Back to Blog
testimonial-strategy
tx-ramp
texas-dir
state-government
cloud-authorization
us-public-sector
provisional-status

Testimonials from Customers Who Have Completed a TX-RAMP Certification — Calibrating Quote Specificity Around the Level, Provisional Status, and the Texas-State-Procurement Disclosure Boundary

ProofShow Team··11 min read

A customer's completion of a TX-RAMP (Texas Risk and Authorization Management Program) certification is a distinctive testimonial moment in the Texas-state-government and broader US-state-public-sector vertical because TX-RAMP — operated by the Texas Department of Information Resources (DIR) under the authority of the Texas Government Code Chapter 2054 — produces a cloud-service-certification artifact that follows disclosure norms diverging from FedRAMP, StateRAMP, SOC 2, and the cloud-attestation programs (IRAP, C5, ISMAP). Most testimonial programs treat TX-RAMP as interchangeable with StateRAMP because both are state-level RAMP-pattern programs, but the operational reality is that TX-RAMP certifications are produced under one of two certification levels (TX-RAMP Level 1 for low-impact data and Level 2 for moderate-impact data) against a specific cloud-service scope and a specific certification status (provisional, full, or expired), are published in the Texas DIR's TX-RAMP Cloud Services Catalog under Texas-state disclosure norms, and are referenced by consuming Texas state agencies and Texas higher-education institutions through procurement-eligibility rules that govern downstream testimonial use.

This guide separates the TX-RAMP certification cycle into four phases, explains the testimonial-wall risks in each phase, and provides per-phase playbooks calibrated to the Texas-state procurement mechanics that most TX-RAMP-completing customers operate under. For broader context on compliance-anchored testimonials, see the playbooks on testimonials when a customer completes a FedRAMP authorization, testimonials when a customer completes a StateRAMP authorization, and testimonials when a customer completes a SOC 2 audit.

The four TX-RAMP certification-cycle phases

A typical TX-RAMP certification path runs through cloud-service-scope definition and certification-level determination, third-party-assessor-engagement-or-direct-DIR-submission, DIR-review-and-conditional-or-full-certification, and Cloud-Services-Catalog publication against the consuming Texas-state-agency procurement requirements (which in the Texas-state context routinely reference TX-RAMP certification as a procurement prerequisite). The cycle commonly spans six to twelve months for a first-time TX-RAMP Level 2 certification and three to six months for a Level 1 certification or a Level 2 re-certification on a previously-certified service scope. Customers move through four distinct phases relative to the certification.

Phase 1: Cloud-service-scope definition and certification-level determination (the period before the certification submission has been formally made). The customer is defining the cloud-service scope to be certified, selecting between TX-RAMP Level 1 (for low-impact data such as public information and low-sensitivity operational data) and Level 2 (for moderate-impact data such as student records, agency case files, and law-enforcement records), determining whether to pursue certification through a Texas-DIR-recognized third-party assessment organization or through direct DIR submission, and producing the documentation set that will be presented to DIR. The customer is highly engaged with the vendor's cloud-security posture and control-implementation evidence but cannot yet claim a TX-RAMP certification. Testimonials produced during scope-definition have a control-implementation-and-documentation character — the customer can speak to the vendor's TX-RAMP-control-mapping clarity, system-security-documentation completeness, and pre-submission-support responsiveness.

Phase 2: Third-party-assessor engagement or direct DIR submission (the period between scope definition and DIR's initial review). The customer has engaged a third-party assessor or has prepared a direct DIR submission, has produced the required documentation set (system security plan, security assessment report, plan of action and milestones, configuration management plan, contingency plan, and incident response plan for Level 2), and is preparing for DIR's initial review. The customer is highly engaged operationally and is producing the evidence packages that DIR will review against the TX-RAMP control baseline. Testimonials produced during third-party-assessor-engagement-or-direct-submission have an evidence-package-and-vendor-collaboration character — the customer can speak to vendor responsiveness during the evidence-package compilation, control-evidence presentation discipline, and the clarity of the vendor's TX-RAMP-control implementation documentation, but should not claim a completed TX-RAMP certification before DIR has reviewed the submission and issued a certification decision.

