At the national level, the emerging StateRAMP organization aims to set a cybersecurity baseline for technology companies that do business with state agencies, especially those offering cloud-related products and services.
In Texas, meanwhile, a parallel track is emerging to address cybersecurity in those companies that are only looking to do business with the Lone Star State. In the previous legislative session, Senate Bill 475 directed state technology leaders to set up a risk and authorization management program for cloud computing products. That program, known as TX-RAMP, went into effect in January 2022.
Modeled after FedRAMP and StateRAMP, TX-RAMP offers “a way to ensure cloud computing services purchased by state agencies have security controls in place, according to the National Institute of Standards and Technology security controls catalog,” says Texas CISO Nancy Rainosek.
“You have to have good access controls, such as password policies. If you have servers, you have to have good physical controls so that not just anyone can get into the data center,” she says. These and a host of other controls must be in place to earn certification.
Certifications Mark an Era of Greater Responsibilities for States
While such certification creates a new requirement for vendors, some in the vendor community agree the time is right for states to raise the cyber bar.
“States have realized how important they are in delivering citizen services, and that became even more self-evident throughout the pandemic,” says Kevin Tunks, chief architect and national technical adviser at Red Hat. “If you are going to modernize, you need to have some security and privacy standards you are looking to meet in order to make the innovation happen faster and more equitably.”
In Texas, Rainosek saw firsthand the need for better safeguards on the vendor side. “We’ve had some security issues in Texas that have happened as a result of a vendor not having necessary controls in place,” she says.
TX-RAMP provides “a standardized approach for security assessment, authorization and continuous monitoring of cloud computing services that process the data of a state agency,” says the Texas Department of Information Resources. To address the need (and meet the legislative requirement), Rainosek’s team first needed to create a rule in the Texas Administrative Code, which took several months. Then it took a staged approach to standing up the program.
“Starting in January 2022, we required Level 2 certifications for cloud services that host confidential data or high-impact systems,” Rainosek says. “Level 1, which is for public or nonconfidential data or low-impact systems, will come under the program beginning Jan. 1, 2023.”
More than 1,200 products already have TX-RAMP certification, and Rainosek says that number could reach 3,000 to 4,000.
TX-RAMP vs. StateRAMP: What’s the Difference?
Texas isn’t alone in creating a state-specific version of the controls embedded in the emerging StateRAMP standard. For instance, Arizona has AzRAMP. Each program has the goal of “continuous monitoring of cloud computing services.”
Those who make the grade for StateRAMP are automatically approved under TX-RAMP. Rainosek says Texas isn’t looking to compete with the membership organization but rather to add a complementary option.
“We have some vendors that have state data in their cloud environments that may not do business across the country. We also have smaller shops that don’t have the funding to go through the StateRAMP process,” she says. For them, the state certification may be a tempting alternative.
There are potential pros and cons to this approach for both state CISOs and vendors. On the upside, Tunks says, a standard of any sort “sets a level of expectation and avoids everybody going off and doing their own thing, unintentionally creating a lot of fragmentation and driving up unnecessary costs.”
However, CISOs also need to be wary of putting up added hurdles. “The worry here is about creating an environment that is unintentionally anti-competitive,” Tunks says. “Do companies on the private side see this as yet another compliance regime that they have to invest in? The worry is that individual companies might decide not to go for opportunities in that state.”
Rainosek sees it in the opposite light. “If anything, this opens the door for the smaller vendors that might not want to go through the StateRAMP process,” she says. “The goal is not to eliminate vendors. It is to raise their controls.”
Continuous Monitoring Helps Ensure Data Protection
From the CISO’s point of view, Rainosek sees a number of benefits to carrying a state-specific credential. States, of course, have tremendous obligations to protect citizens’ personal data. Those data protection responsibilities go hand in hand with supplying citizen services.
TX-RAMP gives state IT leaders greater visibility into how vendors are managing their environments where state data is held, she says, along with the ability to review vendors’ policies, standards and documentation to ensure they have strong controls in place.
Rather than rely on self-attestation by vendors or on third-party reviews, this approach “gives us additional assurances because we’re actually reviewing their policies and their standards and what they’re actually doing,” she says. The continuous monitoring of these cloud solutions assures authorities they can support data protection.
It also gives Rainosek’s office greater control over the disparate technologies that make up the state IT ecosystem.
“In a large agency, some departments may just stand up a website and use their internal program funds, and it doesn’t always get communicated to IT or to the security office,” she says. “This increases the visibility for the security officers so they know what’s going on at the agencies. It prevents the risks that come with shadow IT because it’s a requirement.”