StateRAMP Frequently Asked Questions
Transparency. Standardization. Community.
StateRAMP represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. We believe in the values of transparency, standardization, and community. As an advocate for strong but fair cybersecurity standards, StateRAMP works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
The StateRAMP Authorized Product List, published on the StateRAMP website, lists service providers that have obtained a StateRAMP security status of Active, In-Process, Pending, Ready, Provisional, or Authorized. It gives governments and procurement officials confidence in their service provider’s data security capabilities and provides a central location for sourcing StateRAMP-verified service providers using or offering IaaS, SaaS, and/or PaaS solutions that process, store, and/or transmit government data, including PII, PHI, and/or PCI. StateRAMP-approved 3PAOs are listed on the Assessors page of the StateRAMP website.
StateRAMP is governed by a Board of Directors comprised of a majority of state and local government officials and is organized under the Indiana Nonprofit Corporations Act as a domestic nonprofit 501(c)(6) organization.
StateRAMP simplifies security by providing state and local governments a common method for verification of cloud security.
With StateRAMP, Procurement Officials, Privacy Officers, and Information Security Officers can be confident that government-selected third-party providers using or offering IaaS, SaaS, and/or PaaS solutions that process, store, and/or transmit government data, including PII, PHI, and/or PCI, meet and maintain the government’s published cybersecurity policies.
StateRAMP documentation is maintained on the StateRAMP website documents page. Opportunities for public comment periods will be communicated via a number of methods, including the StateRAMP website and the StateRAMP mailing list which you can subscribe to using the form in the footer.
3PAOs who wish to be listed on the StateRAMP Approved Assessors list must be A2LA-certified and FedRAMP-approved and can submit the registration form online.
Any SLED (state, local, education, tribal/territorial) government official or employee with responsibility for information security, information technology, privacy, and/or procurement may become a member of StateRAMP. There is no membership fee for SLED and individuals can join by registering online.
Service providers interested in becoming a StateRAMP Member should complete the service provider membership form. Service provider membership is available for organizations offering and/or using IaaS, PaaS, and/or SaaS solutions that process, store, and/or transmit government data.
StateRAMP is a non-profit governed by a majority of state and local government officials, who adopt policies that guide the security verification requirements and process. Committees help inform the policies and provide opportunities for participation from those in both the public and private sectors. Committees include Nominating, Standards & Technical, Appeals, and Corporate Community.
If you are interested in learning more about participation, please contact firstname.lastname@example.org.
To learn more about how to obtain a StateRAMP Ready Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.
For sample language, templates, and assistance, contact our Government Engagement Team at email@example.com.
StateRAMP Security Snapshot
The StateRAMP Security Snapshot is a new early-stage security maturity assessment tool for cloud products. The criteria were designed to provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready.
Providers can begin the StateRAMP Security Snapshot process by becoming a member of StateRAMP and submitting a StateRAMP Security Snapshot Request. After they submit the form, providers will receive more information from the security team at the Program Management Office regarding payment and how to schedule the Security Snapshot Review call.
Prior to the 1-hour meeting, we encourage you to read and understand the scoring criteria so you are prepared to provide artifacts for each criterion you meet. The required team members should be available on the Snapshot call to answer any follow-up questions.
The scoring methodology for the StateRAMP Security Snapshot is based on critical NIST 800-53 Rev. 5 requirements.
Once a StateRAMP Security Snapshot review is completed, the StateRAMP PMO issues a letter to the provider with the product’s security maturity score. Scores are not publicly posted, and any sharing of the score is at the discretion of the provider.
The StateRAMP Security Snapshot may be utilized throughout the procurement process, as governments can utilize the Snapshot to determine the risk associated with products being considered for procurement. Governments can also use the Security Snapshot to assess progress toward StateRAMP Authorization for products once contracted.
We will give our best effort to deliver Snapshot scores within 3 weeks of payment. If you have any time constraints due to solicitations, please note them on the StateRAMP Security Snapshot request form and our security team at the Program Management Office will try their best to honor them.
