A Deep Dive into StateRAMP Security Statuses

by

Liz Huston
Liz Huston

StateRAMP simplifies cloud security for Government Entities and their Third Party Cloud Suppliers and publishes an Authorized Product List (APL) at www.stateramp.org, updated daily.

The APL includes cloud offerings that are working toward and have achieved a StateRAMP Authorization to verify compliance with NIST 800-53 standards.

To be listed, products must meet security requirements set forth by our Governing Committees and Board, have an independent audit and comply with monthly and annual continuous monitoring requirements.  We cover the process more fully in our monthly Getting Started Webinars, and we also share recent recordings of these sessions at www.stateramp.org/video-library.

  • Interested in TX-RAMP? StateRAMP Authorized Products are automatically recognized by TX-RAMP, with our weekly automated sync. That means StateRAMP Authorized Products appear on the TX-RAMP list with ease.
  • For Products with a FedRAMP Authorization, StateRAMP provides a Fast Track option, so that no new audit is necessary.

Our Team is always available to answer questions at info@stateramp.org.

What is included on our Authorized Product List? 

Six security statuses are recognized on the Authorized Product List. The statuses are separated into two lists based on whether they are progressing or verified offerings. Continue reading to dive deeper into what each status means.

Verified Offerings & Continuous Monitoring

StateRAMP recognizes three verified statuses, including Ready, Provisional, and Authorized.

Once a product has achieved a verified status, the product’s security posture is monitored according to the continuous monitoring requirements, which can be found on www.stateramp.org/templates-resources.

Continuous monitoring includes monthly reporting from the provider to the Security Team at our Program Management Office (PMO) and an annual independent audit.

This Continuous Monitoring helps ensure that cloud products utilized by government maintain a strong cyber compliance. Participating StateRAMP Governments may be granted access to view continuous monitoring reporting with provider approval.

Authorized

Authorized is the highest verification level. An Authorized status shows the product has a proven and complete security package that includes a System Security Plan (SSP) and Boundary Diagram, for example, along with all required documentation and policies and procedures. The provider has also completed and submitted an independent audit called a Security Assessment Report (SAR) that is conducted by one of our StateRAMP Third Party Assessing Organizations (3PAOs). The audit evaluates compliance with the NIST 800-53 required controls, in addition to penetration testing and other reviews. A SAR Template for the Audit report can be found on our resources page.  The final step in attaining an Authorized Status is the approval by the Approvals Committee or a Government Sponsor, who affirm the security package meets the requirements for Government.

Provisional

A Provisional status may be assigned by a sponsoring government if the provider has submitted a security package for Authorization consideration, but is found to meet most, but not all security requirements. Providers with a Provisional status comply with continuous monitoring requirements and an additional assessment may be required to obtain Authorization.

Ready

A Ready status indicates that the product meets StateRAMP’s Minimum Mandatory Requirements and most critical controls. The Ready requirements are published here and vary by Impact Level for Low or Moderate/High.  The security package for Ready includes a Readiness Assessment Report (RAR) submitted by a StateRAMP 3PAO, attesting to the minimum mandates. The required Ready documentation, including boundary diagram, inventory worksheet, roles and permissions matrix, must be included in the security package provided to our Security Team with our StateRAMP Program Management Office (PMO).

Progressing Offerings

StateRAMP recognizes cloud service offerings in the process of working toward a verified offering. To have a product be listed as in progress, the Service Provider must be engaged with a Third-Party Assessment Organization (3PAO) to conduct an independent audit. The progressing statuses include Active, In Process, and Pending.

Active

An Active status signals that a provider is working towards Ready. To be Active, the Service Provider has engaged with a 3PAO for a Readiness Assessment Report (RAR).

In Process

An In Process status shows a service provider is working toward Authorized. This status may be assigned before a product passes the minimum requirements for Ready, if the Service Provider has engaged with a 3PAO for a Security Assessment Report (SAR).

Pending

A “Pending” status is used to describe a Service Provider who has submitted a product’s security package to the StateRAMP PMO and is awaiting a determination for a verified status. Their 3PAO audit is completed, and they have completed their initial intake call with the StateRAMP PMO team.

To begin working with our Security Team at the Program Management Office (PMO), become a member and submit a Security Review Request form today!

If you have any questions about the verification process, please contact us at info@stateramp.org.

If you have specific questions about your product’s environment, please contact our security team at the Program Management Office at pmo@stateramp.org.

Share: