Texas Administrative Code (Last Updated: March 27, 2024)
TITLE 1. ADMINISTRATION
PART 10. DEPARTMENT OF INFORMATION RESOURCES
CHAPTER 202. INFORMATION SECURITY STANDARDS
SUBCHAPTER A. DEFINITIONS
SECTION 202.5. Texas Risk and Authorization Management Program Responsibilities and Mandatory Standards
(a) Mandatory Standards for Cloud Computing Services Subject to the Texas Risk and Authorization Management Program.
  (1) The department shall define mandatory standards for Texas cloud computing services identified by subsection (a) of this section in the program manual published on the department's website. Revisions to this document will be executed in compliance with subsection (d) of this section.
  (2) The mandatory standards established by the department shall include at least the below stated baseline standards for:
    (A) TX-RAMP Level 1 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP certification and categorized by a state agency as Low Impact Information Resources; and
    (B) TX-RAMP Level 2 Baseline - This baseline is required for cloud computing services that are subject to TX-RAMP and categorized by a state agency as Moderate or High Impact Information Resources.
  (3) The department shall establish the categories and characteristics of cloud computing services that are subject to TX-RAMP requirements in the program manual published on the department's website pursuant to subsection (a)(1).
(b) Responsibilities of Cloud Computing Service Vendors:
  (1) To be certified under TX-RAMP, a cloud computing service vendor shall:
    (A) Provide evidence of compliance with TX-RAMP requirements for the cloud computing service as detailed by the program manual; and
    (B) Demonstrate continuous compliance in accordance with the program manual.
  (2) Primary contracting vendors who provide or sell cloud computing services subject to TX-RAMP, including resellers who provide or sell these services, shall present evidence of certification of the cloud computing service being sold to the state agency or institution of higher education in accordance with the program manual. Such certification is required for all cloud computing services subject to TX-RAMP being provided through the contract or in furtherance of the contract, including services provided through subcontractors or third-party providers.
  (3) Subcontractors or third-party providers responsible solely for servicing or supporting a cloud computing service provided by another vendor shall not be required to provide evidence of certification.
(c) Responsibilities of the Department:
  (1) Prior to publishing new or revised program standards as required by subsections (a) - (b) of this section, the department shall:
    (A) solicit comment through the department's electronic communications channels for the proposed standards to be changed from the Information Resources Managers and Information Security Officers of state agencies and institutions of higher education and ITCHE; and
    (B) after reviewing the comments provided, present the proposed program manual to the department's Board and obtain approval from the Board for publication.
  (2) The department shall:
    (A) perform assessments to certify cloud computing services provided by cloud computing vendors; and
    (B) publish on the department's website the list of cloud computing products certified under TX-RAMP.
(d) Acceptance of External Assessments.
  (1) The department shall accept a vendor's compliance with FedRAMP or StateRAMP authorizations in satisfaction of the baselines established by subsection (a) once the department receives evidence of compliance with the respective program.
  (2) At the department's discretion, another state's risk and authorization management program certification may be accepted in satisfaction of the baselines established by subsection (a) once certification is demonstrated by the vendor in alignment with program manual standards.
  (3) At the department's discretion, the department may allow a third-party security assessment or third-party audit to satisfy certain mandatory program standards. A vendor may demonstrate satisfaction of certain mandatory program standards by submitting a third-party security assessment or third-party audit that the department has authorized to align with and satisfy these standards.

Source Note: The provisions of this §202.5 adopted to be effective November 16, 2023, 48 TexReg 6579