February 19, 2026

TX-RAMP Certification Guide 2026: Requirements, Process & How It Compares to FedRAMP


Babar Khan Akhunzada

TX-RAMP (Texas Risk and Authorization Management Program) is Texas's state-level cloud security certification framework. If you're a cloud service provider selling software or services to Texas state agencies, TX-RAMP authorization is not optional; it's a legal requirement under Texas Government Code §2054.0593. Think of it as a state-level equivalent of FedRAMP, built specifically for the Texas public sector market.

This guide covers everything you need to know: who needs it, what the two certification levels require, how the process works, how TX-RAMP compares to FedRAMP, and where penetration testing fits into the authorization process.

  1. What Is TX-RAMP?
  2. Who Needs TX-RAMP Certification
  3. TX-RAMP Level 1 vs Level 2: Full Requirements Breakdown
  4. TX-RAMP vs FedRAMP: Key Differences
  5. TX-RAMP Certification Timeline
  6. The Role of Penetration Testing in TX-RAMP
  7. How SecurityWall Supports TX-RAMP Authorization
  8. Book a TX-RAMP Consultation

What Is TX-RAMP?

TX-RAMP is a cloud security authorization framework administered by the Texas Department of Information Resources (DIR). It was established under Texas Government Code §2054.0593 and became a mandatory requirement for cloud service providers (CSPs) contracting with Texas state agencies in 2021.

The program is modeled on the federal FedRAMP framework but scoped to the Texas state government environment. Its purpose is to ensure that cloud services used by state agencies meet a defined baseline of security controls before sensitive state data is processed, stored, or transmitted on those platforms.

TX-RAMP authorization is tied to the Texas Unified Risk Management Framework, the same control set that governs cybersecurity across Texas state government. For vendors, this means the certification process involves demonstrating control implementation, not just documenting policy.

What TX-RAMP is not: It is not a one-time checkbox. Authorization must be maintained. Control changes, significant system updates, and periodic reassessment requirements mean TX-RAMP is an ongoing compliance obligation, not a project with a finish line.

Who Needs TX-RAMP Certification

TX-RAMP certification is required for any cloud service provider that:

  • Contracts with a Texas state agency
  • Processes, stores, or transmits state data through a cloud service
  • Offers a cloud-based product or SaaS solution to any entity covered under the Texas Government Code

"State agency" under TX-RAMP includes state departments, boards, commissions, and other governmental bodies — but not necessarily local government entities like cities or school districts (though DIR is extending the framework's reach).

Who specifically triggers the requirement:

  • SaaS vendors selling into Texas state government
  • IaaS/PaaS providers used by state agencies
  • Managed service providers that host state data in cloud infrastructure
  • Technology vendors whose products process state data as part of their service

Who is typically exempt:

  • On-premises software with no cloud component
  • Vendors whose contracts explicitly exclude cloud data processing
  • Some federally operated systems already covered under FedRAMP (with DIR approval)

If your organization is in the process of pursuing or has recently won a Texas state contract, confirm with your procurement contact whether TX-RAMP authorization is required as a condition of the contract. DIR maintains a public registry of authorized products; if you're not on it, you shouldn't be processing state data.

Not sure whether your product triggers TX-RAMP requirements?

We'll help you determine your authorization level and map the fastest path to certification.

TX-RAMP Level 1 vs Level 2: Full Requirements Breakdown

TX-RAMP has two certification levels, differentiated by the sensitivity of the state data being processed. Understanding which level applies to your product determines the scope of your authorization effort and the cost.

