TX-RAMP requirements and compliance can be very expensive to meet. Meeting them may involve several third parties who review, test and certify the hosted software, not only once but every year. Luckily, not all software is subject to the thousands of dollars in expense required to meet the regulations of TX-RAMP.
It is important to point out that there are different levels of compliance requirements depending on the purpose and content of the hosted software. The more sensitive the data, the more stringent the requirements are. Some systems are also designated as ‘out-of-scope’ because the data is not sensitive, is public domain or does not present a threat if exposed. While common sense security is always needed to avoid unnecessary exposure and interruption, an out-of-scope designation means the software does not have to meet most or all of the requirements.
Check In Systems products are designed to improve the organization and efficiency of handling customers as they arrive. Queuing systems help move customers from walk-in to the department or customer service desk without the need for a greeter. Just like most people have experienced with the DMV, Check In Systems provides queuing systems for different business sectors.
Check In Systems has been serving government entities across the country for over 20 years, with many in the state of Texas. When the state implemented the TX-RAMP program, Check In Systems immediately filed a provisional status, allowing state agencies to contract for cloud services for up to 18 months without full certification. During this time, it is expected that companies will complete full certification by going through rigorous testing and documentation.
While going through the process, Check In Systems came to the conclusion that their software services fall into the low-risk category and meet the out-of-scope classification. According to the TX-RAMP manual, cloud computing services are out of scope of TX-RAMP certification provided the service is determined to be a low impact information resource that does not process or store confidential state-controlled data other than as needed for login capability or that processes or stores a negligible quantity and/or quality of confidential data. The manual further states what classifies as confidential state-controlled data. Of that list, only one field used by Check In Systems may qualify as confidential, and even that field is an option for the agency to ask.
One specific quote from the TX-RAMP Manual states:
"Cloud computing services are out of scope of TX-RAMP certification provided the service is determined to be a low impact information resource that does not process or store confidential state-controlled data other than as needed for login capability or that processes or stores a negligible quantity and/or quality of confidential data. A state agency is responsible for determining whether the quantity and/or quality of confidential data is negligible."
In conclusion, although the state agencies using the Check In Systems software are responsible for determining quantity and/or quality of confidential data, Check In Systems has determined that according to the TX-RAMP manuals, the software is considered low impact and out-of-scope for compliance needs.
References:
Texas Risk and Authorization Management Program (TX-RAMP) Program Manual Version 3.0
Section 7 - Cloud Services Not Subject to TX-RAMP Certification
7.1 Non-substantive Use of Confidential State-controlled Data
Certain cloud computing services are out of scope of TX-RAMP certification due to the unique circumstances of the service.
7.2 Common Categories of Cloud Services Not Subject to TX-RAMP Certification
Section 9. Minimum Baseline Determination
Of the listed confidential information components, only one is possible on our system, the Date of Birth. This function can be turned off.