A Guide to StateRAMP: Benefits, Requirements, and How to Get Authorized

  • November 15, 2023
Author

Emily Bonnie

Senior Content Marketing Manager at Secureframe

Reviewer

StateRAMP

Nonprofit Organization

Cloud solutions have become indispensable for nearly every organization — including government agencies. Yet the widespread adoption of cloud service providers brings the added challenge of ensuring cloud technologies are secure.

StateRAMP is designed to help state and local governments and public institutions partner with CSPs that have enacted strong information security and data privacy practices. Below, we’ll explain StateRAMP’s core components, how it compares to FedRAMP, and the StateRAMP verification processes. You’ll also find a StateRAMP compliance checklist and answers to frequently asked questions.

What is StateRAMP?

StateRAMP is a non-profit membership organization. Its purpose is to help state and local governments create a consistent, robust cybersecurity standard for cloud service providers. Service providers must apply to be included in the StateRAMP Authorized Product List, which involves an audit by a third-party assessment organization (3PAO). 

While StateRAMP is not affiliated with or endorsed by the US government, it does use the National Institute of Standards and Technology (NIST) 800-53 framework to evaluate vendors and their cybersecurity practices. 

What is NIST 800-53?

The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a security compliance standard created by the US government. It helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA) of 2014.

NIST 800-53 is mandatory for federal information systems under FISMA. Organizations that operate systems on behalf of the federal government, or that store or process federal data, are typically bound to it through contract terms or programs such as FedRAMP rather than directly by statute.

NIST 800-53 is widely regarded as the gold standard for federal data security and is written to apply generally across federal agencies. Both FedRAMP and StateRAMP derive their control baselines from the NIST 800-53 catalog.

NIST 800-53 Revision 5 was published in September 2020 and updated (Rev 5.1) in December 2020. StateRAMP's Board of Directors approved transitioning to Rev 5 in May 2023, and StateRAMP is currently working to integrate the changes. All updated templates will be published on the StateRAMP website by January 2024, and providers will be expected to be compliant by October 2024.

StateRAMP vs FedRAMP

StateRAMP and FedRAMP are similar in many respects. Both are designed to help governments establish baseline cybersecurity standards for cloud service providers. Both use NIST 800-53 requirements as their evaluation criteria, along with NIST impact levels (Low, Moderate, High) to assess controls. And both require continuous monitoring for continued compliance.

However, StateRAMP and FedRAMP differ in a few important ways.

As their names suggest, StateRAMP is designed for state agencies, local governments, and higher education institutions. StateRAMP requirements can vary between different state and local governments due to the unique needs of each jurisdiction. FedRAMP is specifically designed for federal programs and contractors, and the requirements are the same regardless of state or agency.

Another important distinction is that StateRAMP is a non-profit organization. Unlike FedRAMP, it is not directly associated with the US federal government.


Which states use StateRAMP?

Any state, local, education, or tribal/territorial government official or IT/information security professional can become a member of the StateRAMP organization by registering online. Many State, Local, and Education (SLED) organizations have adopted StateRAMP, including over two dozen state governments and public education institutions. 

StateRAMP security statuses

StateRAMP maintains an Authorized Product List (APL) which is updated daily to reflect service providers who satisfy StateRAMP requirements. There are six security statuses included in the APL:

Verified Offerings

These service providers have completed an independent audit by a Third-Party Assessment Organization (3PAO) and meet at least the minimum security requirements.

  • Ready: Meets minimum security requirements
  • Provisional: Exceeds minimum requirements and includes a government sponsor
  • Authorized: Satisfies all requirements and includes a government sponsor

Progressing Offerings

These service providers are currently engaged with a 3PAO and are actively working toward a verified offering.

  • Active: Working towards a Ready verified status
  • In Process: Working towards an Authorized verified status
  • Pending: Has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting their determined verified status

As noted above, a government sponsor is required to achieve StateRAMP Authorized or Provisional status. Government sponsors can be any SLED government official or employee who:

  • Serves in the role of Chief Information Security Officer, or their designee
  • Is a StateRAMP Individual Government Member

The role of a government sponsor is to review the PMO’s recommendations and the service provider’s continuous monitoring reports. CSPs that don’t have a government sponsor may instead have a member of the StateRAMP Approvals Committee serve as the authorizing official on behalf of the government.

Benefits of StateRAMP for cybersecurity

Since it uses NIST 800-53 as a foundation, StateRAMP compliance involves a comprehensive set of security controls for protecting information systems. Compliance with the standard offers an array of business benefits:

  • Fuel Growth: Cloud solutions courting state and local governments, educational institutions, and other customers in the public sector will benefit from the enhanced credibility that comes with StateRAMP compliance and inclusion on the Authorized Products List. Stakeholders, including clients, partners, and investors, can have full confidence in the organization's commitment to cloud security.
  • Stronger Security Posture: Implementing NIST 800-53 controls helps organizations protect their information systems from a range of threats, including cyberattacks, insider threats, and physical threats. The rigorous guidelines help reduce the risk of security breaches, data loss, and unauthorized data disclosure. NIST 800-53 is the gold standard among frameworks and comprehensive control sets. 
  • Enhanced Data Privacy: The integration of privacy controls ensures that personally identifiable information (PII) is also protected, reducing the risks associated with privacy breaches.
  • Improved Incident Response: With a well-defined set of controls and processes, organizations can respond to and recover from incidents more efficiently and effectively.
  • Standardized Risk Management: StateRAMP provides an organized, consistent framework for assessing the risks to information systems and for implementing appropriate security controls.
  • Informed Decision Making: The guidelines aid in making informed decisions regarding security investments and resource allocations, helping prioritize security needs based on actual risks.
  • Cost Savings: While achieving compliance may require an initial investment, it can result in long-term savings by preventing costly breaches and improving operational efficiency.
  • Continuous Monitoring and Improvement: StateRAMP requires continuous monitoring, ensuring that security measures evolve with changing threats.
  • Compliance Across Frameworks: StateRAMP requirements overlap with several other frameworks, making it an efficient way to achieve compliance with other in-demand standards such as FedRAMP, NIST 800-171, SOC 2, ISO 27001, and others. Organizations that use compliance automation software can map policies and controls implemented for StateRAMP across multiple frameworks, eliminating duplicate effort. 

StateRAMP and NIST 800-53 compliance offer a thorough and well-structured approach to information security and data privacy, which has led many government and private-sector organizations to use it as a guide for their own security practices.

How to get StateRAMP authorized

The process of becoming StateRAMP authorized involves several clear-cut steps. Let’s walk through each one to clarify how organizations become StateRAMP compliant. 

1. Become a StateRAMP member: Service providers must become a StateRAMP member before their IaaS, PaaS, or SaaS solutions can be validated by the Program Management Office (PMO), obtain a StateRAMP security status, or be listed on the Authorized Product List (APL).

2. Complete a StateRAMP Security Snapshot (Optional): This pre-assessment evaluates your organization against StateRAMP's minimum requirements to identify gaps in your cybersecurity posture before you engage a 3PAO.

3. Select the appropriate StateRAMP authorization path: Use StateRAMP’s Data Classification Tool to determine the appropriate security category and the corresponding requirements. This will help you decide whether to become StateRAMP Ready or StateRAMP Authorized. 

4. Partner with a Third-Party Assessment Organization. First, choose from the list of StateRAMP Approved Assessors. Then work with the 3PAO to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR) and evaluate your compliance posture.

5. Compile Documentation: Documentation requirements differ based on the relevant verification status. If you’re pursuing Ready status, you must have 50% of your documentation completed before the 3PAO can complete the Readiness Assessment Report (RAR). 

If you’re preparing for your StateRAMP Authorization Review, you’ll need the following completed documentation: 

  • System Security Plan (SR-SSP)
  • Security Controls Matrix (SR-SCM)
  • Plan of Actions and Milestones (POA&M)
  • Any other documents requested by the 3PAO to complete the SR-SAP and SR-SAR

6. Submit a Security Review Request: Once you submit all of your security documentation to the StateRAMP PMO, the average time to complete a review is a few weeks. 

7. Find a Government Sponsor or Approvals Committee: This step is only required for organizations pursuing StateRAMP Authorized or Provisional status; Ready status does not require a sponsor.

8. Obtain StateRAMP Verified Status: After evaluation, your organization will receive its Verified status and be added to the Authorized Product List (APL).

9. Establish Continuous Monitoring Practices: Work with your 3PAO to define the appropriate continuous monitoring approach. Each month you’ll need to: 

  • Update your Plan of Action and Milestones (POA&M), opening new weaknesses and closing remediated ones
  • Update your vulnerability scans and inventory worksheet
  • Submit a monthly report to the StateRAMP PMO for review
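The monthly cycle above is mostly bookkeeping that is easy to get wrong by hand: findings that drop out of a scan must be closed, previously closed findings that reappear must be reopened with a fresh clock, and open items must be tracked against their remediation deadline. The following Python script is an added example of one way to automate that reconciliation; it is not StateRAMP's or Secureframe's tooling. The scan export, the prior POA&M rows, and the 30/90/180-day remediation windows are constructed assumptions, and the windows in particular should be confirmed against StateRAMP's continuous monitoring guidance before being relied on.

```python
"""Reconcile a monthly vulnerability scan export against a POA&M.

Added example, not StateRAMP's or Secureframe's own tooling. Scan rows,
POA&M entries and remediation windows below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, replace
from datetime import date, timedelta

# ASSUMPTION: remediation windows in days by severity. Confirm against the
# program's continuous monitoring guidance before using them in a real package.
# An unknown severity raises KeyError on purpose rather than silently passing.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


@dataclass
class PoamItem:
    weakness_id: str          # stable key: finding id + asset, so reruns match
    asset: str
    severity: str
    detected: date            # date the weakness was first (or last re-)detected
    status: str = "Open"      # "Open" or "Closed"
    closed: date | None = None

    def due(self) -> date:
        """Remediation deadline derived from the severity window."""
        return self.detected + timedelta(days=REMEDIATION_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        return self.status == "Open" and today > self.due()


def parse_scan(csv_text: str) -> dict[str, dict[str, str]]:
    """Index scan rows by finding id + asset (the POA&M weakness key)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {f"{r['finding_id']}@{r['asset']}": r for r in rows}


def reconcile(poam: list[PoamItem], scan_csv: str, today: date) -> list[PoamItem]:
    """Return an updated POA&M: new findings opened, findings no longer reported
    closed, previously closed findings that reappear reopened. Input is not mutated."""
    current = parse_scan(scan_csv)
    by_id = {p.weakness_id: replace(p) for p in poam}
    for key, row in current.items():
        item = by_id.get(key)
        if item is None:
            by_id[key] = PoamItem(key, row["asset"], row["severity"], today)
        elif item.status == "Closed":
            # Regression: the fix did not hold, so the remediation clock restarts today
            item.status, item.detected, item.closed = "Open", today, None
    for item in by_id.values():
        if item.status == "Open" and item.weakness_id not in current:
            item.status, item.closed = "Closed", today
    # Open items first, soonest deadline first, so the report leads with risk
    return sorted(by_id.values(), key=lambda p: (p.status != "Open", p.due()))


def overdue(poam: list[PoamItem], today: date) -> list[str]:
    """Weakness ids past their remediation window; each needs a documented justification."""
    return [p.weakness_id for p in poam if p.is_overdue(today)]


def to_csv(poam: list[PoamItem]) -> str:
    """Render the POA&M as CSV in the shape a monthly report might carry."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["weakness_id", "asset", "severity", "detected", "due", "status", "closed"])
    for p in poam:
        w.writerow([p.weakness_id, p.asset, p.severity, p.detected.isoformat(),
                    p.due().isoformat(), p.status, p.closed.isoformat() if p.closed else ""])
    return out.getvalue()


# Constructed sample data: last month's POA&M and this month's scan export.
PRIOR_POAM = [
    PoamItem("CVE-2023-0001@web-01", "web-01", "High", date(2023, 9, 1)),
    PoamItem("CVE-2023-0002@db-01", "db-01", "Moderate", date(2023, 10, 10)),
    PoamItem("CVE-2023-0004@web-01", "web-01", "Moderate", date(2023, 8, 1),
             status="Closed", closed=date(2023, 9, 15)),
]
SCAN_CSV = """finding_id,asset,severity
CVE-2023-0001,web-01,High
CVE-2023-0003,api-01,Low
CVE-2023-0004,web-01,Moderate
"""
TODAY = date(2023, 11, 1)

if __name__ == "__main__":
    updated = reconcile(PRIOR_POAM, SCAN_CSV, TODAY)
    print(to_csv(updated))
    print("overdue:", overdue(updated, TODAY))
```

Run as-is, the sample closes CVE-2023-0002 (no longer reported), opens CVE-2023-0003, reopens CVE-2023-0004 with a new detection date, and flags CVE-2023-0001 as overdue because its 30-day High window from September 1 has passed. Keying weaknesses by finding id plus asset is what makes month-over-month diffs stable; keying by scan row number or by CVE alone would either duplicate items or collapse distinct hosts into one.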

StateRAMP Compliance Checklist

1. Define Scope

2. Perform a Risk Assessment

3. Document Existing Policies & Controls

4. Verify or Implement NIST 800-53 Security Controls

5. Evaluate Controls

6. Authorize the System

7. Establish a Continuous Monitoring Program

8. Create an Incident Response Plan

9. Complete Security Awareness Training

10. Review & Update Controls/Documentation

Automating StateRAMP compliance

Because it’s a rigorous standard, achieving StateRAMP compliance requires a significant amount of time and resources. You’ll need to complete a risk assessment and gap analysis, select and implement controls, write policies, train staff, and collect documentation and evidence for your 3PAO. And once that’s done, you’ll have to implement ongoing assessments and continuous monitoring to maintain compliance. 

Compliance automation platforms like Secureframe can significantly cut down on the amount of time and effort it takes to complete these manual tasks, freeing up your team to focus on strategic objectives.

Here are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks: 

Government and federal compliance expertise

Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step. 

Integrations with federal cloud products

Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.

Trusted 3PAO partner network

Secureframe has strong relationships with respected auditing firms that are certified Third Party Assessment Organizations (3PAOs) and can support StateRAMP and other federal audits such as FedRAMP, CMMC, and CJIS. 

Cross-mapping across frameworks

NIST 800-53 has many overlapping requirements with StateRAMP, NIST 800-171, FedRAMP, CJIS, and other federal frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for StateRAMP to other frameworks so you’re never duplicating efforts. 

Continuous monitoring

By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance. You can specify test intervals and notifications for required regular tasks to maintain StateRAMP compliance. You can also use our Risk Register and Risk Management capabilities to support your continuous monitoring efforts and POA&M maintenance. 

To learn more about how Secureframe can help you comply with StateRAMP, FedRAMP, and other federal frameworks, schedule a demo with a product expert.


FAQs

What is the difference between StateRAMP and FedRAMP?

StateRAMP and FedRAMP are both security programs designed to help government organizations verify the cybersecurity practices of their cloud service providers. StateRAMP is a nonprofit membership organization that helps state and local governments and public institutions find cloud providers with strong cybersecurity practices. FedRAMP is the federal government's program for cloud service providers that serve federal agencies, and its requirements do not vary by agency. 

Organizations that already have federal authorization (ATO, P-ATO, or Ready FedRAMP status) can apply for StateRAMP Fast Track to expedite the verification process. 

What is StateRAMP certification?

Organizations may apply to be included on the StateRAMP Authorized Product List. There are six possible levels, or security statuses. Verified offerings are for service providers who have completed an independent audit and meet minimum security requirements for NIST 800-53:

  • Ready: Meets minimum security requirements
  • Provisional: Exceeds minimum requirements and includes a government sponsor
  • Authorized: Satisfies all requirements and includes a government sponsor

Progressing offerings are organizations that are currently working with a 3PAO towards a verified offering:

  • Active: Working towards a Ready verified status
  • In Process: Working towards an Authorized verified status
  • Pending: Has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting their determined verified status

Organizations that currently hold FedRAMP authorization can apply to the StateRAMP Fast Track program, which reuses the existing federal security package so a separate StateRAMP audit is not required.

Who does StateRAMP apply to?

StateRAMP is designed for providers of IaaS, PaaS, and SaaS solutions that serve state and local government agencies and higher education institutions. Organizations can apply for StateRAMP membership at stateramp.org.

Why is StateRAMP important?

In addition to helping service organizations build trust and secure customers within state and local governments and higher education institutions, StateRAMP provides organizations with clear standards and guidelines for building, maintaining, and continually improving a strong cybersecurity posture. 

What is the StateRAMP Security Snapshot?

StateRAMP Security Snapshot is new tooling developed by StateRAMP to help service providers assess their current security posture and readiness for a 3PAO assessment. The Security Snapshot also provides a gap analysis against StateRAMP Minimum Mandatory Requirements. 

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.