A Guide to StateRAMP: Benefits, Requirements, and How to Get Authorized
Cloud solutions have become indispensable for nearly every organization — including government agencies. Yet the widespread adoption of cloud service providers brings the added challenge of ensuring cloud technologies are secure.
StateRAMP is designed to help state and local governments and public institutions partner with CSPs that have enacted strong information security and data privacy practices. Below, we’ll explain StateRAMP’s core components, how it compares to FedRAMP, and the StateRAMP verification processes. You’ll also find a StateRAMP compliance checklist and answers to frequently asked questions.
What is StateRAMP?
StateRAMP is a non-profit membership organization. Its purpose is to help state and local governments create a consistent, robust cybersecurity standard for cloud service providers. Service providers must apply to be included in the StateRAMP Authorized Product List, which involves an audit by a third-party assessment organization (3PAO).
While StateRAMP is not meant for the US federal government, it does use the National Institute of Standards and Technology (NIST) 800-53 Revision 5 framework to evaluate vendors and their cybersecurity practices. NIST 800-53 is considered the gold standard for federal data security and is written to be general enough to apply to every federal agency. Both FedRAMP and StateRAMP (as well as many other frameworks) derive their control requirements from NIST 800-53.
StateRAMP Rev. 5
In 2023, StateRAMP's Standards & Technical Committee updated StateRAMP’s security requirements from NIST 800-53 Rev. 4 to the most recent publication, NIST 800-53 Rev. 5.
All updated baselines, requirements, templates, and the StateRAMP Security Snapshot criteria and scoring were published on the StateRAMP website by December 2023. The updated StateRAMP Security Snapshot criteria and scoring went into effect beginning January 2024, and all providers were expected to be compliant with the updated Rev. 5 requirements by October 2024.
Here are some of the most significant changes to StateRAMP Revision 5:
- StateRAMP Security Snapshot criteria and scoring aligned with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework: The Snapshot criteria were updated to include the 40 highest-scoring controls (ranked by their coverage of MITRE ATT&CK techniques) from the StateRAMP Ready – Moderate Impact requirements, and the scoring changed from a 60-point scale to a percentage out of 100, weighted by the risk score assigned through the MITRE ATT&CK mapping. This ensures that the Snapshot emphasizes the practices with the greatest impact on a provider's defenses.
- Updated control baselines for StateRAMP Authorized: StateRAMP baseline controls for Low and Moderate impact levels were updated to align with NIST 800-53 Rev. 5. Most notably, the Rev. 5 baselines deselect the Privacy Controls Family and add the Supply Chain Risk Management (SCRM) Family. As a result, the number of controls changed. The Low baseline is now composed of 153 controls and the Moderate baseline is composed of 319. Previously, they were composed of 117 and 325 controls respectively.
- Updated Provisional status: A Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration, but their interconnected technologies are not StateRAMP or FedRAMP Authorized. This change reflects the growing risk that supply chains pose and the importance of ensuring that interconnected technologies meet minimum security requirements.
StateRAMP vs FedRAMP
StateRAMP and FedRAMP are similar in many respects. Both are designed to help governments establish baseline cybersecurity standards for cloud service providers. Both use NIST 800-53 requirements as their evaluation criteria, along with NIST impact levels (Low, Moderate, High) to assess controls. And both require continuous monitoring for continued compliance.
However, StateRAMP and FedRAMP differ in a few important ways.
As their names suggest, StateRAMP is designed for state agencies, local governments, and higher education institutions. StateRAMP requirements can vary between different state and local governments due to the unique needs of each jurisdiction. FedRAMP is specifically designed for federal programs and contractors, and the requirements are the same regardless of state or agency.
Another important distinction is that StateRAMP is a non-profit organization. Unlike FedRAMP, it is not directly associated with the US federal government.
Which states use StateRAMP?
Any state, local, education, or tribal/territorial government official or IT/information security professional can become a member of the StateRAMP organization by registering online. Many State, Local, and Education (SLED) organizations have adopted StateRAMP, including over two dozen state governments and public education institutions.
Some notable examples are:
- Alabama
- Arizona
- Arkansas
- California
- Colorado
- Connecticut
- Hillsborough County Sheriff's Office, Palm Beach Gardens, and Lake County in Florida
- Georgia
- Indiana
- Kansas
- Maine
- Massachusetts
- Michigan
- Minnesota
- Missouri
- Nebraska
- Nevada
- New Hampshire
- New Jersey Cybersecurity & Communication Cell
- New York
- North Carolina
- North Dakota
- Ohio
- Oklahoma
- Oregon
- Texas
- Vermont
- West Virginia
These are some, but not all, of the state, local, and education organizations participating in StateRAMP; the full list is published on the StateRAMP website.
