The first StateRAMP Authorized Vendor List is coming out this summer and we want providers to be prepared!
The Authorized Vendor List is published and maintained on the StateRAMP website and is a list of service providers whose products and solutions have obtained a StateRAMP security status of Active, Ready, In-Process, Provisional, or Authorized.
The StateRAMP Authorized Vendor List gives government and procurement officials confidence in their service provider’s data security capabilities and provides a central location for sourcing StateRAMP verified Infrastructure as a Service (IaaS), Software as a Service (SaaS), and/or Platform as a Service (PaaS) solutions that process, store, and/or transmit government data including PII, PHI, and/or PCI.
Who is eligible for the first Authorized Vendor List?
Service providers who are current StateRAMP members whose product(s) have obtained a StateRAMP security status of Active, Ready, In-process, Provisional, or Authorized will be included in the first Authorized Vendor List.
How do you get a StateRAMP security status?
There are several ways a provider can obtain a security status for their product. Each security status indicates a greater level of verified security capabilities, preparedness, government approval, and continuous monitoring activities.
Once you become a StateRAMP member, the first step is to engage a third party assessment organization (3PAO) to begin completing a Ready Review or Full Security Assessment. Once you’ve started working with a 3PAO, your product(s) can be listed as Active on the Authorized Vendor List.
If you have not yet engaged a state, local, or tribal government agency or public higher education institution (SLED) to act at your sponsoring government, you can still complete a Readiness Assessment and obtain a Ready status.
To obtain an Authorized or Provisional status, a SLED government sponsor is required in addition to the completion of a Full Security Assessment. If you have engaged a SLED sponsor and you’ve begun working with your 3PAO to complete your Full Security Assessment, your product(s) can be listed as In-process on the Authorized Vendor List.
What is a milestone status?
The three milestone statuses include Ready, Authorized, and Provisional. StateRAMP Ready status and StateRAMP Authorized status are two statuses service providers can obtain at different stages in the StateRAMP verification process. Service providers with a StateRAMP Ready status must still undergo additional security and system validation while service providers with a StateRAMP Authorized status have completed all security and system validation. Additionally, StateRAMP Authorized status signals that the government has already accepted the provider’s completed Security Package.
Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration but is found to meet most but not all security requirements. Providers with a Provisional Status comply with continuous monitoring requirements and submit further documentation to obtain Authorization.
How to be included in the first Authorized Vendor List
First, make sure your organization is a StateRAMP member. Once you engage a 3PAO, engage with a sponsoring government, or if your security package has been successfully reviewed by the PMO, submit a Security Status Change Request to update your product’s StateRAMP security status.