Security Assessment Framework
This document describes a general governance and security framework for StateRAMP.
Vulnerability Deviation Request Form
When a service provider identifies a vulnerability that potentially warrants different handling than normally required by StateRAMP, they may submit a deviation request to StateRAMP using this form.
Vulnerability Scan Requirements Guide
This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status.
Incident Communications Procedures
This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.
Significant Change Form Template
Service providers are required to submit this completed form to StateRAMP and receive StateRAMP approval prior to implementing a significant change to a system with an existing StateRAMP Authorization.
Continuous Monitoring Guide
Continuous monitoring review procedures outline the process to examine each monthly package.
Ready Minimum Mandatory Requirements for Low Impact Levels
To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)
Baseline Controls
This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024)
Data Classification Tool
This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.
Continuous Monitoring Escalation Process
This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.