What is StateRAMP?
StateRAMP was created by over a dozen state CIOs, CISOs, and Privacy Officers as a non-profit, public private partnership organization. It brings state and local governments together to create a common method for verifying the cloud security and managing third party risk of providers using or offering IaaS, SaaS, and/or PaaS solutions that processes, stores, and/or transmit government data including PII, PHI, and/or PCI.
StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
What is the StateRAMP Marketplace?
The StateRAMP Marketplace is a list of service providers published on the StateRAMP website who have obtained a StateRAMP security status, StateRAMP-approved 3PAOs, and service providers with FedRAMP Authorization.
The StateRAMP Marketplace gives governments and procurement officials confidence in their service provider’s data security capabilities and provides a central location for sourcing service providers using or offering IaaS, SaaS, and/or PaaS solutions that processes, stores, and/or transmit government data including PII, PHI, and/or PCI who are StateRAMP verified.
How is StateRAMP organized?
StateRAMP is governed by a Board of Directors comprised of a majority of state and local government officials and organized under the Indiana Nonprofit Corporations Act as a domestic nonprofit organization.
How does StateRAMP help make cloud computing more secure for state governments?
StateRAMP simplifies security by providing state and local governments a common method for verification of cloud security.
With StateRAMP, Procurement Officials, Privacy Officers, and Information Security Officers can be confident that government-selected third party providers using or offering IaaS, SaaS, and/or PaaS solutions that processes, stores, and/or transmit government data including PII, PHI, and/or PCI, meet and maintain the government’s published cybersecurity policies.
Where is StateRAMP documentation maintained and how is the StateRAMP community notified of new documents posted for public comment?
StateRAMP documentation is maintained on the StateRAMP website documents page. Opportunities for public comment periods will be communicated via a number of methods, including the StateRAMP website and the StateRAMP mailing list which you can subscribe to using the form in the footer.
How can I sign up for a StateRAMP overview session to learn more?
To learn more about StateRAMP, how to begin the verification process, or how to adopt StateRAMP policies, please contact
How do I register for a StateRAMP account?
Registering for a StateRAMP account is the first step in the StateRAMP process.
To get an account set up, please contact firstname.lastname@example.org.
How can I get involved in StateRAMP?
StateRAMP is a non-profit governed by a majority of state and local government officials, who adopt policies that guide the security verification requirements and process. Committees help inform the policies and provide opportunities for participation from those in both the public and private sectors. Committees include: Nominating, Standards & Technical, Appeals and Corporate Community.
If you are interested in learning more about participation, please contact email@example.com.
My company is interested in obtaining a StateRAMP Ready status for one of our existing cloud products. How do I get started?
We will soon be publishing a Service Provider Get Started Guide. This document will provide an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.
My State is interested in including StateRAMP requirements in our next RFP. How do we get started?
To get started, please review the Government Get Started Guide. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.
Requirements & Process
What is the NIST SP 800-53 Revision 4 and what security risk concerns do the security controls address?
Technology (NIST) in the Special Publication 800-53 Revision 4. The controls outlined in the NIST SP 800-53 Revision 4 address all major known security risks for information systems and cloud systems.
Is StateRAMP mandatory for service providers?
State and local governments may require service providers to engage with StateRAMP and obtain a StateRAMP security status at any time. Service providers are encouraged to seek a StateRAMP Ready status independent of any RFP publication.
What are the different StateRAMP security statuses?
There are six StateRAMP security statuses: Active, Pending Ready, Ready, In Process, Provisional, and Authorized. Each security status indicates a greater level of verified security capabilities, preparedness, government approval, and continuous monitoring activities.
What is the distinction between StateRAMP Ready, StateRAMP Authorized, and StateRAMP Provisional status?
StateRAMP Ready status and StateRAMP Authorized status are two different statuses service providers can obtain at different stages in the StateRAMP verification process. Service providers with a StateRAMP Ready status must still undergo additional security and system validation while service providers with a StateRAMP Authorized status have completed all security and system validation and the government has accepted the provider’s completed Security Package.
Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration but is found to meet most but not all security requirements. Providers with a Provisional Status comply with continuous monitoring requirements and submit further documentation in order to obtain Authorization.
What are the requirements to use the StateRAMP logo or a security status badge?
Service providers who have successfully registered with StateRAMP and achieved a StateRAMP Ready, Provisional, or Authorized status may use the StateRAMP logo.
Service Providers who have successfully registered with StateRAMP and have obtained any StateRAMP security status may use the corresponding security status badge at any time.
Who can see a service provider's completed security package?
State and local governments can review a list of all service providers registered with StateRAMP and their current security status by visiting the StateRAMP Marketplace.
A government interested in learning more about a specific service provider’s security package may complete an information request form. The service provider must provide authorization for any information to be released.
If a SaaS or PaaS resides on an infrastructure with a StateRAMP Authorized status, does that mean the SaaS or PaaS automatically has a StateRAMP Authorized status?
No, using an infrastructure with a StateRAMP Authorized status does not automatically make the service provider’s system StateRAMP compliant. Each layer (e.g. IaaS, PaaS, and SaaS) must be evaluated on its own for the provider to obtain a StateRAMP Authorized status. However, when the software sits on an infrastructure with a StateRAMP Approved status, it will inherit all security controls from the system with the Authorized status and this can be included and explained in the service provider’s documentation.
During an assessment, are "on the spot" fixes acceptable or will any changes still be included in the security assessment?
A service provider may execute “on the spot” fixes during an assessment conducted by the 3PAO. However, these changes should still be reported in the StateRAMP Security Assessment Report (SR-SAR) and discovered, addressed, and verified by the 3PAO.
How does a company become an accepted StateRAMP 3PAO, how is the independence and quality of a 3PAO validated, and who pays for the 3PAO services?
Any 3PAO certified by the American Association of Laboratory Accreditation (A2LA) to the requirements of ISO/IEC 17020:2012 Requirements for the Operations of Various Types of Bodies Performing Inspection and accepted by FedRAMP is an accepted StateRAMP 3PAO. More information on becoming an accredited 3PAO may be found on the A2LA website.
Service providers pursing a StateRAMP Ready status are responsible for contracting with and paying for the 3PAO of their choice. The payment of a 3PAO once a service provider has contracted with a State is determined by the State, though typically the service provider pays for the remaining 3PAO assessment.
The A2LA certification ensures 3PAO independence is maintained regardless of who pays for the assessment(s).
Can a non-accredited 3PAO provide consulting services for a service provider prior to an accredited 3PAO conducting an official assessment for StateRAMP?
Yes. A service provider may partner with any 3PAO or consulting firm to prepare for the StateRAMP assessment.
Only Security Packages and assessment results submitted by an approved StateRAMP 3PAO will be considered when assigning StateRAMP security status.
Partnering with a non-accredited 3PAO prior to the approved 3PAOs assessment does not guarantee the approved 3PAO will validate the service provider’s solution
What is the role of the 3PAO in continuous monitoring?
Service providers must work with a StateRAMP approved 3PAO for annual assessments of its system and to evaluate the impact of some significant changes made by the service provider to its system, platform, and/or service offering.
Who is responsible for the continuous monitoring and ongoing approval of cloud systems who have been awarded a StateRAMP Authorized status?
As part of the StateRAMP requirements, state and local governments are responsible for reviewing and approving the continuous monitoring reports and activities submitted by all service providers monitored by the StateRAMP PMO.
The service provider is responsible for submitting monthly and quarterly reporting to the StateRAMP PMO and partnering with the 3PAO of their choice to submit an annual security assessment. Governments have ultimate responsibility over the ongoing approval of a StateRAMP Authorized status for the providers SaaS, IaaS, or PaaS solution used by the government.
How long does a service provider have to remediate a POA&M and does this apply to all system levels?
A service provider has 30 days for remediating high POA&M items, 90 days for remediating moderate POA&M items, and 180 days to remediate low POA&M items.