StateRAMP security statuses
StateRAMP maintains an Authorized Product List (APL) which is updated daily to reflect service providers who satisfy StateRAMP requirements. There are six security statuses included in the APL:
Verified Offerings
These service providers have completed an independent audit by a third-party assessment organization (3PAO) and meet minimum security requirements.
- Ready: Meets minimum security requirements
- Provisional: Exceeds minimum requirements and includes a government sponsor
- Authorized: Satisfies all requirements and includes a government sponsor
Progressing Offerings
These service providers are currently engaged with a third-party assessment organization and are actively working toward a verified offering.
- Active: Working towards a Ready verified status
- In Process: Working towards an Authorized verified status
- Pending: Has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting their determined verified status
As noted above, a government sponsor is required to achieve StateRAMP Authorized or Provisional status. Government sponsors can be any SLED government official or employee who:
- Serves in the role of Chief Information Security Officer, or their designee
- Is a StateRAMP Individual Government Member
The role of a government sponsor is to review the PMO’s recommendations and the service organization’s annual continuous monitoring reports. CSPs that don’t have a government sponsor may also use a member of the StateRAMP Approvals Committee to serve as an authorizing official on behalf of the government.
Benefits of StateRAMP for cybersecurity
Since it uses NIST 800-53 as a foundation, StateRAMP compliance involves a comprehensive set of security controls for protecting information systems. Compliance with the standard offers an array of business benefits:
- Fuel Growth: Cloud solutions courting state and local governments, educational institutions, and other customers in the public sector will benefit from the enhanced credibility that comes with StateRAMP compliance and inclusion on the Authorized Products List. Stakeholders, including clients, partners, and investors, can have full confidence in the organization's commitment to cloud security.
- Stronger Security Posture: Implementing NIST 800-53 controls helps organizations protect their information systems from a range of threats, including cyberattacks, insider threats, and physical threats. The rigorous guidelines reduce the risk of security breaches, data loss, and unauthorized data disclosure.
- Enhanced Data Privacy: NIST 800-53 Rev. 5 integrates privacy controls into its catalog so that personally identifiable information (PII) is protected alongside other data. Note, however, that the StateRAMP Rev. 5 Low and Moderate baselines deselect the Privacy control family, so providers handling PII should confirm with their sponsor which privacy controls are expected rather than assuming the baseline covers them.
- Improved Incident Response: With a well-defined set of controls and processes, organizations can respond to and recover from incidents more efficiently and effectively.
- Standardized Risk Management: StateRAMP provides an organized, consistent framework for assessing the risks to information systems and for implementing appropriate security controls.
- Informed Decision Making: The guidelines aid in making informed decisions regarding security investments and resource allocations, helping prioritize security needs based on actual risks.
- Cost Savings: While achieving compliance may require an initial investment, it can result in long-term savings by preventing costly breaches and improving operational efficiency.
- Continuous Monitoring and Improvement: StateRAMP requires continuous monitoring, ensuring that security measures evolve with changing threats.
- Compliance Across Frameworks: StateRAMP requirements overlap with several other frameworks, making it an efficient way to achieve compliance with other in-demand standards such as FedRAMP, NIST, SOC 2, ISO 27001, and others. Organizations that use compliance automation software can easily map policies and controls for StateRAMP across multiple frameworks, eliminating duplicate efforts.
StateRAMP and NIST 800-53 compliance offer a thorough and well-structured approach to information security and data privacy, which has led many government and private-sector organizations to use it as a guide for their own security practices.
StateRAMP Compliance Checklist
1. Define Scope
2. Perform a Risk Assessment
3. Document Existing Policies & Controls
4. Verify or Implement NIST 800-53 Security Controls
5. Evaluate Controls
6. Authorize the System
7. Establish a Continuous Monitoring Program
8. Create an Incident Response Plan
9. Complete Security Awareness Training
10. Review & Update Controls/Documentation
Simplifying and streamlining government compliance with Secureframe
Achieving compliance with rigorous frameworks like StateRAMP requires a significant amount of time and resources. You’ll need to complete a risk assessment and gap analysis, select and implement controls, write policies, train staff, and collect documentation and evidence for your assessor. And once that’s done, you’ll have to implement ongoing assessments and continuous monitoring to maintain compliance.
