How to Achieve StateRAMP Ready Status

by

Liz Huston
Liz Huston

Learn more about the minimum mandatory security requirements providers need to achieve for their product to be listed as Ready on the Authorized Vendor List.

StateRAMP Security Statuses

StateRAMP is designed to allow service providers to progress through six security statuses, including: Active, In Process, Pending, Ready, Provisional, and Authorized. To achieve a Ready status, service providers must meet the minimum mandatory requirements outlined in StateRAMP’s Minimum Mandatory Security Requirements document.

To learn more about the StateRAMP security statuses:

StateRAMP developed the baseline requirements for Ready with input from government employees, third party assessment organizations, cloud service providers, and security experts. Our goal is to help mature and grow the service provider community and in doing so, improve the cyber posture of state and local governments. StateRAMP will verify that providers meet the intent of security requirements as appropriate and fit for purpose.

How are the StateRAMP Minimum Mandatory baselines different from FedRAMP?

StateRAMP security standards are built on the same NIST 800-53 Rev. 4 controls used by FedRAMP. The StateRAMP Minimum Mandatory requirements were developed by examining every single security control and assessing the rigidity of the standard and the specific application for state and local governments. Providers who meet the Minimum Mandatory standards for Ready will have established a foundation for security which can continue to be built upon as the provider words towards a full StateRAMP Authorized status. Providers can achieve Ready status without a government sponsor and with confidence they have necessary security precautions to protect government data.

To achieve Ready Status…

A service provider must meet the 25 Minimum Mandatory Requirements which include controls such as single sign on, vulnerability scans, and backup power generation.

To obtain Ready Status, the provider must complete…

  • Required Ready documentation including boundary diagram, inventory worksheet, and roles and permissions matrix
  • At minimum, 50% or 21 of the StateRAMP documents
  • StateRAMP Readiness Assessment Report

Download a copy of the StateRAMP Minimum Mandatory Requirements for Ready https://stateramp.org/wp-content/uploads/2021/09/StateRAMP-Minimum-Mandates-for-Ready-Status.pdf

What is a Readiness Assessment Report?

The StateRAMP Readiness Assessment Report (RAR) identifies clear and objective security capability requirements, while also allowing for the presentation of subjective information. The requirements enable the provider’s third party assessment organization (3PAO) to concisely identify whether a service provider is achieving the most important StateRAMP Moderate baseline requirements. The combination of objective requirements and subjective information enables StateRAMP to render a readiness decision based on a more complete understanding of the service provider’s security capabilities.

The RAR is completed by a service provider’s third party assessment organization. A 3PAO should only submit a RAR to StateRAMP if it determines the service provider’s system is fully ready to pursue, and likely to achieve, a StateRAMP Ready status.

Download a copy of the StateRAMP Readiness Assessment Report https://stateramp.org/wp-content/uploads/2021/05/SR_RAR_TEM_202104.docx

What is a Security Assessment Report?

While a StateRAMP Security Assessment Report (SAR) is not required to achieve Ready status, it is necessary for a product to achieve a StateRAMP Authorized status. The SAR is intended to be used by 3PAOs to record vulnerabilities and risks to service provider systems. Then, government officials may use the completed version to make risk-based decisions.

The full security assessment provides descriptions about the system, assessment methodology, and security assessment results. A SAR also provides information on acceptable non-conforming controls and risks known in interconnected systems.

Download a copy of the StateRAMP Security Assessment Report

https://stateramp.org/wp-content/uploads/2021/05/SR_SAR_TEM_202104.docx 

Why the StateRAMP Minimum Requirements Work

The Steering Committee spent the majority of 2020 combing through NIST 800-53 Rev.4, carefully selecting the most important controls for state and local governments. The controls they selected as minimum requirements are more than enough to secure state and local data. Governments can be confident that providers who have achieved a StateRAMP Ready status have gone through a rigorous evaluation process and can protect the government’s data.

