TX-RAMP: Texas-friendly cloud security
The state’s risk and authorization management program ensures agencies find Texas-based businesses to provide secure cloud services.
In the months since the Texas Risk and Authorization Management Program (TX-RAMP) went into effect, the state’s Department of Information Resources (DIR) has certified more than 700 cloud computing services, including both providing provisional certifications and those already certified by the State Risk and Authorization Management Program (StateRAMP) and the Federal Risk and Authorization Management Program (FedRAMP), which align with TX-RAMP requirements.
“We’re starting to get an influx of the full assessment responses, so our teams are now ramping up – no pun intended,” said Matt Kelly, deputy chief information officer for policy and governance at DIR. “We’ve got a weekly cadence of bringing those to a group of folks that make the determinations for the full certification.”
Last June, the Texas legislature directed DIR to set up the program, which emulates StateRAMP and FedRAMP, both of which offer security authorizations to cloud vendors that handle sensitive data for public agencies.
A main reason why the state set up its own system, rather than adopt StateRAMP’s, is the cost to companies, said Nancy Rainosek, Texas’s chief information security officer.
Although it’s free for states to join StateRAMP – and 10 have done so, so far – businesses offering infrastructure-, platform- and software-as-a-service solutions that process, store and/or transmit government data must pay a $500 fee to become StateRAMP members. They also must pay $2,500 for StateRAMP’s Program Management Office to conduct a Ready Review to earn StateRAMP Ready status or $5,000 for an authorization review. The annual fee for continuous monitoring is $5,000.
“We have some smaller companies here in Texas that only serve state agencies in Texas, and so we didn’t want to do something that made it cost-prohibitive,” Rainosek said. “To go to StateRAMP, they would have to pay those costs. If they go through us, there is no charge.”
“It’s not so much reinventing the wheel [as] developing our own program in a singular channel,” Kelly added. TX-RAMP fast-tracks vendors that already hold StateRAMP and FedRAMP authorizations, although those programs don’t offer reciprocity to TX-RAMP at this time. “We’re seeing it more as … a complement, and it’s focused more on Texas, but we do recognize that those other programs have a great deal of influence.”
Like StateRAMP and FedRAMP, TX-RAMP has multiple certification levels depending on the type of data the vendor would handle. Level 1 is for nonconfidential or low-impact information resources, while Level 2 is for confidential information and moderate or high-impact resources. A provisional certification is good for 18 months, during which cloud offerings “must obtain a TX-RAMP certification (or equivalent StateRAMP/FedRAMP authorization).”
“We’re just asking vendors to have the same controls that we require of our state agencies,” Rainosek said.
DIR has received some pushback from vendors, Kelly said, mostly about the administrative effort involved: “‘Is this another form to fill out?’ – [that] kind of thing.” But through the standardization the program provides, agencies can start to reduce and phase out the one-off assessments and give vendors apples-to-apples comparisons, which will ultimately not only increase overall security, but speed procurement processes.
Unexpected benefits that Kelly sees taking shape include better communications between procurement and security and IT teams.
“Especially in the very large organizations, sometimes those folks don’t even know where the IT department is,” Kelly said. “They have all had to work together to develop frameworks internally…. Each one of them has their own nuances that they need to take into consideration when it comes time to go out and say, ‘Should we actually contract for this cloud service? Do we need to check on TX-RAMP and then what level of certification is needed?’ It’s really a collaborative effort on that front because no one group or division has all the knowledge when it comes to that.”
Another benefit is the formation of a central inventory of the cloud services used throughout the state. “That’s not a benefit that first comes to mind, but when you are the agency that’s responsible for informing state leadership about the goings-on throughout a federated state where we don’t always have access to that type of thing, I think that’s going to prove beneficial,” Kelly said.
Robert Lowe, chief executive officer of Wellspring, a web-based software provider, sees TX-RAMP overall as beneficial, especially as StateRAMP continues to bring on members one year after its launch.
“Having TX-RAMP being one of the more formalized states is only helping the entire process because they are investing in and communicating well with their public institutions,” Lowe said. “[They’re saying,] ‘These are the requirements you need to meet, these are the standards we need to uphold to,’ and that helps lay a road map for other states as they continue to come online over the next year to two years. I only support everything that the TX-RAMP is doing.”
He emphasized that although cybersecurity is always a priority, recent global events make it especially crucial. He pointed to the increase in cyber incidents as bad actors tried to obtain information on COVID vaccines and now the cyber conflict between Russia and Ukraine, which began before the physical invasion in February.
“The war in Ukraine has only accelerated everything that we’ve been seeing over the past couple years,” Lowe said. “It is true that a cyber war doesn’t have any borders. This is a global attack, and this is going to continue pervasively for the coming years. Even if somehow Ukraine and Russia come to terms, I don’t expect the cyberattacks will slow down.”
One of the biggest challenges for StateRAMP, he said, is in enforcement because it would be easy for agencies to ignore the requirements without it. Because StateRAMP, FedRAMP and TX-RAMP publish their authorizations and certifications publicly, it is easy for agencies to check the status of vendors they’re considering working with, making it a no-brainer for them to comply.
The next deadline for TX-RAMP is Jan. 1, 2023. On or after that date, cloud offerings subject to Level 1 certification must have a TX-RAMP certification to contract with state agencies, higher education institutions and public community colleges.
“The end result is security over the data that belongs to our citizens,” Rainosek said. “In the end, the citizens win.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.