Compliance automation platforms like Secureframe can significantly cut down on the amount of time and effort it takes to complete these manual tasks, freeing up your team to focus on strategic objectives.
Below are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks like NIST 800-53, NIST 800-171, TX-RAMP 3.0, and CMMC, which can significantly simplify and speed up time-to-compliance with StateRAMP.
Government and federal compliance expertise
Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step.
Integrations with federal cloud products
Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.
Prebuilt and custom policies and templates
Secureframe provides templated policies, procedures, and SSPs, plus additional templates including a Separation of Duties matrix, POA&M documents, impact assessments, and readiness checklists. These are customizable so organizations can quickly build out their policy library and compile the required documentation.
Trusted 3PAO partner network
Secureframe has strong relationships with respected auditing firms that are certified Third Party Assessment Organizations (3PAOs) and can support audits such as CMMC and CJIS, including Schellman and Prescient Security.
Cross-mapping across frameworks
NIST 800-53 has many overlapping requirements with StateRAMP, NIST 800-171, FedRAMP, TX-RAMP, CJIS, and other government frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for one framework to others so you’re never duplicating efforts.
Continuous monitoring
By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance. You can specify test intervals and notifications for required regular tasks to maintain compliance. You can also use our Risk Register and Risk Management capabilities to support your continuous monitoring efforts and POA&M maintenance.
To learn more about how Secureframe can help you comply with government and federal frameworks, schedule a demo with a product expert.
FAQs
What is the difference between StateRAMP and FedRAMP?
StateRAMP and FedRAMP are both security standards designed to help government organizations mitigate cyber threats. However, StateRAMP is a nonprofit membership organization that works to help state and local governments find cloud computing providers that have strong cybersecurity practices. FedRAMP is the federal government's own program, covering cloud service providers working with federal agencies.
Organizations that already have federal authorization (ATO, P-ATO, or Ready FedRAMP status) can apply for StateRAMP Fast Track to expedite the verification process.
What is StateRAMP certification?
Organizations may apply to be included on the StateRAMP Authorized Product List. There are six possible levels, or security statuses. Verified offerings are for service providers who have completed an independent audit and meet minimum security requirements for NIST 800-53:
- Ready: Meets minimum security requirements
- Provisional: Exceeds minimum requirements and includes a government sponsor
- Authorized: Satisfies all requirements and includes a government sponsor
Progressing offerings are organizations that are currently working with a 3PAO towards a verified offering:
- Active: Working towards a Ready verified status
- In Process: Working towards an Authorized verified status
- Pending: Has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting their determined verified status
Organizations that currently have FedRAMP authorization can apply to the StateRAMP Fast Track program, which relies on the existing FedRAMP assessment rather than requiring a new external audit.
Who does StateRAMP apply to?
StateRAMP is designed for service providers who work with local and state government agencies, and higher education institutions, including IaaS, PaaS, and SaaS solutions. Organizations can apply for StateRAMP membership at stateramp.org.
Why is StateRAMP important?
In addition to helping service organizations build trust and secure customers within state and local governments and higher education institutions, StateRAMP provides organizations with clear standards and guidelines for building, maintaining, and continually improving a strong cybersecurity posture.
What is the StateRAMP Security Snapshot?
The StateRAMP Security Snapshot is a tool developed by StateRAMP to help service providers assess their current security posture and readiness for a 3PAO assessment. The Security Snapshot also provides a gap analysis against the StateRAMP Minimum Mandatory Requirements.
Can StateRAMP compliance be used for TX-RAMP certification?
Yes, organizations can achieve TX-RAMP Level 1 certification by achieving StateRAMP Ready Status and TX-RAMP Level 2 certification by achieving StateRAMP Authorized Status.
Does StateRAMP require continuous monitoring?
Yes, StateRAMP requires continuous monitoring of CSPs to ensure ongoing compliance with security standards. CSPs must provide regular updates and undergo periodic assessments to maintain their StateRAMP status.
What is the cost of getting StateRAMP certification?
The cost of obtaining StateRAMP certification varies depending on several factors, including the size of the CSP, the level of security certification sought, and the fees charged by the 3PAO. Costs typically cover the assessment, remediation (if necessary), and continuous monitoring.
Where can I find more information about StateRAMP?
More information about StateRAMP, including detailed guidelines, membership information, and resources, can be found on the official StateRAMP website.