TX-RAMP Level 2 — Texas Risk and Authorization Management Program

Why it Matters

TX-RAMP Level 2 provides a comprehensive approach for Texas stateagencies to manage cybersecurity risk when using cloud services forsensitive data.

Key benefits include:

• Strengthen third-party risk management

Enable agenciesto systematically assess and monitor cloud vendors, reducing exposureto risks from external service providers.

• Enhance data protection practices

Require robustcontrols that support secure processing, storage, and transmission ofconfidential and regulated information.

• Increase audit readiness

Maintain thoroughdocumentation and compliance evidence, supporting timely andefficient responses during regulatory audits and assessments.

• Improve regulatory alignment

Align securitypractices with Texas state requirements and national standards,simplifying compliance efforts across multiple frameworks.

• Promote ongoing compliance oversight

Facilitatecontinuous monitoring and regular assessments to ensure thatimplemented security measures remain effective over time.

How it Works

TX-RAMP Level 2 structures cloud security around a control catalogaligned with NIST SP 800-53 and the FedRAMP Moderate baseline,grouping requirements into control families and governance domains.It establishes an authorization lifecycle and formal risk managementprocesses, including continuous monitoring and periodic reassessmentsto maintain an authorized state.

Organizations implement TX-RAMP Level 2 by mapping security controlsto existing governance programs, performing risk assessments, andbuilding authorization packages for agency review. Teams deploytechnical and procedural security practices, run continuousmonitoring and vulnerability management, coordinate third-partyassessments, and execute incident response and remediation to sustaincompliance and reduce risk.

Within SmartSuite, teams operationalize TX-RAMP Level 2 usingconfigurable control libraries, a centralized risk register, andpolicy governance modules. SmartSuite supports evidence collection,automated compliance tracking, remediation workflows, audit readinesschecklists, and reporting dashboards to monitor posture anddemonstrate adherence to security controls, risk management,governance, and regulatory requirements.

Key Elements

• Security Control Requirements

Establishesdetailed categories of technical and administrative safeguardsmandated for cloud service providers.

• Confidential Data Safeguards

Describesprotocols and criteria for handling, storing, and transmittingconfidential or regulated information.

• Risk Assessment and Management

Outlinesprocesses for identifying, evaluating, and mitigating risksassociated with cloud-hosted sensitive data.

• Continuous Compliance Monitoring

Specifiesmechanisms for ongoing assessment and verification of adherence tosecurity and privacy standards.

• Documentation and Reporting Standards

Definesexpectations for maintaining, updating, and submittingcompliance-related documentation.

• Third-Party Oversight

Organizesresponsibilities and procedures for evaluating and managing thesecurity posture of external vendors.

Framework Scope

TX-RAMP Level 2 is adopted by Texas state agencies and cloud vendorsprocessing, storing, or transmitting confidential or regulated datawithin cloud environments. The framework governs cybersecuritycontrols and privacy safeguards, and is typically implemented whenaddressing regulatory requirements, improving risk management, andsupporting assurance programs for higher-risk data environments.

Framework Objectives

TX-RAMP Level 2 establishes requirements for cybersecurity, riskmanagement, and regulatory compliance for cloud services handlingsensitive Texas state data.

Safeguard confidential and regulated information through robust dataprotection controls

Strengthen risk management processes supporting higher-risk cloudenvironments

Ensure compliance with Texas state cybersecurity and privacyregulations

Enhance ongoing security governance and oversight of cloud serviceproviders

Improve audit readiness by maintaining documentation and evidencingcontrol effectiveness

Support operational resilience against evolving cybersecurity threatsand vulnerabilities TX-RAMP Level 2 aligns Texas cloud authorizationrequirements with FedRAMP and maps controls to NIST SP 800-53 (andcommonly to CIS Controls or the CSA Cloud Controls Matrix), enablingcloud service providers to pursue state authorization, demonstrateregulatory compliance, and strengthen security governance andoperational controls for sensitive state data.

Framework in Context

TX-RAMP Level 2aligns Texas cloud authorization requirements with FedRAMP and mapscontrols to NIST SP 800-53 (and commonly to CIS Controls or the CSACloud Controls Matrix), enabling cloud service providers to pursuestate authorization, demonstrate regulatory compliance, andstrengthen security governance and operational controls for sensitivestate data.

Common Framework Mappings

Organizations map TX-RAMP Level 2 to established federal,international, and industry frameworks to streamline controls, reuseevidence, and speed authorization across cloud, privacy, and riskprograms.

Mapped frameworks include:

CIS Critical Security Controls

CSA Cloud Controls Matrix

Federal Information Security Modernization Act (FISMA)

FedRAMP

HITRUST CSF

ISO/IEC 27001

NIST Cybersecurity Framework

NIST SP 800-171

NIST SP 800-53

‍