Texas aims to emulate FedRAMP with ‘TexRAMP’ for cloud vendors
A sweeping new cybersecurity law signed last month by Texas Gov. Greg Abbott will result in the implementation of several new programs at the state’s Department of Information Resources, including a cloud-security certification system modeled on a longstanding federal program.
Under the new law, Texas will create a rubric for verifying that the cloud services that state agencies and higher-education institutions contract with meet certain data-security standards. The program, which state Chief Information Officer Amanda Crawford said is still being fleshed out before it takes effect next January, is modeled after the Federal Risk and Authorization Management Program, or FedRAMP, which grades the security of federal vendors.
Appropriately, DIR’s new approach will be called TexRAMP.
‘Send a strong message’
“Our state leadership saw the need to fill a gap where there were some cloud providers that were provided by vendors who maybe don’t play in the federal space,” Crawford said in a phone interview Thursday. “We want to make sure we could prescribe, by rule, what would be subject to the program and verification.”
While Texas has many IT vendors that also have large federal contracts, not all of its providers operate at that level, but that doesn’t make data security any less crucial, she said. The TexRAMP program, she said, will “send a strong message that security is a priority here in Texas and provide state agencies and higher ed with whatever support we can in being able to provide them with these products.”
Although FedRAMP has been around for a decade, state-level attempts to replicate it have been sporadic, though there have been more efforts in recent months. Earlier this year, a group of state IT officials, including Arizona CIO J.R. Sloan, and industry executives formed a consortium called StateRAMP, which is writing a set of cloud-security guidelines state and local governments can apply to their vendors.
Crawford said a goal of TexRAMP is to ensure that state agencies’ cloud vendors that handle residents’ data are subject to as much scrutiny as the agencies themselves.
“Our plan is to require cloud vendors to meet the same controls we require from state agencies,” she said.
While there’s only a few months before the program goes into effect, Crawford said TexRAMP will accept certifications of other cloud-security standards, including FedRAMP, as well as other states’, if they are approved by DIR.
‘Starting the conversation’
Along with TexRAMP, Texas Senate Bill 475, the bill Abbott signed last month, prodded along several other changes at DIR and agencies around Texas. Among the provisions is that every agency with at least 150 employees will be required to appoint a data management officer.
These officials — who may be existing employees — will be responsible for coordinating with their organizations’ information security and records management officers on implementing data-protection and -privacy standards and conducting reviews of their data programs. Each data manager will also be required to publish at least three data sets on the state’s open-data website annually, Crawford said.
“This is really starting the conversation around that and doing a lot to improve data maturity here in the state,” she said.
‘Texas is a big place’
The new law also sets Texas down a path that several other states, including Michigan and Ohio, have in recruiting volunteers to help respond to cyberattacks like ransomware — not just at the state level, but in local communities, too. Those volunteers, who may be recruited from the state’s tech industry, will undergo background checks and given contracts with DIR, which Crawford said will make them easier to activate when they’re needed.
“It helps to create a shared talent pool when we’re responding to incidents across Texas,” she said. “We’ll have that bench strength, be scalable, reach the great expanses of geography. They’ll be ready to go in the event we have an incident we can send someone out to provide some services,” she said.
Crawford said the volunteer program was inspired by the state’s experience tackling a 2019 ransomware attack that simultaneously hit nearly two dozen communities — many of them small and rural. While she said the response to that incident was well-resourced between DIR, the Texas National Guard, other state agencies, federal responders and the private sector, the state’s size posed challenges.
“Texas is a big place,” she said.
SB 475, which was developed with bipartisan support after recommendations by a DIR-backed cybersecurity council, a public-private group that advises state leaders, includes a few other elements aimed at improving the state’s incident-response footing. It allows for the creation of regional working groups, which will be able to develop mutual aid agreements to be used in the event of a future cyberattack, as well as a pilot program testing a regional security operations center on the campus of a state university.
Between TexRAMP and the volunteer recruitment, Crawford said the new law represents a scaling up of cybersecurity for Texas.
“Cybersecurity has long been a priority here in Texas,” she said. “This demonstrates a commitment the legislature and Gov. Abbot have that it remains a priority and becomes a reality. It’s a big bill and we’re excited to get it in action.”