Baseline Security Controls: https://stateramp.org/wp-content/uploads/2021/03/StateRAMP-Security-Controls-Summary-Adopted-1.pdf    

For more information about continuous monitoring: https://stateramp.org/wp-content/uploads/2021/09/StateRAMP-Continuous-Monitoring-Guide_Adopted.pdf  

Service Provider Overview Webinar: https://youtu.be/sYJIqu2DXHA

StateRAMP Security Statuses

StateRAMP is designed to allow service providers to progress through six security statuses, including: Active, In Process, Pending, Ready, Provisional, and Authorized. To achieve a Ready status, service providers must meet the minimum mandatory requirements outlined in StateRAMP’s Minimum Mandatory Security Requirements document.

Click here to view the security statuses.

To learn more about the StateRAMP security statuses:

StateRAMP developed the baseline requirements for Ready with input from government employees, third party assessment organizations, cloud service providers, and security experts. Our goal is to help mature and grow the service provider community and in doing so, improve the cyber posture of state and local governments. StateRAMP will verify that providers meet the intent of security requirements as appropriate and fit for purpose.

How are the StateRAMP Minimum Mandatory baselines different from FedRAMP?

StateRAMP security standards are built on the same NIST 800-53 Rev. 4 controls used by FedRAMP. The StateRAMP Minimum Mandatory requirements were developed by examining every single security control and assessing the rigidity of the standard and the specific application for state and local governments. Providers who meet the Minimum Mandatory standards for Ready will have established a foundation for security which can continue to be built upon as the provider words towards a full StateRAMP Authorized status. Providers can achieve Ready status without a government sponsor and with confidence they have necessary security precautions to protect government data.

To achieve Ready Status…

A service provider must meet the 25 Minimum Mandatory Requirements which include controls such as single sign on, vulnerability scans, and backup power generation.

To obtain Ready Status, the provider must complete…

  • Required Ready documentation including boundary diagram, inventory worksheet, and roles and permissions matrix
  • At minimum, 50% or 21 of the StateRAMP documents
  • StateRAMP Readiness Assessment Report

Download a copy of the StateRAMP Minimum Mandatory Requirements for Ready https://stateramp.org/wp-content/uploads/2021/09/StateRAMP-Minimum-Mandates-for-Ready-Status.pdf

What is a Readiness Assessment Report?

The StateRAMP Readiness Assessment Report (RAR) identifies clear and objective security capability requirements, while also allowing for the presentation of subjective information. The requirements enable the provider’s third party assessment organization (3PAO) to concisely identify whether a service provider is achieving the most important StateRAMP Moderate baseline requirements. The combination of objective requirements and subjective information enables StateRAMP to render a readiness decision based on a more complete understanding of the service provider’s security capabilities.

The RAR is completed by a service provider’s third party assessment organization. A 3PAO should only submit a RAR to StateRAMP if it determines the service provider’s system is fully ready to pursue, and likely to achieve, a StateRAMP Ready status.

Download a copy of the StateRAMP Readiness Assessment Report https://stateramp.org/wp-content/uploads/2021/05/SR_RAR_TEM_202104.docx

What is a Security Assessment Report?

While a StateRAMP Security Assessment Report (SRA) is not required to achieve Ready status, it is necessary for a product to achieve a StateRAMP Authorized status. The SAR is intended to be used by 3PAOs to record vulnerabilities and risks to service provider systems. Then, government officials may use the completed version to make risk-based decisions.

The full security assessment provides descriptions about the system, assessment methodology, and security assessment results. A SAR also provides information on acceptable non-conforming controls and risks known in interconnected systems.

Download a copy of the StateRAMP Security Assessment Report

https://stateramp.org/wp-content/uploads/2021/05/SR_SAR_TEM_202104.docx 

Why the StateRAMP Minimum Requirements Work

The Steering Committee spent the majority of 2020 combing through NIST 800-53 Rev.4, carefully selecting the most important controls for state and local governments. The controls they selected as minimum requirements are more than enough to secure state and local data. Governments can be confident that providers who have achieved a StateRAMP Ready status have gone through a rigorous evaluation process and can protect the government’s data.

Baseline Security Controls: https://stateramp.org/wp-content/uploads/2021/03/StateRAMP-Security-Controls-Summary-Adopted-1.pdf    

For more information about continuous monitoring: https://stateramp.org/wp-content/uploads/2021/09/StateRAMP-Continuous-Monitoring-Guide_Adopted.pdf  

Service Provider Overview Webinar: https://youtu.be/sYJIqu2DXHA

Share:

Share on facebook
Share on twitter
Share on linkedin