Phase 3: DIR review and conditional or full certification (the period after submission and through certification decision, typically two to four months for Level 2). DIR has received the submission, has performed its initial review and any follow-up requests for additional evidence, and has issued one of three possible outcomes — provisional certification (granted when the submission meets the baseline requirements but DIR identifies areas requiring continued monitoring), full certification (granted when the submission fully meets the baseline requirements), or denial with remediation requirements. Once DIR issues provisional or full certification, the customer's cloud service is published in the TX-RAMP Cloud Services Catalog with the service name, certification level, certification status (provisional or full), and certification expiry date. Testimonials produced during the certification-decision phase have a certification-progression character — the customer can speak to the vendor's collaboration through the submission, review, and certification window, and can reference the achieved TX-RAMP certification once DIR has issued the certification decision.

Phase 4: Steady-state operation and continuous-monitoring-and-renewal cycle. The TX-RAMP certification is active for one year (Level 1) or two years (Level 2) subject to the continuous-monitoring requirement, and the customer operates against the certified scope while preparing for the next renewal. The continuous-monitoring cycle requires the customer to maintain the certified control posture and to submit monthly or quarterly continuous-monitoring reports to DIR, with the certification remaining in the Cloud Services Catalog subject to the continuous-monitoring outcome and any incident reporting. Testimonials produced in steady-state operation have an operational-stability-and-texas-state-procurement-eligibility character — the customer can speak to how the vendor's control posture supports the customer's continued TX-RAMP-certified status, Texas-state-agency procurement cycles that depend on the TX-RAMP certification, and the cadence of continuous-monitoring submissions. These are the highest-trust testimonials in the cycle because they are produced with the benefit of the full operational record between the certification issuance and the testimonial date, and because the customer has experienced the actual procurement-eligibility benefits of the certification.

The seven quote-request timing risks

The TX-RAMP certification cycle creates seven distinct timing risks that depress otherwise well-crafted testimonials. Each risk corresponds to a specific moment in the cycle where the customer's claim must be calibrated against what the customer has actually achieved and what the Texas DIR disclosure framework permits.

Timing risk 1: Pre-submission enthusiasm. A customer who has decided to pursue TX-RAMP certification but has not yet submitted may speak as if the certification is imminent. Quotes produced in this window often use language like "we are pursuing TX-RAMP" or "we will have TX-RAMP shortly" that overstates the customer's actual position. The fix is to bound the quote with explicit pre-submission framing — "we are preparing our TX-RAMP submission with our third-party assessor" — that signals the customer's actual stage and that does not invite the reader to infer a certification that does not yet exist.

Timing risk 2: Submission-completion overclaim. A customer who has submitted the TX-RAMP package to DIR but has not yet received a certification decision may speak as if the submission is the certification. Quotes produced in this window often conflate the submission artifact with the certification itself. The fix is to use explicit submission language ("we submitted our TX-RAMP Level 2 package to DIR in [month/year] and are awaiting the certification decision") that distinguishes the submission artifact from the certification decision.

Timing risk 3: Level misrepresentation. A customer who has achieved Level 1 certification may speak as if the certification is "TX-RAMP" without naming the level. Quotes produced in this window blur the distinction between Level 1 (low-impact-data services) and Level 2 (moderate-impact-data services). The fix is to require the certification level in the quote ("we achieved TX-RAMP Level 2 for our moderate-impact-data scope") because the level is what the consuming Texas state agencies distinguish during their procurement review.

Timing risk 4: Provisional-vs-full status conflation. A customer who has received provisional certification may speak as if the certification is full. Provisional certifications are a Texas-specific construct that recognizes a service meets the baseline requirements but requires continued monitoring on identified areas; full certifications carry no such continued-monitoring overlay. The fix is to name the certification status explicitly ("we achieved TX-RAMP Level 2 provisional certification" or "we achieved TX-RAMP Level 2 full certification") because the status carries operational implications that consuming agencies factor into procurement decisions.

Timing risk 5: Cloud-Services-Catalog reference precision. A customer may quote the TX-RAMP certification without referencing the Cloud Services Catalog listing. Texas state agencies validate certifications through the Cloud Services Catalog rather than through customer claims; quotes that do not reference the Catalog listing invite agency follow-up to verify the customer's claim. The fix is to encourage the quote to reference the Cloud Services Catalog listing where appropriate ("our TX-RAMP Level 2 certification is listed in the Cloud Services Catalog under [service name]"), which both lends operational specificity to the quote and aligns it with the procurement-verification path.

