State of Texas and GovRAMP

Frequently Asked Questions

• What is TX-RAMP?

  The Texas Risk and Authorization Management Program (TX-RAMP) is a standardized approach to assessing and authorizing cloud computing services used by Texas state agencies. Established under Texas Government Code §2054.0593, TX-RAMP ensures these services meet minimum security requirements.

• What is GovRAMP?

  GovRAMP is a nonprofit, membership-based program that provides a standardized approach to cloud security verification for service providers serving state and local governments. Built on NIST standards and modeled after FedRAMP, GovRAMP enables providers to demonstrate compliance through an independent, third-party verification process recognized by participating governments—including the State of Texas.

• Do I need both GovRAMP and TX-RAMP?

  No. If your product is enrolled in GovRAMP’s Progressing Security Snapshot Program, it qualifies for TX-RAMP Provisional Certification. Products in this program are not subject to the 18-month provisional time limit.
  
  Important: A single Security Snapshot may also be used to obtain TX-RAMP Provisional Certification, but this approach is limited to 18 months. After that, your product must achieve TX-RAMP certification, GovRAMP Ready, or GovRAMP Authorized status to remain compliant.

• Is there reciprocity between GovRAMP and TX-RAMP?

  Yes, GovRAMP security statuses are recognized by TX-RAMP.

  However, TX-RAMP certification does not grant GovRAMP status.

• Do I need to notify DIR if I’m using GovRAMP for TX-RAMP reciprocity?

  Yes. Whether you’re newly enrolling in GovRAMP or updating your GovRAMP status (e.g., moving to Ready, unenrolling, etc.), you must complete the appropriate form:

  • Initial Certification:

    TX-RAMP Request Form

    (Required starting October 30, 2024)

  • Status Change:

    Status Change Request Form

  Be sure to use the same product and company name you submitted to GovRAMP so DIR can complete verification.

• How do I enroll in the GovRAMP Progressing Security Snapshot Program?

  To participate:

  1. Become a GovRAMP Member

  2. Submit a Progressing Security Snapshot Request

  3. Pay the applicable fee

  4. Receive onboarding instructions from the GovRAMP PMO

  You’ll receive:

  • A Snapshot score within ~3 weeks of payment

  • Quarterly updated Snapshots

  • Monthly one-hour consultative calls with GovRAMP’s security team

  If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.

• How much does a Snapshot cost?

  To participate in the GovRAMP Security Snapshot or Progressing Snapshot Program, providers must first hold an active GovRAMP membership. Membership fees range from $1,500 to $10,000, depending on the tier selected.

  GovRAMP Security Snapshot
  For products that have not yet achieved a GovRAMP Verified Status

  • $1,000 – Providers with less than $1M in annual revenue
  • $1,500 – Providers with $1M–$5M in annual revenue
  • $2,500 – Providers with more than $5M in annual revenue

  GovRAMP Progressing Security Snapshot (Subscription Option)
  Includes quarterly updated Snapshots and monthly advisory calls

  • $750/month – Providers with less than $1M in annual revenue
  • $1,000/month – Providers with $1M–$5M in annual revenue
  • $1,600/month – Providers with more than $5M in annual revenue

  View the full GovRAMP Fee Schedule.

• Do I need a certain Snapshot score to qualify for TX-RAMP Provisional?

  No. TX-RAMP Provisional Certification is based on artifact availability and access—not on a minimum score.

  However, you must grant access to DIR and relevant Texas agencies to view Snapshot documentation and Progressing Notes in order to qualify.

• How do I get a GovRAMP Verified Status?

  Visit the Getting Started with GovRAMP Guide to learn more. The guide includes:

  • Overview of the GovRAMP process

  • Step-by-step onboarding checklist

  • Requirements for verification

  Learn more about the GovRAMP Ready Status process here.

• What are the continuous monitoring requirements?

  GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisional, or Authorized. This includes:

  • Security status checks
  • Vulnerability tracking and closure
  • Ongoing alignment with NIST control requirements

  Download GovRAMP’s Continuous Monitoring Guide.

• Which cloud services require TX-RAMP certification?

  Cloud services used by state agencies that process or store confidential or regulated data typically require TX-RAMP certification. Certain low-risk services—such as design tools, booking systems, or platforms used only for login or MFA—may be out of scope. Agencies are responsible for making this determination and maintaining documentation.

• What are the types of TX-RAMP certification?

  There are three certification paths:

  • Level 1: For services categorized as low impact
  • Level 2: For services categorized as moderate or high impact
  • Provisional: A temporary certification valid for 18 months while pursuing full certification. May be extended or maintained based on GovRAMP or FedRAMP status.

• How does a cloud provider achieve TX-RAMP certification?

  A provider may pursue certification through:

  1. Assessment by DIR using the TX-RAMP assessment process
  2. Recognition of an external status from GovRAMP or FedRAMP at the corresponding impact level
     1. Note: FedRAMP LI-SaaS is not accepted for TX-RAMP certification.

• How does TX-RAMP recognize GovRAMP statuses?

  The following GovRAMP statuses are recognized as meeting TX-RAMP Level 2 requirements:

  • GovRAMP Core
  • GovRAMP Ready
  • GovRAMP Provisional
  • GovRAMP Authorized

  Snapshot status may qualify for limited-duration Provisional Certification. Progressing Snapshot status remains valid while the provider is enrolled in the program.

• How does provisional certification work?

  Provisional Certification allows agencies to contract with a service while the provider works toward full certification. It is valid for 18 months unless backed by an active GovRAMP or FedRAMP status, in which case it remains valid as long as that external status is maintained.

• Where can I find the latest TX-RAMP Program Manual?

   You can view or download the most recent manual here: TX-RAMP Program Manual v3.1 – Texas DIR

• Still have questions?

  • GovRAMP FAQs

  • TX-RAMP FAQs

  For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.

  If you have any questions about TX-RAMP, please contact: tx-ramp@dir.texas.gov.