StateRAMP Frequently Asked Questions
Transparency. Standardization. Community.
StateRAMP represents the shared interests of state and local governments, third-party assessment organizations (3PAOs), and service providers with IaaS, SaaS, and PaaS solutions. We believe in the values of transparency, standardization, and community. As an advocate for strong but fair cybersecurity standards, StateRAMP works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
StateRAMP is built on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a "complete once, use many" concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP-approved 3PAOs to conduct assessments.
The StateRAMP Authorized Vendor List (AVL) is a list, published on the StateRAMP website, of service providers that have obtained a StateRAMP security status of Active, In Process, Pending, Ready, Provisional, or Authorized. It gives governments and procurement officials confidence in a service provider's data-security capabilities and provides a central location for sourcing StateRAMP-verified providers that use or offer IaaS, SaaS, and/or PaaS solutions which process, store, and/or transmit government data, including PII, PHI, and/or PCI data. StateRAMP-approved 3PAOs are listed on the Assessors page of the StateRAMP website.
StateRAMP is governed by a Board of Directors composed of a majority of state and local government officials and is organized under the Indiana Nonprofit Corporations Act as a domestic nonprofit 501(c)(6) organization.
StateRAMP simplifies security by providing state and local governments a common method for verification of cloud security.
With StateRAMP, Procurement Officials, Privacy Officers, and Information Security Officers can be confident that government-selected third-party providers using or offering IaaS, SaaS, and/or PaaS solutions that process, store, and/or transmit government data, including PII, PHI, and/or PCI data, meet and maintain the government's published cybersecurity policies.
StateRAMP documentation is maintained on the StateRAMP website documents page. Opportunities for public comment periods will be communicated via a number of methods, including the StateRAMP website and the StateRAMP mailing list which you can subscribe to using the form in the footer.
3PAOs who wish to be listed on the StateRAMP Approved Assessors list must be A2LA-accredited and FedRAMP-approved and may submit the registration form located on the Assessors page of the StateRAMP website.
Any SLED (state, local, education, tribal/territorial) government official or employee with responsibility for information security, information technology, privacy, and/or procurement may become a member of StateRAMP. There is no membership fee and individuals may join by emailing email@example.com or completing the government membership application.
Service providers interested in becoming a StateRAMP Member should complete the service provider membership application. Service provider membership is available for organizations offering and/or using IaaS, PaaS, and/or SaaS solutions which process, store, and/or transmit government data.
StateRAMP is a nonprofit governed by a majority of state and local government officials, who adopt the policies that guide the security verification requirements and process. Committees help inform those policies and provide opportunities for participation from both the public and private sectors. Committees include: Nominating, Standards & Technical, Appeals, and Corporate Community.
If you are interested in learning more about participation, please contact firstname.lastname@example.org.
We will soon be publishing a Service Provider Get Started Guide. This document will provide an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.
To get started, please review the Government Get Started Guide. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.
StateRAMP Requirements & Process
StateRAMP security requirements are based on the controls published by the National Institute of Standards and Technology (NIST) in Special Publication 800-53 Revision 4. The controls outlined in NIST SP 800-53 Revision 4 address the major known security risks for information systems, including cloud systems.
State and local governments may require service providers to engage with StateRAMP and obtain a StateRAMP security status at any time. Service providers are encouraged to seek a StateRAMP Ready status independent of any RFP publication.
Six security statuses are recognized on the Authorized Vendor List (AVL).
Verified Offerings: Ready, Authorized, and Provisional
To be verified, the provider must meet minimum security requirements and provide an independent audit conducted by a third-party assessment organization (3PAO). StateRAMP recognizes three verified statuses: Ready, Provisional, and Authorized. Ready meets the minimum requirements; Provisional exceeds the minimum requirements and includes a government sponsor; Authorized satisfies all requirements and includes a government sponsor. View more about the requirements at www.stateramp.org/templates-resources.
Progressing Offerings: Active, In Process, and Pending
StateRAMP recognizes offerings that are working toward a verified status. To be listed as progressing, the provider must be engaged with a third-party assessment organization (3PAO) for an independent audit. The progressing statuses are Active, In Process, and Pending. Active is working toward Ready; In Process is working toward Authorized; Pending has submitted a security package to the Program Management Office (PMO) and is awaiting a determination for a verified status.
StateRAMP Ready and StateRAMP Authorized are two different statuses that service providers can obtain at different stages of the StateRAMP verification process. Service providers with a Ready status must still undergo additional security and system validation, while service providers with an Authorized status have completed all security and system validation and the sponsoring government has accepted the provider's completed Security Package.
Provisional status may be assigned by a sponsoring state when the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration, but is found to meet most, though not all, of the security requirements. Providers with Provisional status must comply with continuous monitoring requirements and submit further documentation in order to obtain Authorization.
Service providers who have successfully registered with StateRAMP and achieved a StateRAMP Ready, Provisional, or Authorized status may use the StateRAMP logo.
Service providers who have successfully registered with StateRAMP and obtained any StateRAMP security status may use the badge corresponding to that status at any time.
State and local governments can review a list of all service providers registered with StateRAMP and their current security status by visiting the StateRAMP Marketplace (launching Q2 2021).
A government interested in learning more about a specific service provider’s security package may complete an information request form. The service provider must provide authorization for any information to be released.
No, using an infrastructure with a StateRAMP Authorized status does not automatically make the service provider's system StateRAMP compliant. Each layer (e.g. IaaS, PaaS, and SaaS) must be evaluated on its own for the provider to obtain a StateRAMP Authorized status. However, when the software sits on an infrastructure with a StateRAMP Authorized status, it can inherit the security controls that the Authorized infrastructure implements; this inheritance should be identified and explained in the service provider's documentation. Controls that the infrastructure leaves to its customers remain the service provider's responsibility and must still be implemented and assessed at the provider's layer.
A service provider may execute "on the spot" fixes during an assessment conducted by the 3PAO. However, such changes must still be recorded in the StateRAMP Security Assessment Report (SR-SAR) as findings that were discovered, addressed, and then verified by the 3PAO.
Any 3PAO accredited by the American Association for Laboratory Accreditation (A2LA) to the requirements of ISO/IEC 17020:2012, Conformity assessment: Requirements for the operation of various types of bodies performing inspection, and accepted by FedRAMP is an accepted StateRAMP 3PAO. More information on becoming an accredited 3PAO may be found on the A2LA website.
Service providers pursuing a StateRAMP Ready status are responsible for contracting with and paying for the 3PAO of their choice. Once a service provider has contracted with a State, payment of the 3PAO is determined by the State, though typically the service provider pays for the remaining 3PAO assessment.
A2LA accreditation requires that 3PAO independence be maintained regardless of who pays for the assessment(s).
Yes. A service provider may partner with any 3PAO or consulting firm to prepare for the StateRAMP assessment.
Only Security Packages and assessment results submitted by an approved StateRAMP 3PAO will be considered when assigning StateRAMP security status.
Partnering with a non-accredited 3PAO or consulting firm prior to the approved 3PAO's assessment does not guarantee that the approved 3PAO will validate the service provider's solution.
Service providers must work with a StateRAMP-approved 3PAO for annual assessments of their system and to evaluate the impact of significant changes made by the service provider to its system, platform, and/or service offering.
As part of the StateRAMP requirements, state and local governments are responsible for reviewing and approving the continuous monitoring reports and activities submitted by the service providers they use, as monitored by the StateRAMP PMO.
The service provider is responsible for submitting monthly and quarterly reports to the StateRAMP PMO and for partnering with the 3PAO of their choice to submit an annual security assessment. Governments have ultimate responsibility for the ongoing approval of a StateRAMP Authorized status for the provider's SaaS, IaaS, or PaaS solution used by the government.
A service provider has 30 days to remediate High-severity POA&M items, 90 days to remediate Moderate-severity POA&M items, and 180 days to remediate Low-severity POA&M items.
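The remediation windows above are the numbers a ConMon team actually has to track month to month. The following is an added example, not StateRAMP's or the PMO's own tooling: a small tracker that reads a POA&M export, computes each item's deadline from the 30/90/180-day windows, and flags items that are overdue, closed late, or carry a severity the schedule does not define. The CSV layout, the assumption that the clock starts on the date the finding was identified, and the sample findings are all constructed for illustration; confirm the counting rule and any other severity levels with the PMO.

```python
"""POA&M remediation-deadline tracker (added example, not StateRAMP tooling).

Assumptions (not from the FAQ): deadlines count from the date a finding was
identified, and the POA&M export is a CSV with the columns shown below.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows stated in the FAQ, keyed by severity.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed sample export; these are not real findings.
SAMPLE_POAM_CSV = """poam_id,severity,identified,closed
POAM-001,High,2024-01-10,
POAM-002,Moderate,2024-01-10,2024-03-01
POAM-003,Low,2023-09-01,
POAM-004,Critical,2024-02-01,
"""


@dataclass
class PoamItem:
    poam_id: str
    severity: str
    identified: date
    closed: date | None

    @property
    def deadline(self) -> date | None:
        """Due date under the 30/90/180-day schedule, or None if the
        severity is not one the schedule defines."""
        days = REMEDIATION_DAYS.get(self.severity.lower())
        return None if days is None else self.identified + timedelta(days=days)

    def status(self, as_of: date) -> str:
        """Classify the item relative to its deadline on the given date."""
        deadline = self.deadline
        if deadline is None:
            # Severity outside the schedule: escalate rather than guess.
            return "unknown-severity"
        if self.closed is not None:
            return "closed-late" if self.closed > deadline else "closed"
        return "overdue" if as_of > deadline else "open"


def parse_poam(csv_text: str) -> list[PoamItem]:
    """Parse the CSV export into PoamItem records; blank 'closed' means open."""
    items = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        items.append(PoamItem(
            poam_id=row["poam_id"].strip(),
            severity=row["severity"].strip(),
            identified=date.fromisoformat(row["identified"].strip()),
            closed=date.fromisoformat(row["closed"]) if row["closed"].strip() else None,
        ))
    return items


def deadlines(csv_text: str) -> dict[str, str | None]:
    """Map each POA&M id to its ISO-formatted deadline (None if undefined)."""
    return {i.poam_id: (i.deadline.isoformat() if i.deadline else None)
            for i in parse_poam(csv_text)}


def report(csv_text: str, as_of_iso: str) -> dict[str, str]:
    """Map each POA&M id to its status as of the given ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return {i.poam_id: i.status(as_of) for i in parse_poam(csv_text)}


if __name__ == "__main__":
    for poam_id, status in report(SAMPLE_POAM_CSV, "2024-02-15").items():
        print(f"{poam_id}: {status}")
```

Run against the sample as of 2024-02-15, the High item identified on 2024-01-10 is already overdue (its 30-day deadline was 2024-02-09), the Moderate item was closed well inside its 90-day window, the Low item from 2023-09-01 is still open until 2024-02-28, and the "Critical" row is surfaced as an unknown severity instead of being silently given a deadline.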
Use the Forgot Password feature on the member account login page to reset your password. If you need additional assistance, please contact email@example.com.
If you didn't receive a confirmation email with instructions to set up your member account, check your junk or spam folder. If you are still unable to locate your confirmation email, please contact firstname.lastname@example.org and our team will resend it.
To add additional users to your member account, log in to your StateRAMP member account and select the blue Subscriptions tab on the welcome page. Click the link to view subaccounts on the right side of the member information table. Share the URL provided at the bottom of the subaccounts page with other members of your organization; it allows them to create their own membership accounts under your organization.
Working With The PMO
Security documents are stored in a FedRAMP Moderate Authorized cloud solution. Access to documentation is restricted to StateRAMP PMO staff, designated service provider team members, and the government Authorizing Official (AO). Any additional requested access must be approved by the service provider.
Continuous Monitoring (ConMon) begins upon status award, or is scheduled independently with the StateRAMP PMO if the provider is already conducting ConMon to maintain a federal designation.
Once a provider submits a PMO Security Review Request, the time to complete the review depends on how quickly the provider completes onboarding, schedules a kick-off call, and delivers its security documents to the PMO. After all security documents have been delivered, a review typically takes only a few weeks.
If the product has undergone an Authorization Review, the Authorization Letter will be sent to the government Authorizing Official (AO) for review and signature before being delivered to the provider. If the product has undergone a Ready Review, the Ready Letter will be delivered to the provider. All products will begin Continuous Monitoring once a security status has been assigned.