Timing risk 6: Continuous-monitoring posture omission. A customer who has been certified for a year or more may speak about the certification without referencing the continuous-monitoring discipline that maintains the certification. Quotes produced in this window can give consuming agencies the impression that the certification is a point-in-time artifact rather than an ongoing operational discipline. The fix is to encourage the quote to reference the continuous-monitoring cycle where the testimonial is being used to signal operational stability rather than point-in-time achievement.

Timing risk 7: Certification-expiry staleness. A customer who achieved a TX-RAMP certification more than fifteen months ago, but has not yet completed renewal, may produce a quote that references the certification without acknowledging that it is approaching expiry. Quotes produced in this window invite the consuming reader to assume the certification is current when it may be within months of expiring. The fix is to require an expiry-aware framing in any quote that references the certification within twelve months of the certification's expiry date.

The per-phase testimonial playbook

The four phases support four distinct testimonial types, each with its own quote-construction discipline.

Phase-1 playbook: Control-implementation collaboration testimonials. Quote the customer's experience with the vendor's TX-RAMP-control-mapping clarity, system-security-documentation completeness, and pre-submission support. The quote should not claim TX-RAMP certification and should not name the certification level beyond identifying which level the customer is pursuing. Lead with the customer's operational engagement and the vendor's documentation discipline. A representative pattern: "As we scope our TX-RAMP Level 2 submission, [vendor]'s TX-RAMP control mapping has accelerated our pre-submission preparation by [specific time saving], and our information-security team has reduced its system-security-plan documentation burden by [specific percent]."

Phase-2 playbook: Submission-collaboration testimonials. Quote the customer's experience with vendor responsiveness during the evidence-package compilation, control-evidence presentation, and the clarity of the vendor's TX-RAMP-control implementation documentation. The quote should reference the in-flight submission without claiming the certification, and should name the certification level being pursued. A representative pattern: "Through our TX-RAMP Level 2 submission preparation, [vendor]'s control-evidence packages have let us respond to DIR's evidence requests within [specific turnaround], and our coordination overhead with our third-party assessor has dropped substantially."

Phase-3 playbook: Certification-progression testimonials. Quote the customer's experience with the vendor's collaboration through the submission, review, and certification window. The quote may reference the achieved certification once DIR has issued the certification decision. The quote should name the certification level, the certification status (provisional or full), and the certification-issuance date. A representative pattern: "Achieving our TX-RAMP Level 2 full certification in [month/year] was supported by [vendor]'s rapid response to DIR's follow-up requests, which closed all evidence gaps within [specific time] of DIR's review."

Phase-4 playbook: Steady-state operational testimonials. Quote the customer's experience with the vendor's role in supporting the customer's continued TX-RAMP-certified status, Texas-state-agency procurement cycles, and the cadence of continuous-monitoring submissions. These quotes are the highest-trust testimonials because they reflect the full operational record. A representative pattern: "Eighteen months after our TX-RAMP Level 2 certification, [vendor]'s control posture continues to support our Texas-state-agency procurement eligibility with [number] customers, and our continuous-monitoring cadence has stabilized at [frequency] without findings."

How to source TX-RAMP-anchored testimonials operationally

The Texas DIR Cloud Services Catalog is publicly accessible, which makes TX-RAMP-anchored testimonial sourcing operationally easier than testimonials anchored on programs with restricted-disclosure frameworks. The most reliable sourcing approach is to identify customers whose Texas-state-agency relationships are publicly known (typically Texas higher-education institutions, Texas-DIR-listed cloud-service consumers, or Texas-public-school-district technology relationships), to approach those customers with a quote request that is bounded to the customer's own experience with the vendor's collaboration, and to allow the customer to review the quote before publication. The quote-request process should acknowledge that the customer's procurement-relationship details may themselves be subject to Texas Public Information Act considerations and should be sensitive to the customer's institutional disclosure norms.

For broader testimonial-anchoring practice, see the playbooks on testimonials from government and public-sector clients, testimonials from procurement-led deals, and testimonials when a customer completes a NIST CSF implementation.

The Texas-state-government testimonial wall — when correctly calibrated to the TX-RAMP certification mechanics — reaches a buying audience that is both procurement-disciplined and operationally specific, because the audience itself operates under the same TX-RAMP framework and recognizes the operational specificity that the framework demands. A correctly calibrated TX-RAMP testimonial signals to the consuming Texas state agency that the vendor's customers operate at the same level of procurement discipline, which is the trust signal the agency is screening for at the cloud-service-procurement stage.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free