Certification Comparison: TX-RAMP Level 1 vs Level 2

  • Data sensitivity. Level 1: low impact / non-sensitive state data. Level 2: moderate / high impact — sensitive or confidential data.
  • Control baseline. Level 1: subset of NIST SP 800-53 (low baseline). Level 2: full NIST SP 800-53 moderate baseline.
  • Assessment type. Level 1: self-attestation + DIR review. Level 2: independent 3PAO assessment required.
  • Penetration testing. Level 1: recommended, not mandatory. Level 2: required as part of the 3PAO assessment.
  • Typical timeline. Level 1: 4–8 weeks. Level 2: 3–6 months.
  • Renewal cycle. Level 1: annual attestation. Level 2: annual reassessment + continuous monitoring.
  • Typical cost range. Level 1: $5K–$15K. Level 2: $25K–$80K+.
  • FedRAMP substitution. Level 1: partial — DIR approval required. Level 2: FedRAMP Moderate can substitute with DIR approval.

Level 1 in practice: Designed for cloud services that handle low-sensitivity state data: general productivity tools, non-sensitive document management, basic collaboration platforms. The process is largely self-attested: you complete the TX-RAMP security questionnaire, demonstrate control implementation, and DIR reviews and approves. No third-party assessor is required.

Level 2 in practice: Required for any service that handles sensitive, confidential, or personally identifiable state data, including anything related to law enforcement, benefits administration, health records, financial data, or critical infrastructure. Level 2 requires an independent assessment by a qualified Third-Party Assessment Organization (3PAO), including a penetration test of the cloud environment. This is the path most enterprise SaaS vendors pursuing serious state government contracts will need to follow.

TX-RAMP vs FedRAMP: Key Differences

FedRAMP and TX-RAMP are both based on NIST SP 800-53 and share a common control lineage, which raises a legitimate question: if you already have FedRAMP authorization, do you need TX-RAMP?

The answer is: sometimes no, but you need DIR's explicit approval to use FedRAMP as a substitute.

What's the same:

  • Both use NIST SP 800-53 as the underlying control framework
  • Both require independent third-party assessment at their higher authorization levels
  • Both require penetration testing as part of the security assessment
  • Both have continuous monitoring requirements post-authorization

What's different:

Jurisdiction and authority. FedRAMP is administered by the federal government (GSA/CISA) and covers federal agency use cases. TX-RAMP is administered by Texas DIR and is specific to Texas state government. A FedRAMP authorization doesn't automatically satisfy TX-RAMP — they're separate authorization bodies with separate processes.

Control scope. TX-RAMP Level 2 maps to NIST SP 800-53 Moderate, which aligns with FedRAMP Moderate. However, TX-RAMP includes Texas-specific control enhancements and requirements around data residency, incident reporting to Texas state entities, and compliance with Texas Government Code provisions that FedRAMP doesn't address.

Substitution rules. Texas DIR does allow FedRAMP Moderate authorization to substitute for TX-RAMP Level 2 — but only with explicit DIR approval, and only where the FedRAMP authorization covers the same system components, data types, and operational scope as the TX-RAMP requirement. Partial FedRAMP authorizations or FedRAMP Low authorizations do not automatically satisfy TX-RAMP Level 2.

Timeline and process. FedRAMP is notoriously slow — the full authorization process can take 12–18 months and costs significantly more than TX-RAMP. For vendors whose primary market is Texas state government (not federal agencies), pursuing TX-RAMP Level 2 directly is almost always faster and more cost-effective than pursuing FedRAMP.

Who should pursue FedRAMP first: Vendors already selling or planning to sell to federal agencies. FedRAMP Moderate can then be leveraged for TX-RAMP with DIR approval.

Who should pursue TX-RAMP directly: Vendors whose primary government market is Texas state agencies, with no near-term federal sales pipeline. TX-RAMP Level 2 is faster, cheaper, and purpose-built for the Texas market.

For vendors who also hold SOC 2 or ISO 27001 certification, the overlap with TX-RAMP's control baseline can reduce assessment effort significantly. See our SOC 2 compliance overview and ISO 27001 compliance guide for how these frameworks interact.

