StateRAMP Frequently Asked Questions
Transparency. Standardization. Community.
StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
The StateRAMP Marketplace is a list of service providers published on the StateRAMP website who have obtained a StateRAMP security status, StateRAMP-approved 3PAOs, and service providers with FedRAMP Authorization.
The StateRAMP Marketplace gives governments and procurement officials confidence in their service provider’s data security capabilities and provides a central location for sourcing service providers using or offering IaaS, SaaS, and/or PaaS solutions that processes, stores, and/or transmit government data including PII, PHI, and/or PCI who are StateRAMP verified.
StateRAMP is governed by a Board of Directors comprised of a majority of state and local government officials and organized under the Indiana Nonprofit Corporations Act as a domestic nonprofit organization.
StateRAMP simplifies security by providing state and local governments a common method for verification of cloud security.
With StateRAMP, Procurement Officials, Privacy Officers, and Information Security Officers can be confident that government-selected third party providers using or offering IaaS, SaaS, and/or PaaS solutions that processes, stores, and/or transmit government data including PII, PHI, and/or PCI, meet and maintain the government’s published cybersecurity policies.
StateRAMP documentation is maintained on the StateRAMP website documents page. Opportunities for public comment periods will be communicated via a number of methods, including the StateRAMP website and the StateRAMP mailing list which you can subscribe to using the form in the footer.
Registering for a StateRAMP account is the first step in the StateRAMP process.
To get an account set up, please contact email@example.com.
StateRAMP is a non-profit governed by a majority of state and local government officials, who adopt policies that guide the security verification requirements and process. Committees help inform the policies and provide opportunities for participation from those in both the public and private sectors. Committees include: Nominating, Standards & Technical, Appeals and Corporate Community.
If you are interested in learning more about participation, please contact firstname.lastname@example.org.
We will soon be publishing a Service Provider Get Started Guide. This document will provide an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.
To get started, please review the Government Get Started Guide. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.
StateRAMP Requirements & Process
Technology (NIST) in the Special Publication 800-53 Revision 4. The controls outlined in the NIST SP 800-53 Revision 4 address all major known security risks for information systems and cloud systems.
State and local governments may require service providers to engage with StateRAMP and obtain a StateRAMP security status at any time. Service providers are encouraged to seek a StateRAMP Ready status independent of any RFP publication.
There are six StateRAMP security statuses: Active, Pending Ready, Ready, In Process, Provisional, and Authorized. Each security status indicates a greater level of verified security capabilities, preparedness, government approval, and continuous monitoring activities.
StateRAMP Ready status and StateRAMP Authorized status are two different statuses service providers can obtain at different stages in the StateRAMP verification process. Service providers with a StateRAMP Ready status must still undergo additional security and system validation while service providers with a StateRAMP Authorized status have completed all security and system validation and the government has accepted the provider’s completed Security Package.
Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration but is found to meet most but not all security requirements. Providers with a Provisional Status comply with continuous monitoring requirements and submit further documentation in order to obtain Authorization.
Service providers who have successfully registered with StateRAMP and achieved a StateRAMP Ready, Provisional, or Authorized status may use the StateRAMP logo.
Service Providers who have successfully registered with StateRAMP and have obtained any StateRAMP security status may use the corresponding security status badge at any time.
State and local governments can review a list of all service providers registered with StateRAMP and their current security status by visiting the StateRAMP Marketplace (launching Q2 2021).
A government interested in learning more about a specific service provider’s security package may complete an information request form. The service provider must provide authorization for any information to be released.
No, using an infrastructure with a StateRAMP Authorized status does not automatically make the service provider’s system StateRAMP compliant. Each layer (e.g. IaaS, PaaS, and SaaS) must be evaluated on its own for the provider to obtain a StateRAMP Authorized status. However, when the software sits on an infrastructure with a StateRAMP Approved status, it will inherit all security controls from the system with the Authorized status and this can be included and explained in the service provider’s documentation.
A service provider may execute “on the spot” fixes during an assessment conducted by the 3PAO. However, these changes should still be reported in the StateRAMP Security Assessment Report (SR-SAR) and discovered, addressed, and verified by the 3PAO.
Any 3PAO certified by the American Association of Laboratory Accreditation (A2LA) to the requirements of ISO/IEC 17020:2012 Requirements for the Operations of Various Types of Bodies Performing Inspection and accepted by FedRAMP is an accepted StateRAMP 3PAO. More information on becoming an accredited 3PAO may be found on the A2LA website.
Service providers pursing a StateRAMP Ready status are responsible for contracting with and paying for the 3PAO of their choice. The payment of a 3PAO once a service provider has contracted with a State is determined by the State, though typically the service provider pays for the remaining 3PAO assessment.
The A2LA certification ensures 3PAO independence is maintained regardless of who pays for the assessment(s).
Yes. A service provider may partner with any 3PAO or consulting firm to prepare for the StateRAMP assessment.
Only Security Packages and assessment results submitted by an approved StateRAMP 3PAO will be considered when assigning StateRAMP security status.
Partnering with a non-accredited 3PAO prior to the approved 3PAOs assessment does not guarantee the approved 3PAO will validate the service provider’s solution
Service providers must work with a StateRAMP approved 3PAO for annual assessments of its system and to evaluate the impact of some significant changes made by the service provider to its system, platform, and/or service offering.
As part of the StateRAMP requirements, state and local governments are responsible for reviewing and approving the continuous monitoring reports and activities submitted by all service providers monitored by the StateRAMP PMO.
The service provider is responsible for submitting monthly and quarterly reporting to the StateRAMP PMO and partnering with the 3PAO of their choice to submit an annual security assessment. Governments have ultimate responsibility over the ongoing approval of a StateRAMP Authorized status for the providers SaaS, IaaS, or PaaS solution used by the government.
A service provider has 30 days for remediating high POA&M items, 90 days for remediating moderate POA&M items, and 180 days to remediate low POA&M items.