StateRAMP for State and Local Governments & Education

Proactive Protection Against Cyber Threats at Home

Build a Solid Foundation for Risk Management

  • StateRAMP is based on the current version of the National Institute of Standards and Technology (NIST) publication 800-53, the same publication used to establish FedRAMP.
  • StateRAMP’s security verification model allows SLED (State, Local, and Education) organizations to trust potential vendors’ commitment to providing secure products.
  • Public sector members can review the authorized product list and view continuous monitoring of products through a secure portal.

Getting Started with StateRAMP

Download the StateRAMP Adoption Resource Guide

StateRAMP helps the public sector protect its sensitive data, saving taxpayer and vendor dollars, while relieving organizations’ burden of managing cybersecurity risk.

Learn more about the process of adopting StateRAMP standards with “Getting Started with StateRAMP: A Guide for Government.”

Adopting StateRAMP

StateRAMP Adoption is where governments and public sector organizations can begin, whether they are starting from scratch or expanding an existing third-party risk program.

We recognize that no two organizations are the same and that no two adoptions will be the same. Regardless of how you choose to adopt, by leveraging StateRAMP you can expect the following results:

  • Your policymakers can be assured your providers are meeting best-in-class standards throughout the contract lifespan.
  • You gain insight into your provider’s products before you sign a contract, allowing you to make informed decisions, under tight timelines, for low costs, while keeping competition open to providers of all sizes.
  • You can move from an assessor to an oversight role through access to our continuous monitoring portal, reviewing current and past records as required for your day-to-day contract management or for your auditing needs.
  • StateRAMP Adoption is so simple you can easily do it yourself, even standing up your program within a few weeks; however, we know sometimes you need an extra set of hands or just have questions. As such, your own dedicated Government Engagement Director stands ready to help you however they can.

Contact the Government Engagement Team to learn more.

Committee Structure

Board and Committee positions are two-year terms, beginning February 1, 2025.

Nominations are open from June 1 – August 1, 2024. The Nominating Committee will review nominations and make recommendations for a slate to the Board. All who have submitted a nomination form will be notified following committee review, no later than November 30, 2024. Nominations not recommended for 2025 will stay on file and active for the Nominating Committee’s reference should a vacancy occur. If you have any questions, please contact our staff at info@stateramp.org.

StateRAMP Task Forces

StateRAMP CJIS-Aligned Task Force

The StateRAMP Criminal Justice Information Services (CJIS)-Aligned Task Force is comprised of State and Local Government stakeholders, industry leaders, and FBI CJIS advisors. The mission is to craft an innovative overlay for StateRAMP’s Moderate Impact Level baseline controls, aligning seamlessly with CJIS requirements. While a formal CJIS certification may not exist, our CJIS-focused overlay serves as a beacon, illuminating a product’s likelihood for CJIS conformance.

StateRAMP/NASPO Procurement Task Force

The StateRAMP/NASPO Procurement Task Force convenes government procurement and IT professionals to foster collaboration on best practices in IT procurement. Their mission includes developing standardized templates and resources aimed at helping governments nationwide streamline cloud service acquisition. By leveraging collective expertise, the task force aims to enhance efficiency and effectiveness in government IT procurement processes across the nation.

Frequently Asked Questions

StateRAMP simplifies security for state and local governments, education institutions, special districts, and other public sector organizations by providing a common method for independent verification and validation of cloud security providers. With StateRAMP, procurement officials, privacy officers, and information security specialists can be confident in their third-party vendors. Officials can rest assured that providers offering SaaS, PaaS, or IaaS solutions for storing, processing, or transmitting sensitive data—including personally identifiable information, protected health information, or payment card industry data—meet and maintain the government’s strict published cybersecurity policies.

To become a StateRAMP public sector member, visit the Government Membership page. There, you can find detailed information about the benefits of membership and the registration process. Simply follow the instructions to complete your membership application and join our community of cybersecurity professionals dedicated to enhancing security and compliance in the public sector. Or, reach out to our Government Engagement Team at get@stateramp.org for assistance.

To become a StateRAMP private education member, visit the Private Education Membership page. This page provides comprehensive information on the benefits of membership and the steps to join. Follow the detailed instructions to complete your membership application and join our network of educational institutions committed to advancing cybersecurity and compliance. Or, reach out to our Government Engagement Team at get@stateramp.org for assistance.

To include StateRAMP requirements in your next RFP, start by exploring our resources available for government members. You can find templates, guidelines, and support materials designed to help integrate StateRAMP standards into your procurement processes. Additionally, you can contact StateRAMP directly for personalized assistance and to ensure your RFP aligns with the best practices in cybersecurity and compliance.