TX-RAMP Certification Timeline

Level 1 Timeline: 4–8 weeks

The Level 1 process is relatively streamlined. Organizations complete the TX-RAMP self-attestation questionnaire, compile supporting evidence for each control, and submit to DIR for review. DIR typically completes its review within 2–4 weeks of submission. Total elapsed time from starting the questionnaire to receiving authorization depends almost entirely on how quickly the vendor can compile documentation.

Common delays at Level 1: incomplete system boundary documentation, missing policies for required controls, and incorrect scoping of what's included in the authorization boundary.

Level 2 Timeline: 3–6 months

The Level 2 process has more structured phases and more dependencies:

Month 1 — Preparation: Define the system boundary and data flows, complete control implementation documentation (System Security Plan), identify gaps between the current control state and the NIST SP 800-53 Moderate baseline, and remediate critical gaps before assessment begins. This phase is where most timeline slippage occurs: organizations underestimate how much documentation work is required.

Month 2–3 — Assessment: The 3PAO conducts the independent assessment. This includes documentation review, control testing, interviews, and penetration testing of the cloud environment. A complete TX-RAMP Level 2 pentest covers the authorization boundary: web applications, APIs, cloud infrastructure configuration, network segmentation, and authentication systems.

Month 3–4 — Findings and Remediation: The 3PAO delivers assessment findings. Organizations remediate identified gaps and provide evidence of remediation to the assessor. Critical and high findings must typically be remediated before DIR will grant authorization.

Month 4–6 — DIR Review and Authorization: DIR reviews the 3PAO assessment package, asks clarifying questions, and grants authorization or issues a Provisional Authorization to Operate (P-ATO) with conditions. Authorization is typically granted within 4–6 weeks of a complete package submission.

Timeline acceleration factors: Organizations with existing SOC 2 Type II or ISO 27001 certification can often reduce the Level 2 timeline by 4–6 weeks, since much of the control documentation is already in place and many controls overlap.

Already have SOC 2 or ISO 27001? Your TX-RAMP timeline could be 30–40% shorter

Existing compliance documentation and control evidence carries over significantly into TX-RAMP. We help map your current posture to the TX-RAMP control baseline before assessment begins — so you only build what you're missing.

The Role of Penetration Testing in TX-RAMP

Penetration testing is a required component of TX-RAMP Level 2 authorization; it's part of the 3PAO assessment, not an optional add-on. Understanding what the test must cover and how results feed into the authorization package matters for both timeline planning and cost estimation.

What TX-RAMP requires from a penetration test:

TX-RAMP's pentest requirements align with NIST SP 800-53 CA-8 (Penetration Testing) and the broader assessment methodology in NIST SP 800-115. The test must:

  • Be performed by an independent third party (the 3PAO or a subcontracted testing firm)
  • Cover the full authorization boundary: all systems within the TX-RAMP system boundary that process state data
  • Include external testing (from the internet toward the authorization boundary) and internal testing (from within the cloud environment)
  • Follow a documented methodology
  • Produce findings with severity ratings and remediation guidance
  • Have its results included in the Security Assessment Report (SAR) submitted to DIR

What's in scope for a TX-RAMP pentest:

  • Web applications and APIs exposed within the authorization boundary
  • Cloud infrastructure configuration (AWS, Azure, GCP IAM, storage, networking)
  • Authentication and access control systems
  • Network segmentation between tenant environments
  • Management interfaces and administrative consoles
  • Any integration points with external systems

How findings affect authorization:

TX-RAMP Level 2 does not require a clean pentest report; it requires a complete one with evidence of a credible remediation plan. Critical and high findings will typically need to be remediated before DIR grants full authorization. Medium and low findings can often be accepted as Plan of Action and Milestones (POA&M) items, meaning authorization is granted with a documented commitment to remediate within a defined timeframe.

This means the pentest timeline matters enormously. Starting the pentest in month two of the assessment process rather than at the end allows time for remediation and retest before the DIR package is submitted. Organizations that run the pentest last and discover critical findings face either a delayed authorization or a rushed remediation that may introduce new issues.

For context on how TX-RAMP pentest scope compares to other compliance frameworks, see our SOC 2 penetration testing requirements guide.

