Introducing Authorized Product List 2.0

by Liz Huston

New updates are coming soon to the StateRAMP Authorized Product List (APL). These changes will increase the value of information included on the APL by providing an updated user interface which allows users to easily get information about a product’s position in the StateRAMP pipeline. The most notable changes relate to the introduction of a new Federal JAB status and separate lists for verified and progressing products. Our leadership teams have also approved a 90-day engagement policy to ensure the information on the APL is an accurate representation of products’ path to achieving a Ready or Authorized status.

New User Interface

 

To allow users to quickly and easily decipher where products are in the StateRAMP verification process, products will now be displayed in three distinct lists: Verified Products, Progressing Products, and Federal JAB products.

  • Verified Products: Products with a status of Ready, Provisionally Authorized or Authorized.
  • Progressing Products: Products with a status of Active, In Process, or Pending.
  • Federal JAB Attestations: Products that have achieved a FedRAMP Authorization via the Joint Authorization Board (JAB).

As products achieve certain milestones in the StateRAMP verification process, they will move from the Progressing Products list to the Verified Products list.

Federal JAB Status

 

In an effort to provide recognition to those providers whose products have achieved a FedRAMP Authorization through Joint Authorization Board (JAB) approval, a new Federal JAB status has been created for providers who wish to list their product on the StateRAMP website.

Products with a FedRAMP ATO from the JAB have undergone a rigorous audit and review from both a Third Party Assessment Organization and the FedRAMP JAB. Our team wishes to highlight their efforts and provide an avenue for these products to be included on the StateRAMP website. Those providers with only a FedRAMP JAB award can receive the JAB Attestation badge and can request to include their products on the Federal JAB Attestations list. Providers interested in obtaining a Federal JAB status must still become a member of StateRAMP.

Products that have been awarded both a StateRAMP Authorized and Federal JAB status will be included on the Verified Products list as Authorized, Federal JAB. It is important to recognize the hard work of providers who went through both audits, and we are grateful for their commitment to continuous improvement.

If your product currently has a FedRAMP Authorization issued by the JAB, and you would like to list your product on the StateRAMP website, the application is now open.

90-Day Engagement Policy

StateRAMP Security Status Definitions

When developed the bylaws, charters, and policies to govern StateRAMP in 2020, one of the main objectives was to create an infrastructure that was transparent, standardized, and business friendly. As a result, StateRAMP adopted the use of six  different security statuses to indicate the current security posture and ongoing assessments being completed by providers whose products are pursuing verification through StateRAMP. These statuses include Active, In Process, Pending, Ready, Provisionally Authorized, and Authorized and now also include the Federal JAB status.

When the first iteration of the Authorized Product List was published in 2021, products could be listed with an Active or In Process status for an unlimited amount of time. As soon as a provider had engaged a Third Party Assessment Organization (3PAO) to complete an audit and a Readiness Assessment Report (RAR) or full Security Assessment Report (SAR) for one of their products, that product could be listed on the Authorized Product List as Active or In Process.

To ensure StateRAMP is providing state and local governments, tribal agencies, and public higher education institutions with the resources needed to make informed, risk-based decisions, and to fairly and accurately represent a product’s path to achieve a verified security status, our leadership team has adopted a new, 90-day engagement policy.

Under this new standard, products can only be listed as Active or In Process on the APL for 90 days before the provider needs to have engaged the StateRAMP PMO for a security review. If you have not engaged the PMO for a Ready Review or an Authorization Review within 90 days of listing your product as Active or In Process, your security status will lapse, and your product will be removed from the APL.

Our team understands that there are extenuating circumstances that may cause delays in the process and that completing a 3PAO audit can take some time. If you’re making a good faith effort, and can verify your 3PAO audit is currently underway, you can apply for an extension. These instances will be evaluated on a case-by-case basis.

The changes to the Authorized Product List will go live on Monday June 20, 2022. For questions, contact info@stateramp.org.

Become a member and add your product to the Authorized Product List today!