are required to verify that their cloud service providers have achieved and maintain Level 2 authorization.
TX-RAMP Level 2 applies to all Texas state agencies and higher education institutions utilizing third-party cloud services for regulated or confidential data. It covers any systems that handle sensitive state-regulated data such as personal, financial, or protected health information.
Key requirements include implementation of defined security controls, maintaining detailed documentation, performing third-party assessments, and compiling an authorization package. Artifacts include risk assessment reports, evidence of control operation, continuous monitoring plans, and authorization to operate letters.
Organizations implement TX-RAMP Level 2 by mapping prescribed security controls—aligned with NIST SP 800-53—to existing policies and procedures, conducting risk assessments, and remediating gaps. Continuous monitoring, vulnerability management, and incident response processes are established to maintain ongoing compliance.
TX-RAMP Level 2 is closely aligned with the NIST SP 800-53 control framework and the FedRAMP Moderate baseline, facilitating interoperability with established federal and state security programs. This alignment helps streamline compliance efforts for organizations already familiar with these standards.
Ongoing compliance includes recurring risk assessments, continuous monitoring of controls, periodic third-party reassessments, and timely remediation of identified vulnerabilities. Organizations must maintain up-to-date documentation and provide evidence of ongoing adherence to security and privacy requirements.
SmartSuite facilitates TX-RAMP Level 2 compliance by providing configurable control libraries, centralized risk management, and automated evidence collection workflows. It enables teams to track remediation, prepare for audits, maintain compliance documentation, and generate real-time reports to demonstrate posture and regulatory adherence.
