TX-RAMP Adoption Going Smoothly, DIR Says

Private-sector companies that are new to such certifications have resources to employ.

Several months into its Texas Risk and Authorization Management Program (TX-RAMP) certification for vendors, the Department of Information Resources (DIR) says things are going smoothly.

Texas’ law went into effect in January, a little over a decade after the federal government moved to standardize the secure handling of information and activity conducted in the cloud.

“The response to TX-RAMP has been very good,” a DIR spokesperson said in response to email questions from Industry Insider — Texas.

“Right away we began receiving responses, and as of April 25, we have more than 750 products certified. While we expected a high volume of certification requests, the speed in which the certifications have been sought is faster than we expected.”

TX-RAMP provides a standardized approach for security assessment, authorization and continuous monitoring of cloud computing services that process, store or transmit the data of a state agency, according to the department’s website.

DIR says it has noticed some trends since January.

“There are certainly some commonalities (among new applicants). Our control criteria are based on the National Institute of Standards and Technology (NIST), which isn’t always the go-to framework for the private sector.

“If they haven’t worked with the public sector or NIST in particular, it can be a challenge in understanding how things are structured, and the best way to demonstrate compliance,” the DIR spokesperson said. “Most providers have had some sort of third-party assessment/audit, so the majority of them are familiar with similar processes.”

To handle the new responsibilities, the DIR said it has acquired “staff augmentation resources” and restructured internally to allocate resources to TX-RAMP.

Vendor response has been mostly positive, the spokesperson said.

“Vendors want to demonstrate that they take security seriously. In some cases, they may see it as an added burden or (a) duplicative effort in relation to their other audits/assessments/certifications as there is often overlap in what is being assessed. But the goal of the program is to take a standardized approach to the assessments, rather than relying on a variety of standards and artifacts in assessing security posture.

“Vendors have been appreciative of DIR’s approach in leveraging recent historical assessments to obtain provisional certification, which permits continuity of service while providing vendors time to plan for achieving full certification.”

Besides the Resource Library on the DIR’s website, vendors have other resources.

“DIR staff and the TX-RAMP team work hard to accommodate specific inquiries, and we regularly meet with providers to discuss the program and answer questions,” the department said. “Vendors are encouraged to email tx-ramp@dir.texas.gov if they have any questions or would like to schedule a call with the team to discuss.”
Darren Nielsen is the former lead editor for Industry Insider — Texas.