Fast Track

The Fast Track program allows providers to submit to StateRAMP PMO the same security package and 3PAO audit they have prepared for FedRAMP.

Providers do not need to wait for a FedRAMP authorization to submit a package to StateRAMP for a security review. The benefit of Fast Track is the ability to reuse the same audit and documentation for both StateRAMP and the Federal Program.

Fast Track Process

The steps below give a quick overview of the typical Fast Track process. Our dedicated StateRAMP Program Management Office is here to accompany you every step of the way and ensure all your questions are addressed promptly.

Step 1: Become a Member

To send a product through the Fast Track process, providers must first become a member.

Once the provider has completed the membership process, the organization and its primary point of contact will be added to the StateRAMP Member Directory and will gain access to the Members-Only portion of the website. Click here to register now.

Step 2: Engage the StateRAMP PMO

After joining as a StateRAMP member, service providers must complete a Security Review Request Form to engage the StateRAMP PMO. Prior to their first intake call, they can use this form to provide more information about their company and product.

Click here to access the Security Review Request form.

Step 3: Complete Required Documentation

Service providers should work with their third-party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federal-approved security package, 90 days of continuous monitoring (if applicable), and any necessary StateRAMP templates. The security team at the StateRAMP PMO accepts documents in FedRAMP formatting.

Step 4: PMO Review

The PMO will review the service provider’s complete security package and conduct a call with the provider and 3PAO to make any final adjustments to the submitted documentation.

Step 5: Continuous Monitoring

Continuous monitoring is required to maintain a product’s security status and listing on StateRAMP’s Authorized Product List. Providers with a federal authorization may submit their product’s monthly reporting to the StateRAMP PMO unless otherwise specified. After the initial assessment is complete, providers remaining in the FedRAMP process may submit their annual 3PAO assessment package using FedRAMP templates. 

FAQs:

The PMO will handle these situations on a case-by-case basis, and the approach will depend on what the provider is not allowed to share. If a federal agency is concerned about federally protected information, it is likely the federal agency would not wish to allow a state agency within the product boundary. On the other hand, state agencies will require complete security information before allowing state data to be put in that space. To mitigate the situation, there will be constant communication between the PMO, service provider, and federal agency to find middle ground to ensure we are giving States what they need to make the appropriate decisions on where to house their data.

Documentation uploaded to the secure portal will be separated by CSP, and access is tightly controlled. The only people who will have access to the inside of the tenant will be a designated CSP representative and the StateRAMP PMO. To ensure the necessary level of privacy and security, the StateRAMP Board and Steering Committee have adopted a policy requiring the document repository be a FedRAMP Moderate platform.

No, a product does not need to be Ready before Authorized.

For an offering to be listed as StateRAMP Authorized on the StateRAMP Authorized Product List (APL), providers can either select their own government sponsor or leverage the StateRAMP Approvals Committee.

Eligible government sponsors include any government official or employee who serves in the role of Chief Information Officer, or their designee, who represents state, local, tribal, or territorial government or public higher education institutions.

The other option for providers is to utilize the StateRAMP Approvals Committee. The StateRAMP Approvals Committee is comprised of five government officials who collectively serve as the Government Sponsor. The committee meets monthly to review security packages and recommendations from the security team at the Program Management Office and approves Authorizations. If the Approvals Committee is selected, no government sponsor is required.

The fees are the same as going through the standard process. Please find the full fee schedule here.

Get started today.

Ready to get started with Fast Track? Submit the Security Review Request form to begin. Then, the StateRAMP Program Management Office will reach out with more information on how to schedule your kick-off call. 

Read our blog to learn more about the StateRAMP Fast Track process.

*Attention Texas Vendors:

In 2021, Texas passed a law requiring all vendors who use a cloud solution to serve Texas to become TX-RAMP authorized. By administrative rule, TX-RAMP recognizes StateRAMP with automatic reciprocity. StateRAMP provides an efficient, reusable certification that applies in Texas and across our rapidly expanding list of participating governments.

StateRAMP provides a weekly sync with TX-RAMP, so StateRAMP Authorized Products appear on the TX-RAMP list with ease. 
