Cloud solutions have become indispensable for nearly every organization — including government agencies. Yet the widespread adoption of cloud service providers brings the added challenge of ensuring cloud technologies are secure.

StateRAMP is designed to help state and local governments and public institutions partner with CSPs that have enacted strong information security and data privacy practices. Below, we’ll explain StateRAMP’s core components, how it compares to FedRAMP, and the StateRAMP verification processes. You’ll also find a StateRAMP compliance checklist and answers to frequently asked questions.

What is StateRAMP?

StateRAMP is a non-profit membership organization. Its purpose is to help state and local governments create a consistent, robust cybersecurity standard for cloud service providers. Service providers must apply to be included in the StateRAMP Authorized Product List, which involves an audit by a third-party assessment organization (3PAO). 

While StateRAMP is not meant forthe US government, it does use the National Institute of Standards and Technology (NIST) 800-53 Revision 5 framework to evaluate vendors and their cybersecurity practices. NIST 800-53 is considered the gold standard for federal data security and is designed to be general and applicable to federal agencies, including the Department of Labor. Both FedRAMP and StateRAMP (as well as many other frameworks) are derivatives of the NIST 800-53 framework.

StateRAMP Rev. 5

In 2023, StateRAMP's Standards & Technical Committee updated StateRAMP’s security requirements from NIST 800-53 Rev. 4 to the most recent publication, NIST 800-53 Rev. 5. 

All updated baselines, requirements, templates, and the StateRAMP Security Snapshot criteria and scoring were published on the StateRAMP website by December 2023. The updated StateRAMP Security Snapshot criteria and scoring went into effect beginning January 2024, and all providers were expected to be compliant with the updated Rev. 5 requirements by October 2024.

Here are some of the most significant changes to StateRAMP Revision 5:

• StateRAMP Security Snapshot criteria and scoring aligned with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework: The Snapshot Criteria was updated to include the 40 highest scoring MITRE ATT&CK threat controls from the requirements for StateRAMP Ready – Mod Impact, and the scoring was updated from 60 points to a percentage out of 100, weighted by risk score assigned by the MITRE Attack Framework. This helps ensure that the Snapshot emphasizes the best practices that have the greatest impact on improved security defenses.
• Updated control baselines for StateRAMP Authorized: StateRAMP baseline controls for Low and Moderate impact levels were updated to align with NIST 800-53 Rev. 5. Most notably, the Rev. 5 baselines deselect the Privacy Controls Family and add the Supply Chain Risk Management (SCRM) Family. As a result, the number of controls changed. The Low baseline is now composed of 153 controls and the Moderate baseline is composed of 319. Previously, they were composed of 117 and 325 controls respectively. 
• Updated Provisional status: A Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration, but their interconnected technologies are not StateRAMP or FedRAMP Authorized. This change reflects the growing risk that supply chains pose and the importance of ensuring that interconnected technologies meet minimum security requirements.

StateRAMP vs FedRAMP

StateRAMP and FedRAMP are similar in many respects. Both are designed to help governments establish baseline cybersecurity standards for cloud service providers. Both use NIST 800-53 requirements as their evaluation criteria, along with NIST impact levels (Low, Moderate, High) to assess controls. And both require continuous monitoring for continued compliance.

However, StateRAMP and FedRAMP differ in a few important ways.

As their names suggest, StateRAMP is designed for state agencies, local governments, and higher education institutions. StateRAMP requirements can vary between different state and local governments due to the unique needs of each jurisdiction. FedRAMP is specifically designed for federal programs and contractors, and the requirements are the same regardless of state or agency.

Another important distinction is that StateRAMP is a non-profit organization. Unlike FedRAMP, it is not directly associated with the US federal government.

Which states use StateRAMP?

Any state, local, education, or tribal/territorial government official or IT/information security professional can become a member of the StateRAMP organization by registering online. Many State, Local, and Education (SLED) organizations have adopted StateRAMP, including over two dozen state governments and public education institutions.

Some notable examples are:

• Alabama
• Arizona
• Arkansas
• California
• Colorado
• Connecticut
• Hillsborough County Sheriff's Office, Palm Beach Gardens, and Lake County in Florida
• Georgia
• Indiana
• Kansas
• Maine
• Massachusetts
• Michigan
• Minnesota
• Missouri
• Nebraska
• Nevada
• New Hampshire
• New Jersey Cybersecurity & Communication Cell
• New York
• North Carolina
• North Dakota
• Ohio
• Oklahoma
• Oregon
• Texas
• Vermont
• West Virginia

The image below features some — but not all — state, local, and education organization participating in StateRAMP. Find the full list here. 