⚠ Common Timeline Mistake

Running the pentest last adds 4–8 weeks to your TX-RAMP timeline if critical findings need remediation

Schedule the pentest in month 2, not month 4. Remediation and retest need to complete before DIR package submission.

How SecurityWall Supports TX-RAMP Authorization

SecurityWall supports TX-RAMP Level 2 authorization at the pentest and cloud security assessment stage: the technical components of the 3PAO assessment that require offensive security expertise. SecurityWall also supports Level 1 requirements.

TX-RAMP Penetration Testing

Our penetration testing engagements for TX-RAMP are scoped to the authorization boundary and structured to meet DIR's Security Assessment Report requirements. Every TX-RAMP pentest includes:

  • Scope mapping to the TX-RAMP system boundary before testing begins
  • External and internal testing covering web applications, APIs, cloud infrastructure, authentication, and network segmentation
  • Findings documented with NIST SP 800-53 control references and severity ratings aligned to the TX-RAMP risk framework
  • Remediation guidance specific to cloud environments (AWS, Azure, GCP)
  • Retest of critical and high findings before the SAR is finalized
  • Report formatted for inclusion in the TX-RAMP Security Assessment Report package

Cloud Security Assessment

TX-RAMP Level 2's cloud infrastructure controls are among the most technically demanding components of the authorization. Our cloud security assessment covers: IAM configuration review, storage security (S3, Azure Blob, GCS), network security group and firewall analysis, logging and monitoring coverage, encryption key management, and container/Kubernetes security where applicable.

Pre-Assessment Gap Analysis

Before the formal 3PAO assessment begins, we conduct a technical gap analysis of your current control implementation against the NIST SP 800-53 Moderate baseline. This identifies the specific controls that need implementation or evidence work before assessment so the 3PAO engagement doesn't surface surprises that derail your timeline.

Red Team Scenarios (Optional)

For organizations seeking to go beyond the minimum pentest requirement, our red team operations can simulate a more advanced threat scenario against the TX-RAMP boundary, validating not just vulnerability presence but detection and response capabilities. This is not required for TX-RAMP but strengthens the overall security posture evidence presented to DIR.

Existing compliance leverage: If you hold SOC 2 Type II or ISO 27001 certification, we map your existing control evidence to the TX-RAMP control baseline during the gap analysis phase, identifying exactly what carries over and what needs to be built. This typically reduces the pre-assessment preparation effort by 30–40%.

In summary, TX-RAMP is not a particularly complex certification compared to FedRAMP, but it requires careful planning, especially at Level 2. The most common mistakes organizations make: underestimating documentation requirements, running the pentest too late in the timeline, and assuming FedRAMP authorization automatically satisfies TX-RAMP without DIR approval.

The path to authorization is straightforward if you approach it with the right sequence: gap analysis first, control remediation second, pentest third (early enough to allow remediation), 3PAO assessment fourth, and DIR submission fifth. Organizations that try to run these in parallel without sequencing the pentest correctly are the ones that end up with 8-month timelines instead of 4-month ones.

SecurityWall's role is the technical component: the pentest, cloud assessment, and gap analysis that form the core of what the 3PAO evaluates and what DIR scrutinizes most closely.

Book a TX-RAMP Consultation

TX-RAMP Authorization Support

The technical assessment your TX-RAMP Level 2 package actually needs

SecurityWall delivers TX-RAMP-scoped penetration testing and cloud security assessment — structured to DIR's SAR requirements, with retest included and findings mapped to NIST SP 800-53 controls. We work within your 3PAO timeline to keep authorization on track.

TX-RAMP Level 1 and Level 2 scope supported. Existing SOC 2 and ISO 27001 documentation leveraged to reduce assessment prep time.


About Babar Khan Akhunzada

Babar Khan Akhunzada is Founder of SecurityWall. He leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at premier conferences including BlackHat, OWASP, and BSides.