Sec. 2054.0593. CLOUD COMPUTING STATE RISK AND AUTHORIZATION MANAGEMENT PROGRAM. (a) In this section, "cloud computing service" has the meaning assigned by Section 2157.007.
(b) The department shall establish a state risk and authorization management program to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. The program must allow a vendor to demonstrate compliance by submitting documentation that shows the vendor's compliance with a risk and authorization management program of:
(1) the federal government; or
(2) another state that the department approves.
(c) The department by rule shall prescribe:
(1) the categories and characteristics of cloud computing services subject to the state risk and authorization management program; and
(2) the requirements for certification through the program of vendors that provide cloud computing services.
(d) A state agency shall require each vendor contracting with the agency to provide cloud computing services for the agency to comply with the requirements of the state risk and authorization management program. The department shall evaluate vendors to determine whether a vendor qualifies for a certification issued by the department reflecting compliance with program requirements.
(e) A state agency may not enter or renew a contract with a vendor to purchase cloud computing services for the agency that are subject to the state risk and authorization management program unless the vendor demonstrates compliance with program requirements.
(f) A state agency shall require a vendor contracting with the agency to provide cloud computing services for the agency that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.
Added by Acts 2021, 87th Leg., R.S., Ch. 567 (S.B. 475), Sec. 2, eff. June 14, 2021.
Structure Texas Statutes
Subtitle B - Information and Planning
Chapter 2054 - Information Resources
Subchapter C. General Powers and Duties of Department
Section 2054.051. General Duties of Department
Section 2054.052. General Powers of Department
Section 2054.053. Legislative Budget Instructions; Appropriation Requests
Section 2054.054. Client Omnibus Registry and Exchange Data Bases
Section 2054.0541. Statewide Health Care Data Collection System
Section 2054.055. Performance Report
Section 2054.056. Computer Services
Section 2054.0565. Use of Contracts by Other Entities
Section 2054.058. Consideration of Vendor Incentives
Section 2054.059. Cybersecurity
Section 2054.0591. Cybersecurity Report
Section 2054.0592. Cybersecurity Emergency Funding
Section 2054.0593. Cloud Computing State Risk and Authorization Management Program
Section 2054.0594. Information Sharing and Analysis Organization
Section 2054.060. Digital Signature
Section 2054.061. Use of Consultants and Outside Staff
Section 2054.062. Information Resources Technologies Consolidation
Section 2054.063. Electronic Reporting to State Agencies
Section 2054.064. Board Approval of Contracts
Section 2054.065. Review of Certain Contract Solicitations
Section 2054.066. Department Review
Section 2054.067. Posting of Certain Documents Relating to Contract Solicitations
Section 2054.068. Information Technology Infrastructure Report
Section 2054.069. Prioritized Cybersecurity and Legacy System Projects Report
Section 2054.0691. Digital Transformation Guide
Section 2054.070. Central Repository for Publicly Accessible Electronic Data