StateRAMP security statuses

StateRAMP maintains an Authorized Product List (APL) which is updated daily to reflect service providers who satisfy StateRAMP requirements. There are six security statuses included in the APL:

Verified Offerings

These service providers have completed an independent audit by a third-party assessing organization (3PAO) and meet minimum security requirements.

• Ready: Meets minimum security requirements
• Provisional: Exceeds minimum requirements and includes a government sponsor
• Authorized: Satisfies all requirements and includes a government sponsor

Progressing Offerings

These service providers are currently engaged with a third-party assessing organization and are actively working toward a verified offering.

• Active: Working towards a Ready verified status
• In Process: Working towards an Authorized verified status
• Pending: Has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting their determined verified status

As noted above, a government sponsor is required to achieve StateRAMP Authorized or Provisional status. Government sponsors can be any SLED government official or employee who:

• Serves in the role of Chief Information Security Officer, or their designee
• Is a StateRAMP Individual Government Member

The role of a government sponsor is to review the PMO’s recommendations and the service organization’s annual continuous monitoring reports. CSPs that don’t have a government sponsor may also use a member of the StateRAMP Approvals Committee to serve as an authorizing official on behalf of the government.

Benefits of StateRAMP for cybersecurity

Since it uses NIST 800-53 as a foundation, StateRAMP compliance involves a comprehensive set of security controls for protecting information systems. Compliance with the standard offers an array of business benefits:

• Fuel Growth: Cloud solutions courting state and local governments, educational institutions, and other customers in the public sector will benefit from the enhanced credibility that comes with StateRAMP compliance and inclusion on the Authorized Products List. Stakeholders, including clients, partners, and investors, can have full confidence in the organization's commitment to cloud security.
• Stronger Security Posture: Implementing NIST 800-53 controls helps organizations protect their information systems from a range of threats, including cyberattacks, insider threats, and physical threats. The rigorous guidelines help reduce the risk of security breaches, data loss, and unauthorized data disclosure. NIST 800-53 is the gold standard among frameworks and comprehensive control sets. 
• Enhanced Data Privacy: The integration of privacy controls ensures that personally identifiable information (PII) is also protected, reducing the risks associated with privacy breaches.
• Improved Incident Response: With a well-defined set of controls and processes, organizations can respond to and recover from incidents more efficiently and effectively.
• Standardized Risk Management: StateRAMP provides an organized, consistent framework for assessing the risks to information systems and for implementing appropriate security controls.
• Informed Decision Making: The guidelines aid in making informed decisions regarding security investments and resource allocations, helping prioritize security needs based on actual risks.
• Cost Savings: While achieving compliance may require an initial investment, it can result in long-term savings by preventing costly breaches and improving operational efficiency.
• Continuous Monitoring and Improvement: StateRAMP requires continuous monitoring, ensuring that security measures evolve with changing threats.
• Compliance Across Frameworks: StateRAMP requirements overlap with several other frameworks, making it an efficient way to achieve compliance with other in-demand standards such as FedRAMP, NIST, SOC 2, ISO 27001, and others. Organizations that use compliance automation software can easily map policies and controls for StateRAMP across multiple frameworks, eliminating duplicate efforts. 

StateRAMP and NIST 800-53 compliance offer a thorough and well-structured approach to information security and data privacy, which has led many government and private-sector organizations to use it as a guide for their own security practices.

How to get StateRAMP authorized

The process of becoming StateRAMP authorized involves several clear-cut steps. Let’s walk through each one to clarify how organizations become StateRAMP compliant. 

1. Become a StateRAMP member

Service providers must become a StateRAMP member before their IaaS, PaaS, or SaaS solutions can be validated by the Program Management Office (PMO), obtain a StateRAMP security status, or be listed on the Authorized Product List (APL).

There are different membership tiers available for service providers, 3PAOs, public organizations, and private education institutions. Select the one that best aligns with your industry type and organization’s goals.

2. Complete a StateRAMP Security Snapshot (Optional)

This pre-assessment evaluates your organization to identify any gaps in your cybersecurity posture and ensure you’re meeting the minimum mandatory requirements for StateRAMP Ready status.

To get started, you have to answer a short survey. Following your submission, you will then schedule an initial intake meeting with the StateRAMP PMO security team, answer any follow-up questions, and receive your product’s security maturity score in approximately three weeks. The Security Snapshot does not require a 3PAO. 

3. Select the appropriate StateRAMP authorization path

Next, providers must determine what StateRAMP Impact Level—Low, Moderate, or High—is required by their existing or prospective state or local government partners. 

