TX-RAMP for Healthcare: Compliance Requirements, Levels, and How to Get Certified



Kevin Henry

Risk Management

September 30, 2025

7 minutes read

Overview of TX-RAMP in Healthcare

TX-RAMP is the Texas Risk and Authorization Management Program administered by the Texas Department of Information Resources (DIR). It standardizes how state agencies and public higher education institutions assess, authorize, and continuously monitor cloud services—an essential safeguard when you process electronic protected health information (ePHI) or other sensitive health data. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

For procurements on or after January 1, 2022, Texas state agencies may contract only for cloud services that comply with TX-RAMP; Level 1 certification became mandatory for applicable low-impact services on January 1, 2024. If you serve public hospitals, medical schools, or state health programs, TX-RAMP is a core element of TX-DIR compliance alongside your HIPAA and health information security obligations. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

TX-RAMP control baselines align with NIST 800-53 Revision 5. That alignment gives healthcare programs a familiar framework for access control, audit logging, incident response, and data protection while enabling Cloud Service Provider Authorization through a state-run process. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

TX-RAMP Certification Levels

The two baselines

  • Level 1: For low-impact information resources (limited sensitivity and business impact).
  • Level 2: For moderate or high-impact information resources, typically including confidential or regulated data such as ePHI. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

What healthcare typically needs

Because ePHI and other patient identifiers are confidential by definition, most healthcare workloads used by Texas public entities map to Level 2. This level expects broader control coverage and stronger evidence, consistent with health information security best practices and NIST 800-53. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Provisional and interim options

  • Provisional Certification: Lets agencies contract before full certification; it remains effective for 18 months from DIR’s grant date, with limited DIR-managed extensions available if a full review is still in progress. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
  • Agency-Sponsored Interim Certification: A short-term, up-to-60-day bridge some agencies can request in SPECTRIM while the provider pursues Provisional status. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Reciprocity with FedRAMP and StateRAMP/GovRAMP

  • FedRAMP Authorized products inherit the corresponding TX-RAMP level (Low → Level 1; Moderate/High → Level 2). FedRAMP Ready or In Process may receive TX-RAMP Provisional. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
  • StateRAMP/GovRAMP Core, Ready, Provisionally Authorized, or Authorized designations map to TX-RAMP Level 2 under DIR’s acceptance criteria. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Compliance Requirements for Healthcare

Security Documentation Review and control evidence

You complete the TX-RAMP Security Plan (Control Implementation) Workbook and an assessment questionnaire that documents how you implement NIST 800-53–aligned controls for the in-scope cloud service. DIR reviews this package to determine the authorization decision. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Plan of Action and Milestones (POA&M)

For any control deficiencies, you must create a POA&M in the DIR-prescribed format and revisit it at least quarterly until closure, reporting completion in your next continuous monitoring submission. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Core safeguards for health information security

Steps to Achieve TX-RAMP Certification

1) Define scope and impact

Inventory the specific cloud product used by the Texas public healthcare customer and classify the data and business impact. Most ePHI scenarios will drive a Level 2 path. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

2) Initiate in SPECTRIM

Create or access your vendor account in the SPECTRIM Vendor Portal, then submit the TX-RAMP Request to launch the process. DIR will issue the Acknowledgment and Inventory Questionnaire first; approval may result in Provisional Certification. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

3) Build your assessment package

  • Complete the TX-RAMP assessment questionnaire and Security Plan Workbook with precise control narratives and attachments.
  • Assemble supporting artifacts (policies, procedures, diagrams, Vulnerability Assessment results) for efficient DIR review.
  • Prepare POA&Ms for any control gaps. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

4) Consider Fast Track or reciprocity

If you hold a DIR-accepted third-party report (e.g., certain audits) or a qualifying FedRAMP/StateRAMP status, you can pursue DIR’s Fast Track assessment or reciprocity. Note that as of October 30, 2024, reciprocity is not automatic; you must submit a TX-RAMP request to be added to the certified products list. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

5) Respond promptly to DIR questions

DIR reviews packages in queue and may request clarifications. Once approved, DIR confers Level 1 or Level 2 certification and the service enters Continuous Monitoring. Certifications are valid for three years with required upkeep. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))


Continuous Monitoring and Reporting

Vulnerability reporting cadence

  • Level 2: Quarterly vulnerability reporting to DIR via the SPECTRIM Vendor Portal.
  • Level 1: Annual vulnerability reporting to DIR via SPECTRIM.

Reports classify findings by CVSS severity as rated in the NIST National Vulnerability Database (NVD) and must include counts, remediation status, and the planned or mitigating controls for each High and Critical item. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Other required notifications

  • Breach of system security: Notify DIR within 48 hours and follow Texas Business & Commerce Code 521.053. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
  • Significant changes: Report changes that could materially affect security posture for potential certification updates. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
  • POA&M upkeep: Revisit at least quarterly and report closures in the next monitoring cycle. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
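The vulnerability submission described above (quarterly for Level 2, annual for Level 1) and the quarterly POA&M revisit can both be sanity-checked before you file them in SPECTRIM. The Python below is an added example, not DIR or SPECTRIM tooling: it buckets scanner findings by CVSS v3 base score using the NVD qualitative severity bands, counts them by severity and remediation status, flags open High/Critical items that lack a planned or mitigating control, and lists POA&M entries not revisited within the quarter. The status vocabulary, the `Finding` and `PoamItem` fields, the 90-day reading of "at least quarterly", the `REPORT_DATE`, and the sample data are all assumptions constructed for this example; the finding IDs are placeholders, not real CVEs.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# NVD CVSS v3.x qualitative severity bands: (label, lowest score in the band).
SEVERITY_BANDS = (
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.1),
    ("None", 0.0),
)

# Assumed remediation-status vocabulary; anything in this set still counts as open.
OPEN_STATUSES = {"open", "in_progress", "risk_accepted"}

# Assumption: "at least quarterly" is enforced as a 90-day review window.
QUARTER_DAYS = 90

# Assumed reporting date for the sample submission.
REPORT_DATE = date(2025, 9, 30)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score (0.0-10.0) to its NVD qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"  # unreachable because the last band floors at 0.0


@dataclass
class Finding:
    finding_id: str       # placeholder scanner ID, not a CVE
    cvss: float           # CVSS v3 base score
    status: str           # open | in_progress | risk_accepted | remediated
    mitigation: str = ""  # planned or compensating control, required for High/Critical


@dataclass
class PoamItem:
    control: str          # NIST 800-53 control the gap maps to
    last_reviewed: date
    closed: bool = False


def summarize_findings(findings):
    """Return (counts keyed by (severity, status), IDs of open High/Critical items with no mitigation)."""
    counts = Counter()
    missing_mitigation = []
    for f in findings:
        sev = cvss_severity(f.cvss)
        counts[(sev, f.status)] += 1
        if sev in ("Critical", "High") and f.status in OPEN_STATUSES and not f.mitigation.strip():
            missing_mitigation.append(f.finding_id)
    return counts, missing_mitigation


def stale_poams(items, as_of):
    """Open POA&M entries not revisited within the quarterly window ending at as_of."""
    return [i.control for i in items
            if not i.closed and (as_of - i.last_reviewed).days > QUARTER_DAYS]


def submission_ready(findings, poams, as_of):
    """True only when every open High/Critical item has a mitigation and no POA&M entry is stale."""
    _, missing = summarize_findings(findings)
    return not missing and not stale_poams(poams, as_of)


# Constructed sample data for the example; IDs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("VULN-1", 9.8, "open", "endpoint disabled pending vendor patch"),
    Finding("VULN-2", 7.5, "open"),               # High with no mitigation: blocks submission
    Finding("VULN-3", 8.1, "remediated"),
    Finding("VULN-4", 5.3, "in_progress"),
    Finding("VULN-5", 3.1, "risk_accepted"),
    Finding("VULN-6", 0.0, "open"),
]

SAMPLE_POAMS = [
    PoamItem("AC-2", date(2025, 8, 15)),
    PoamItem("AU-6", date(2025, 5, 1)),           # 152 days since last revisit: stale
    PoamItem("IR-4", date(2025, 4, 1), closed=True),
]

if __name__ == "__main__":
    counts, missing = summarize_findings(SAMPLE_FINDINGS)
    for (sev, status), n in sorted(counts.items()):
        print(f"{sev:<9}{status:<14}{n}")
    print("High/Critical without mitigation:", missing)
    print("Stale POA&M entries:", stale_poams(SAMPLE_POAMS, REPORT_DATE))
    print("Ready to submit:", submission_ready(SAMPLE_FINDINGS, SAMPLE_POAMS, REPORT_DATE))
```

Run against real scanner export by mapping its rows onto `Finding`; the point of `submission_ready` is that a package with an unmitigated open High/Critical item or an unreviewed POA&M entry should fail your own gate before DIR sees it.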

If your TX-RAMP status is based on FedRAMP or StateRAMP/GovRAMP acceptance, DIR does not require duplicative monitoring artifacts; however, agencies should include contractual obligations to maintain an acceptable status and provide notice if that status changes. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Recertification

Level 1 and Level 2 certifications remain valid for three years, assuming continuous compliance. DIR sends recertification reminders 12 and 6 months before expiration; providers may start recertification up to 12 months prior. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

Verifying Provider Certification

To verify a provider, consult DIR’s official TX-RAMP Certified Cloud Products list, which is updated weekly; it shows Provisional, Level 1, and Level 2 statuses and the last update date. You can also request a copy of the provider’s TX-RAMP certificate or confirm status through SPECTRIM if you are an eligible Texas entity. ([dir.texas.gov](https://dir.texas.gov/resource-library-item/tx-ramp-certified-cloud-products?utm_source=openai))

If a product claims FedRAMP or StateRAMP/GovRAMP status, remember reciprocity is no longer automatic—providers must file a TX-RAMP request to appear on the Texas certified list. Always verify the product by name and version. ([dir.texas.gov](https://dir.texas.gov/information-security/tx-ramp-request?utm_source=openai))

Resources and Guidance for Healthcare Organizations

  • TX-RAMP Program Manual (current version), TX-RAMP Security Plan (Control Implementation) Workbook, and TX-RAMP Certified Cloud Products list.
  • NIST SP 800-53 Revision 5 control families; NIST SP 800-37 (Risk Management Framework) and SP 800-137 (information security continuous monitoring) for risk management and continuous monitoring reporting.
  • Agency procurement, vendor risk, and information security teams should collaborate to embed TX-DIR compliance language, breach reporting, and continuous monitoring deliverables in contracts.
  • Leverage Security Documentation Review checklists and pre-assessment gap analyses to accelerate Cloud Service Provider Authorization.

Conclusion

For Texas public-sector healthcare, TX-RAMP operationalizes NIST 800-53 controls and continuous monitoring so you can confidently handle ePHI in the cloud. Most healthcare use cases require Level 2, supported by thorough documentation, vulnerability assessment, and ongoing reporting. Start early in SPECTRIM, consider reciprocity or Fast Track where eligible, and verify status on the DIR list to keep projects moving securely and compliantly. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

FAQs

What is the difference between TX-RAMP Level 1 and Level 2?

Level 1 applies to low-impact information resources, while Level 2 covers moderate or high-impact systems that process confidential or regulated data. In healthcare settings handling ePHI, Level 2 is typically required. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

How often is TX-RAMP certification valid?

TX-RAMP Level 1 and Level 2 certifications are valid for three years, provided you maintain continuous monitoring and meet reporting and notification requirements. DIR issues reminders 12 and 6 months before expiration, and you may initiate recertification up to 12 months in advance. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

What are the key compliance requirements for healthcare under TX-RAMP?

Key requirements include completing the Security Plan and assessment questionnaire, aligning controls with NIST 800-53, maintaining POA&Ms for control gaps, performing vulnerability assessment and reporting on the required cadence, and notifying DIR within 48 hours of any breach of system security. Contract terms should reinforce TX-DIR compliance and health information security obligations. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))

How does continuous monitoring work in TX-RAMP?

After certification, providers submit vulnerability reports to DIR via SPECTRIM—quarterly for Level 2 and annually for Level 1—using CVSS severity, remediation status, and mitigating controls for High/Critical findings. Providers also report significant changes and sustain POA&Ms; if certified through FedRAMP or StateRAMP/GovRAMP, DIR may rely on those programs’ monitoring, though agencies often require proof of ongoing status in contracts. ([dir.texas.gov](https://dir.texas.gov/sites/default/files/2025-05/TX-RAMP%20Program%20Manual%203.1.pdf))
