TX-RAMP v2.0
Texas Risk and Authorization Management Program - Security assessment and certification for cloud computing services used by Texas state agencies
This is a reference tool, not an authoritative source. For official documentation, visit dir.texas.gov.
Framework data extracted from the Texas DIR v2.0 Set Theory Relationship Mapping (STRM) files, licensed under Public Domain. Attribution required per license terms.
All families: 223 controls
AC — Access Control (33 controls)
AC-1 Policy and Procedures
AC-2 Account Management
AC-2(3) Account Management | Disable Accounts
AC-2(5) Account Management | Inactivity Logout
AC-2(7) Account Management | Privileged User Accounts
AC-2(9) Account Management | Restrictions on Use of Shared and Group Accounts
AC-2(12) Account Management | Account Monitoring for Atypical Usage
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
AC-6(1) Least Privilege | Authorize Access to Security Functions
AC-6(2) Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-6(5) Least Privilege | Privileged Accounts
AC-6(7) Least Privilege | Review of User Privileges
AC-6(9) Least Privilege | Log Use of Privileged Functions
AC-6(10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 Unsuccessful Logon Attempts
AC-11 Device Lock
AC-12 Session Termination
AC-14 Permitted Actions Without Identification or Authentication
AC-17 Remote Access
AC-17(1) Remote Access | Monitoring and Control
AC-17(2) Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(3) Remote Access | Managed Access Control Points
AC-17(4) Remote Access | Privileged Commands and Access
AC-17(9) Remote Access | Disconnect or Disable Access
AC-18 Wireless Access
AC-19 Access Control for Mobile Devices
AC-19(5) Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20 Use of External Systems
AC-20(1) Use of External Systems | Limits on Authorized Use
AC-22 Publicly Accessible Content
AT — Awareness and Training (6 controls)
AU — Audit and Accountability (11 controls)
AU-1 Policy and Procedures
AU-2 Event Logging
AU-3 Content of Audit Records
AU-3(1) Content of Audit Records | Additional Audit Information
AU-4 Audit Log Storage Capacity
AU-5 Response to Audit Logging Process Failures
AU-6 Audit Record Review, Analysis, and Reporting
AU-8 Time Stamps
AU-9 Protection of Audit Information
AU-11 Audit Record Retention
AU-12 Audit Record Generation
CA — Security Assessment and Authorization (9 controls)
CM — Configuration Management (21 controls)
CM-1 Policy and Procedures
CM-2 Baseline Configuration
CM-2(3) Baseline Configuration | Retention of Previous Configurations
CM-3 Configuration Change Control
CM-3(2) Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-3(4) Configuration Change Control | Security and Privacy Representatives
CM-4 Impact Analyses
CM-4(2) Impact Analyses | Verification of Controls
CM-5 Access Restrictions for Change
CM-5(5) Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-6 Configuration Settings
CM-7 Least Functionality
CM-7(1) Least Functionality | Periodic Review
CM-7(2) Least Functionality | Prevent Program Execution
CM-7(5) Least Functionality | Authorized Software
CM-8 System Component Inventory
CM-8(1) System Component Inventory | Updates During Installation and Removal
CM-9 Configuration Management Plan
CM-10 Software Usage Restrictions
CM-11 User-installed Software
CM-12 Information Location
CP — Contingency Planning (11 controls)
CP-1 Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
CP-4 Contingency Plan Testing
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site
CP-8 Telecommunications Services
CP-9 System Backup
CP-9(1) System Backup | Testing for Reliability and Integrity
CP-9(8) System Backup | Cryptographic Protection
CP-10 System Recovery and Reconstitution
IA — Identification and Authentication (16 controls)
IA-1 Policy and Procedures
IA-2 Identification and Authentication (Organizational Users)
IA-2(1) Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-2(8) Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-4(4) Identifier Management | Identify User Status
IA-5 Authenticator Management
IA-5(1) Authenticator Management | Password-based Authentication
IA-5(2) Authenticator Management | Public Key-based Authentication
IA-5(6) Authenticator Management | Protection of Authenticators
IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (Non-organizational Users)
IA-11 Re-authentication
IR — Incident Response (10 controls)
IR-1 Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing
IR-3(2) Incident Response Testing | Coordination with Related Plans
IR-4 Incident Handling
IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
IR-9 Information Spillage Response
MA — Maintenance (9 controls)
MP — Media Protection (7 controls)
PE — Physical and Environmental Security (17 controls)
PE-1 Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-6(1) Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-8 Visitor Access Records
PE-9 Power Equipment and Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Environmental Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PL — Planning (5 controls)
PS — Personnel Security (8 controls)
RA — Risk Assessment (8 controls)
RA-1 Policy and Procedures
RA-2 Security Categorization
RA-3 Risk Assessment
RA-5 Vulnerability Monitoring and Scanning
RA-5(2) Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-5(3) Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-5(5) Vulnerability Monitoring and Scanning | Privileged Access
RA-7 Risk Response
SA — System and Services Acquisition (16 controls)
SA-1 Policy and Procedures
SA-3 System Development Life Cycle
SA-4 Acquisition Process
SA-4(1) Acquisition Process | Functional Properties of Controls
SA-4(2) Acquisition Process | Design and Implementation Information for Controls
SA-4(9) Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-5 System Documentation
SA-8 Security and Privacy Engineering Principles
SA-9 External System Services
SA-9(2) External System Services | Identification of Functions, Ports, Protocols, and Services
SA-9(5) External System Services | Processing, Storage, and Service Location
SA-10 Developer Configuration Management
SA-10(1) Developer Configuration Management | Software and Firmware Integrity Verification
SA-11 Developer Testing and Evaluation
SA-15 Development Process, Standards, and Tools
SA-22 Unsupported System Components
SC — System and Communications Protection (23 controls)
SC-1 Policy and Procedures
SC-2 Separation of System and User Functionality
SC-4 Information in Shared System Resources
SC-5 Denial-of-Service Protection
SC-7 Boundary Protection
SC-7(3) Boundary Protection | Access Points
SC-7(4) Boundary Protection | External Telecommunications Services
SC-7(5) Boundary Protection | Deny by Default — Allow by Exception
SC-8 Transmission Confidentiality and Integrity
SC-8(1) Transmission Confidentiality and Integrity | Cryptographic Protection
SC-10 Network Disconnect
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-15 Collaborative Computing Devices and Applications
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity
SC-28 Protection of Information at Rest
SC-28(1) Protection of Information at Rest | Cryptographic Protection
SC-39 Process Isolation
SI — System and Information Integrity (13 controls)
SI-1 Policy and Procedures
SI-2 Flaw Remediation
SI-3 Malicious Code Protection
SI-4 System Monitoring
SI-4(4) System Monitoring | Inbound and Outbound Communications Traffic
SI-5 Security Alerts, Advisories, and Directives
SI-7 Software, Firmware, and Information Integrity
SI-7(1) Software, Firmware, and Information Integrity | Integrity Checks
SI-7(7) Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-10 Information Input Validation
SI-11 Error Handling
SI-12 Information Management and Retention
SI-16 Memory Protection