If you’re not sure, use StateRAMP’s Data Classification Tool to determine the appropriate security category and the corresponding requirements. Answering this series of questions will help you decide whether to become StateRAMP Ready or StateRAMP Authorized. 

4. Find a Government Sponsor or use the StateRAMP Approvals Committee

Organizations pursuing StateRAMP Authorized status must have an authorizing government official approve their security package. That means, the organization must secure government sponsorship on their own or leverage the StateRAMP Approvals Committee. This committee can serve as the organization’s appointed sponsor and confirm their security package meets all StateRAMP requirements.

*This step is not required for organizations pursuing StateRAMP Ready status.

5. Engage a Third-Party Assessment Organization

First, choose from the list of StateRAMP Approved Assessors. These certified independent assessors or third party assessment organizations, known as 3PAOs, are responsible for performing initial and periodic assessments of your products and solutions to ensure you meet the StateRAMP security standards required by state and local governments.

The 3PAO you select will complete a Security Assessment Plan (SAP), Readiness Assessment Report (RAR), and/or Security Assessment Report (SAR) and evaluate your compliance posture.

6. Compile documentation

Documentation requirements differ based on the relevant verification status. If you’re pursuing Ready status, you must have 50% of your documentation completed before the 3PAO can complete the Readiness Assessment Report (RAR). 

If you’re preparing for your StateRAMP Authorization Review, you’ll need the following completed documentation: 

• System Security Plan (SR-SSP)
• Security Assessment Plan (SR-SAP)
• Readiness Assessment Report (RAR) (SR-RAR) [only for Ready Status]
• Security Assessment Report (SAR) (SR-SAR) [only for Authorized Status] 
• Security Controls Matrix (SR-SCM)
• Plan of Actions and Milestones (POA&M)
• Any other documents requested by the 3PAO to complete the SR-SAP and SR-SAR

7. Submit a Security Review Request

Once you compile all required documentation, you must complete the StateRAMP Security Review Request Form. You can then submit your completed documentation and payment of a StateRAMP Authorized review fee to the StateRAMP PMO team. After those are received, the team will update your status on the Authorized Product List (APL) to Pending.

On average, it takes a few weeks to complete a review. 

8. Obtain StateRAMP Authorized Verified Status

After evaluation, your organization will receive its Authorized status and be added to the Approved Vendor List.

Note that this status depends on whether:

• The 3PAO attests to your readiness
• The StateRAMP PMO has verified that your product meets all of the mandatory requirements and critical controls
• Any outstanding issues or inquiries have been resolved

9. Establish Continuous Monitoring Practices

Work with your 3PAO to define the appropriate continuous monitoring approach. Each month you’ll need to: 

• Complete your plans of actions and milestones (POAM) document
• Update your vulnerability scans and inventory worksheet
• Submit a monthly report to the StateRAMP PMO for review

Simplifying and streamlining government compliance with Secureframe

Achieving compliance with rigorous frameworks like StateRAMP requires a significant amount of time and resources. You’ll need to complete a risk assessment and gap analysis, select and implement controls, write policies, train staff, and collect documentation and evidence for your assessor. And once that’s done, you’ll have to implement ongoing assessments and continuous monitoring to maintain compliance. 

Compliance automation platforms like Secureframe can significantly cut down on the amount of time and effort it takes to complete these manual tasks, freeing up your team to focus on strategic objectives.

Below are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks like NIST 800-53, NIST 800-171, TX-RAMP 3.0, and CMMC, which can which could significantly simplify and speed up time-to-compliance with StateRAMP.

Government and federal compliance expertise

Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step. 

Integrations with federal cloud products

Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.

Prebuilt and custom policies and templates

Secureframe provides templated policies, procedures, and SSPs and additional templates including Separations of Duties Matrix, POA&M documents, Impact Assessments, and readiness checklists. These are customizable so organizations quickly build out their policy library and compile required documentation. 

Trusted 3PAO partner network

Secureframe has strong relationships with respected auditing firms that are certified Third Party Assessment Organizations (3PAOs) and can support audits such as CMMC and CJIS, including Schellman and Prescient Security. 

Cross-mapping across frameworks

NIST 800-53 has many overlapping requirements with StateRAMP, NIST 800-171, FedRAMP, TX-RAMP, CJIS, and other government frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for one framework to others so you’re never duplicating efforts. 

Continuous monitoring

By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance. You can specify test intervals and notifications for required regular tasks to maintain compliance. You can also use our Risk Register and Risk Management capabilities to support your continuous monitoring efforts and POA&M maintenance. 

To learn more about how Secureframe can help you comply with government and federal frameworks, schedule a demo with a product expert.