
TX-RAMP Assessment Request

Please use this form to request a TX-RAMP Assessment.

Important Notes:

• Assessment requests should be submitted by the cloud service provider/manufacturer of the service. Cloud resellers should work with the cloud service provider/manufacturer to coordinate the assessment process as necessary.  DIR will not accept assessment responses for a target cloud service from an organization other than the cloud service provider/manufacturer. 

• Cloud services with existing verified status/authorizations through FedRAMP and StateRAMP do NOT need to complete this form.  DIR will leverage the StateRAMP Authorized Vendors List and FedRAMP Marketplace to directly certify the applicable cloud services under TX-RAMP at the corresponding impact level.

• This form should be submitted for each independent cloud service seeking certification. 

• Organizations may submit an initial request for Provisional Certification and a subsequent request for a TX-RAMP Level 1 or Level 2 Certification as needed.

• Agency-sponsored requests for provisional certification must be submitted by an agency through the SPECTRIM portal.
 
Please contact TX-RAMP@dir.texas.gov for questions or to update an existing point of contact. Additional information may be found on the TX-RAMP webpage.
1. Primary Contact Information *This question is required.
3. Secondary Contact Information
4. Does your organization have a current DIR Contract? *This question is required.
5. Is your company currently bidding on a contract to provide cloud computing services to a Texas state agency, public institution of higher education, or public junior college? *This question is required.
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Please use the specific product/service name as listed on the company's website.
Please link to the direct informational URL of the cloud service/product that you would like to be considered for assessment. Do not include custom links based on customers or generic links relating to the company.
Provide a brief synopsis of the cloud computing service.  This is the information that will be displayed on the listing of certified services.  Please do not include customer-specific information. 
For SaaS Providers, the cloud service provider/manufacturer is not the underlying IaaS/PaaS provider. The manufacturer in this context is the entity responsible for the security of the product being offered overall, regardless of whether the service is delivered through the use of multiple cloud providers.
10. Are you leveraging an underlying third party IaaS/PaaS provider to deliver the cloud service? *This question is required.
11. Cloud Service Model *This question is required.
Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.

 
12. Cloud Deployment Model *This question is required.
Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

 
13. Request Priority *This question is required.
Very Low, Low, Moderate, High, Critical
14. Which TX-RAMP Certification Assessment Level are you requesting?  If you'd like to request both provisional and level 1 or 2 at this time then select provisional here and the corresponding level for the other assessment below. *This question is required.
•Level 1 is for public/nonconfidential information or low impact systems.
 
•Level 2 is for confidential/regulated data in moderate or high impact systems.

•Provisional Certification Status is for any level, and may be obtained by submitting appropriate third-party audit/assessment report documentation for review.
15. If you would like to submit third-party assessment artifacts directly for provisional status consideration, please attach the relevant documentation here. Otherwise, we will launch a questionnaire around the requested assessment initiation date to the primary contact provided to upload documentation through the SPECTRIM Vendor Portal.

NOTE: SELF-REPORTED ARTIFACTS (E.G. HECVAT) AND NDA-RESTRICTED/CLICKWRAPPED ARTIFACTS ARE NOT ACCEPTED FORMS FOR CONSIDERATION. THE DOCUMENTATION MUST INCLUDE AN INDEPENDENT THIRD-PARTY REPORT OF AN ASSESSMENT, INCLUDING THE EVALUATION OF THE SECURITY POSTURE OF THE SERVICE TO BE EVALUATED.
Note: this is the date requested for the assessment questionnaire to be launched to the respondent. This is not a guaranteed date for beginning the assessment, but helps identify the provider's ability to readily provide information and documentation required by the assessment. This question requires a valid date format of MM/DD/YYYY.
16. Would you also like to request a Level 1 or Level 2 TX-RAMP Assessment at this time? *This question is required.
A Level 1 or Level 2 assessment may be requested at a later date by completing this form or by contacting tx-ramp@dir.texas.gov.
16. Which TX-RAMP Level would you like to request an assessment for? *This question is required.
Note: the customer agency ultimately determines the minimum certification level required for a product based upon the potential business impact of the product and the confidentiality of the agency data. Systems deemed low-impact information resources per 1 TAC § 202.1 require Level 1 certification as the minimum level. Moderate or high impact information resources that process, store, or transmit confidential information require Level 2 certification as the minimum level. If you are unsure as to the level required, you should consult your client agencies.
This question requires a valid date format of MM/DD/YYYY.
The due date is required to be populated prior to launching the assessment questionnaire.  You may submit a questionnaire early, but unsubmitted questionnaires are automatically deleted 180 days after the due date.  Please select a reasonable due date to ensure the questionnaire is not deleted.   This question requires a valid date format of MM/DD/YYYY.
16. Approximately, how many Texas state agencies, public institutions of higher education, and public community colleges are currently contracting for the cloud service? *This question is required.