Clarifying StateRAMP Review and Continuous Monitoring Processes

by Liz Huston

To address recent confusion surrounding the StateRAMP Ready and Authorization review and continuous monitoring processes, we’d like to provide a clear and comprehensive explanation of what is shared and how these processes unfold. StateRAMP has been designed to bring clarity and efficiency to cloud security assessment and compliance, and understanding how it works is essential for both government entities and cloud service providers.

Review Process Overview

During the StateRAMP review process, documents such as the System Security Plan (see full list of documentation here) are required from the cloud service provider. These documents are then uploaded into a FedRAMP-moderate portal, where access is restricted to the StateRAMP Program Management Office (PMO). This controlled environment ensures the confidentiality and security of the documentation.

Government Access

Government entities have the option to request access to these documents. To do so, they must submit a request through a designated form. While the PMO will handle sharing the requests for access, all decision-making power as to whether to approve or deny the request lies with the service provider. Upon approval, government entities are granted viewer access only. If the government entities do not access the portal within a year, they will be automatically removed. To maintain a streamlined and up-to-date process, it is the responsibility of government entities to promptly inform the StateRAMP staff if any individuals need to be removed from the access list. Providers also have the option to share only the executive summary with government entities.

Continuous Monitoring Process

The continuous monitoring process mirrors the review process. Providers are required to upload continuous monitoring scan results, inventory documentation, and Plan of Action and Milestones (POAM) documents. Then, the StateRAMP PMO prepares an executive summary. Government entities, once granted access, have the flexibility to access the entire documentation package or choose to review only the executive summary. This flexibility is designed to accommodate the specific needs of each government entity. What the government entity has access to is based on what was initially requested and approved through the request process. If an event should occur, there will be a proactive notification to governments who have been granted access, as outlined in our Continuous Monitoring Escalation Guide.

Sponsorship

For products under review with Authorization status, a government sponsor or review by the StateRAMP Approvals Committee is required. In either situation, the StateRAMP PMO validates and verifies that the security package meets the StateRAMP requirements for Authorization. The government sponsor or Approvals Committee is then provisioned access to review the PMO’s Executive Summary and recommendation for status award. Authorizing officials, in either case, receive access to the entire documentation package and continuous monitoring information. However, it’s crucial to note that their access is limited to the duration of their determination process. Once they have made their decision, the PMO will migrate the documents out of the shared folder and into the archives, marking the completion of the sponsor’s review.

The same guidance applies to products going through the Fast Track Process, except that they will submit their templates in FedRAMP formatting. This process is aimed at enhancing the efficiency and transparency of cloud procurement and compliance. It ensures that government entities and cloud service providers have clear guidelines and a standardized framework for evaluating cloud security. By offering clarity in shared access and detailed documentation requirements, StateRAMP strives to streamline and simplify cloud security assessments, making it a valuable resource for modernization and secure cloud adoption.