A StateRAMP Security Snapshot review provides a point-in-time representation of a product’s security maturity. StateRAMP recommends that a Snapshot be no older than 12 months to be considered valid.
StateRAMP Requirements & Process
Technology (NIST) in the Special Publication 800-53 Revision 4. The controls outlined in the NIST SP 800-53 Revision 4 address all major known security risks for information systems and cloud systems.
State and local governments may require service providers to engage with StateRAMP and obtain a StateRAMP security status at any time. Service providers are encouraged to seek a StateRAMP Ready status independent of any RFP publication.
Six security statuses are recognized on the Authorized Product List (APL).
Verified Offerings: Ready, Authorized, and Provisional
To be verified, the provider must meet minimum security requirements and provide an independent audit conducted by a third party assessing organization (3PAO). StateRAMP recognizes three verified statuses, including Ready, Provisional, and Authorized. Ready meets minimum requirements; Provisional exceeds minimum requirements and includes a government sponsor; Authorized satisfies all requirements and includes a government sponsor. View more about the requirements at www.stateramp.org/templates-resources.
Progressing Offerings: Active, In Process, and Pending
StateRAMP recognizes offerings that are working toward a verified status. To be listed as in progress, the provider must be engaged with a third party assessing organization (3PAO) for an independent audit. The in-progress statuses are Active, In Process, and Pending. Active is working toward Ready; In Process is working toward Authorized; Pending has submitted a security package to the Program Management Office (PMO) and is awaiting a determination for a verified status.
StateRAMP Ready status and StateRAMP Authorized status are two different statuses service providers can obtain at different stages in the StateRAMP verification process. Service providers with a StateRAMP Ready status must still undergo additional security and system validation while service providers with a StateRAMP Authorized status have completed all security and system validation and the government has accepted the provider’s completed Security Package.
Provisional status may be assigned by a sponsoring state if the provider meets the mandatory minimum requirements and has submitted a security package for Authorization consideration but is found to meet most but not all security requirements. Providers with a Provisional Status comply with continuous monitoring requirements and submit further documentation in order to obtain Authorization.
Service providers who have successfully registered with StateRAMP and achieved a StateRAMP Ready, Provisional, or Authorized status may use the StateRAMP logo.
Service Providers who have successfully registered with StateRAMP and have obtained any StateRAMP security status may use the corresponding security status badge at any time.
State and local governments can review a list of all service providers registered with StateRAMP and their current security status by visiting the Authorized Product List. Governments may contact our Government Engagement Team at firstname.lastname@example.org to learn more about how to gain access to a service provider’s continuous monitoring and reporting, which is always provisioned by providers.
No, using an infrastructure with a StateRAMP Authorized status does not automatically make the service provider’s system StateRAMP compliant. Each layer (e.g., IaaS, PaaS, and SaaS) must be evaluated on its own for the provider to obtain a StateRAMP Authorized status. However, when the software sits on an infrastructure with a StateRAMP Approved status, it inherits all security controls from the system with the Authorized status, and this inheritance can be included and explained in the service provider’s documentation.
A service provider may execute “on the spot” fixes during an assessment conducted by the 3PAO. However, these changes should still be reported in the StateRAMP Security Assessment Report (SR-SAR) and discovered, addressed, and verified by the 3PAO.
Any 3PAO certified by the American Association of Laboratory Accreditation (A2LA) to the requirements of ISO/IEC 17020:2012 Requirements for the Operations of Various Types of Bodies Performing Inspection and accepted by FedRAMP is an accepted StateRAMP 3PAO. More information on becoming an accredited 3PAO may be found on the A2LA website.
Service providers pursuing a StateRAMP Ready status are responsible for contracting with and paying for the 3PAO of their choice. Once a service provider has contracted with a State, who pays for the 3PAO is determined by the State, though typically the service provider pays for the remaining 3PAO assessment.
The A2LA certification ensures 3PAO independence is maintained regardless of who pays for the assessment(s).
Yes. A service provider may partner with any 3PAO or consulting firm to prepare for the StateRAMP assessment.
Only Security Packages and assessment results submitted by an approved StateRAMP 3PAO will be considered when assigning StateRAMP security status.
