Definition and purpose

StateRAMP was created to provide a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

By providing service organizations with clear standards and guidelines for building, maintaining, and continually improving a strong cybersecurity posture, StateRAMP helps service organizations build trust and secure customers within state and local governments and higher education institutions.

StateRAMP has four primary purposes:

• to help state and local government, public education institutions and special districts protect citizen data
• To save taxpayer and vendor dollars with a "verify once, serve many” model
• to lessen the burdens on Government; and (4) promote education and best practices in
• cybersecurity among those it serves in industry and the government communities.

Governing Body

StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. This organization is responsible for developing standards for cloud security as well as a common method for verifying the cloud security of vendors who use or offer cloud solutions that process, store, and/or transmit government data.

Last updated

StateRAMP was first chartered in early 2020 by a steering committee of government and industry leaders.

It most recently released a new early-stage security maturity assessment tool for cloud products known as StateRAMP Security Snapshot in December 2022. The intent of the security snapshot criteria is to offer providers a first step toward achieving a verified StateRAMP Security status.

Applies to

StateRAMP is designed for service providers who work with local and state government agencies, and higher education institutions, including IaaS, PaaS, and SaaS solutions.

Controls and requirements

Like FedRAMP, StateRAMP uses the National Institute of Standards and Technology (NIST) 800-53 framework to evaluate vendors and their cybersecurity practices. Both use NIST 800-53 requirements as their evaluation criteria, along with NIST impact levels (Low, Moderate, High) to assess controls. 

Cloud service providers (CSPs) that want to be included in the StateRAMP Authorized Product List must implement controls assigned to their respective security control baseline and undergo an audit by a third-party assessment organization (3PAO). 

Please visit www.stateramp.org/templates-resources for more details into the requirements.

Audit type, frequency, and duration

To obtain a StateRAMP security status, service organizations must undergo independent audits that are conducted by 3PAOs. 

To maintain this status, service organizations must submit monthly and quarterly reporting to the StateRAMP Program Management Office and partner with the 3PAO of their choice to submit an annual security assessment of their systems.