Title | Summary | Categories | Link |
---|---|---|---|
3PAO Accreditation Process | StateRAMP recognized FedRAMP authorized third party assessment organizations (3PAOs) to conduct independent audits. | Governance | |
3PAO Package for Moderate Impact with CJIS Overlay | This package includes required templates and sample policies for every NIST 800-53 control family, along with templates for Rules of Behavior, Incident Response Plan, Configuration Management Plan, Information System Contingency Plan, and Supply Chain Risk Management. | | |
Appeals Committee Charter | The Appeals Committee serves as the adjudication board for the Program Management Office determinations. | Governance | |
Baseline Controls | This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024) | Baseline Requirements | |
Center for Digital Government Best Practice Guide for Cloud and As-a-Service Procurements | The Best Practice Guide was created to provide government and industry with consensus-based advice and terms and conditions for cloud solution procurement models. | Government Document | |
Continuous Monitoring Escalation Process | This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program. | Continuous Monitoring | |
Continuous Monitoring Guide | Continuous monitoring review procedures outline the process to examine each monthly package. | Continuous Monitoring | |
Data Classification Tool | This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected. | Baseline Requirements | |
FedRAMP JAB Attestation | In an effort to provide recognition to those providers whose products have achieved a FedRAMP Authorization through Joint Authorization Board (JAB) approval, a new Federal JAB status has been created for providers who wish to list their product on the StateRAMP website. | Governance | |
Get Started With StateRAMP – Government Guide | This guide explains the StateRAMP implementation process for governments. | Government Document | |
Incident Communications Procedures | This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents. | Continuous Monitoring | |
Low Impact Service Provider Package | This package provides service providers with the documentation, policies, procedures and guidelines required to meet StateRAMP security requirements for systems handling low-impact government data. | | |
Minimum Mandates for Ready Status at Low Impact | To achieve StateRAMP Ready status at a Low Impact Level, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Expired 10/1/2024) | Program Document | |
Minimum Mandates for Ready Status at Moderate and High Impact | To achieve StateRAMP Ready status at a Moderate or High Impact Level, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Expired 10/1/2024) | Program Document | |
Moderate Impact Service Provider Package | This package provides service providers with the comprehensive documentation, policies, procedures, and tools needed to meet StateRAMP security requirements for systems processing, storing, or transmitting moderate-impact government data. | | |
Procurement Committee Charter | The purpose of this charter is to define the objectives, membership, decision making, meeting schedule, and roles and responsibilities associated with the StateRAMP Procurement Committee. | Governance | |
Provider Leadership Council Charter | This charter outlines the duties and responsibilities of the StateRAMP Provider Leadership Council. | Governance | |
Ready Minimum Mandatory Requirements for Low Impact Levels | To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 5) | Ready Requirements | |
Ready Minimum Mandatory Requirements for Moderate and High Impact Levels | To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 5) | Ready Requirements | |
Security Assessment Framework | This document describes a general governance and security framework for StateRAMP. | Baseline Requirements | |