(a) In this section, “cloud computing service” has the meaning assigned by § 2157.007.
(b) The department shall establish a state risk and authorization management program to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency. The program must allow a vendor to demonstrate compliance by submitting documentation that shows the vendor’s compliance with a risk and authorization management program of:
(1) the federal government; or
(2) another state that the department approves.

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

Terms Used In Texas Government Code 2054.0593


(c) The department by rule shall prescribe:
(1) the categories and characteristics of cloud computing services subject to the state risk and authorization management program; and
(2) the requirements for certification through the program of vendors that provide cloud computing services.
(d) A state agency shall require each vendor contracting with the agency to provide cloud computing services for the agency to comply with the requirements of the state risk and authorization management program. The department shall evaluate vendors to determine whether a vendor qualifies for a certification issued by the department reflecting compliance with program requirements.
(e) A state agency may not enter or renew a contract with a vendor to purchase cloud computing services for the agency that are subject to the state risk and authorization management program unless the vendor demonstrates compliance with program requirements.
(f) A state agency shall require a vendor contracting with the agency to provide cloud computing services for the agency that are subject to the state risk and authorization management program to maintain program compliance and certification throughout the term of the contract.