Partnering with a non-accredited 3PAO prior to the approved 3PAO’s assessment does not guarantee that the approved 3PAO will validate the service provider’s solution.
Service providers must work with a StateRAMP-approved 3PAO for annual assessments of their system and to evaluate the impact of significant changes made by the service provider to its system, platform, and/or service offering.
As part of the StateRAMP requirements, state and local governments are responsible for reviewing and approving the continuous monitoring reports and activities submitted by all service providers monitored by the StateRAMP PMO.
The service provider is responsible for submitting monthly and quarterly reporting to the StateRAMP PMO and for partnering with the 3PAO of their choice to submit an annual security assessment. Governments have ultimate responsibility over the ongoing approval of a StateRAMP Authorized status for the provider’s SaaS, IaaS, or PaaS solution used by the government.
A service provider has 30 days for remediating high POA&M items, 90 days for remediating moderate POA&M items, and 180 days to remediate low POA&M items.
No! If a service provider is unable to secure a government sponsor, they can leverage the StateRAMP Approvals Committee. Committee members serve as authorizing officials on behalf of government.
Eligible sponsors include any government official or employee who serves in the role of Chief Information Officer, or their designee, who represents state, local, tribal, or territorial government or public higher education institutions. Interested sponsors must first become a StateRAMP Individual Government Member.
StateRAMP recently announced a new early-stage maturity assessment tool for cloud products. The StateRAMP Security Snapshot was approved by the StateRAMP Standards and Technical Committee and adopted by the Board as a “pre-Ready” measurement and gap analysis to provide insights for providers and the governments they serve.
The intent of the Security Snapshot criteria is to offer providers a first step toward achieving a verified StateRAMP security status. The criteria are designed to provide a gap analysis that goes beyond self-attestation to validate a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready, including controls and select additional requirements that would have a significant impact on the state of the system. A letter is provided with the StateRAMP Security Snapshot Score. Scores are not posted on the Authorized Product List.
There is no data or system geographical requirement for the StateRAMP or FedRAMP Low or Moderate standards. There are requirements in the High classification around foreign nationals and contractors. It is generally recommended that companies that wish to do business with US-based government entities keep their data and systems in the US. Many governments and individual agencies have restrictions beyond what StateRAMP requires, and once that data is classified under other compliance rules, such as HIPAA, there are further restrictions. Many state governments require data to reside in the US and even require systems maintenance to be performed by individuals residing in the US. If you have further questions, please email email@example.com.
Use the Forgot Password feature on the member account login page to reset your password. If you need additional assistance, please contact firstname.lastname@example.org.
If you didn’t receive a confirmation email with instructions to set up your member account, be sure to check your junk mail folder. If you are still unable to locate your confirmation email, please contact email@example.com and our team will resend it.
In order to add additional users to your member account, log in to your StateRAMP member account and select the blue subscriptions tab on the welcome page. Click the link to view subaccounts on the right side of the member information table. Share the URL provided at the bottom of the subaccounts page with other members of your organization. The subaccounts URL will allow additional users to create their own membership account with your organization.
Working With The PMO
Security documents are stored in a FedRAMP Moderate Authorized cloud solution. Access to documentation is restricted to StateRAMP PMO staff, designated service provider team members, and the government Authorizing Official (AO). Any additional requested access must be approved by the service providers.
Continuous Monitoring (ConMon) begins upon status award or will be independently scheduled with the StateRAMP PMO if the provider is already conducting ConMon to maintain their federal designation.
Once a provider submits a PMO Security Review Request, the time to complete the review depends on how quickly the provider can complete the onboarding process, schedule a kick-off call, and provide their security documents to the PMO. After all security documents have been delivered to the PMO, a review typically takes only a few weeks to complete.
If the product has undergone an Authorization Review, the Authorization Letter will be sent to the government Authorizing Official (AO) for review and signature before being delivered to the provider. If the product has undergone a Ready Review, the Ready Letter will be delivered to the provider. All products will begin Continuous Monitoring once a security status has been assigned.