Ready or Authorized Process

Becoming a StateRAMP member allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts.

Service Provider Verification Process

How do I begin with StateRAMP?

Step 1:

Become a Member

Service providers must become a StateRAMP member before their IaaS, PaaS, or SaaS solutions can be validated by the Program Management Office (PMO), obtain a StateRAMP security status, or be listed on the Authorized Product List (APL). Service provider membership is granted at the organizational level and there is no limit to the number of products an organization can validate and list on the APL.

Once the provider has completed the membership process, the organization and organization’s primary point of contact will be added to the StateRAMP Member Directory and they will gain access to the Members-Only portion of the website.

Step 2:

Complete a StateRAMP Security Snapshot

As a first step toward achieving a verified StateRAMP Security Status, service providers have the option to complete a StateRAMP Security Snapshot. The snapshot serves as a “pre-Ready” measurement and the criteria are designed to provide a gap analysis to validate a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready.

Step 3:

Understand Requirements and Resources Available

Our security team at the Program Management Office is committed to helping guide products through the StateRAMP verification process. They have developed resources to advise on the most effective path to becoming StateRAMP Ready or Authorized.

Join StateRAMP staff on the first Wednesday of each month from 2:30-3:00 pm EST for Office Hours! This is an open forum to ask questions to StateRAMP staff.

We encourage you to watch the Getting Started with StateRAMP webinar, which can be found on the Video Library. StateRAMP Executive Director, Leah McGrath, and PMO Director, Noah Brown, explain the verification process in greater detail.

Visit the Templates and Resources page to see security policies and templates.

Step 4:

Identify Impact Level and Desired Status

Before engaging a Third-Party Assessment Organization and submitting any documentation to the StateRAMP Program Management Office for review, a service provider must determine the appropriate security category using the Data Classification Tool. Each category represents a different set of data characteristics and corresponding security requirements ranging from non-private, generally accessible information to protected personally identifiable information (PII) or classified data. 

Determine whether to become StateRAMP Ready or StateRAMP Authorized. You do not need to be Ready before Authorized.

Step 5:

Engage a Third-Party Assessment Organization

Review the list of StateRAMP-Approved Assessors and engage with a 3PAO to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR).

Step 6:

Begin Working on Required Documentation

If a service provider is pursuing Ready status, they must have fifty percent of their documentation completed so their 3PAO can complete a StateRAMP Readiness Assessment Report (SR-RAR). 

Once a service provider has engaged with a 3PAO to conduct their StateRAMP Authorization Review, the provider must complete a StateRAMP System Security Plan (SR-SSP), StateRAMP Security Controls Matrix (SR-SCM), the Plan of Actions and Milestones (POA&M), and any other documentation required by the 3PAO so the 3PAO can complete a StateRAMP Security Assessment Plan (SR-SAP) and a Security Assessment Report (SR-SAR).

Step 7:

Submit Security Review Request

Before a service provider can submit their completed documentation to the security team at the StateRAMP PMO, the provider must complete the Security Review Request Form. After submitting the form, the StateRAMP PMO team will reach out to schedule an intake call and begin their security review.

Step 8:

Government Sponsor or Approvals Committee?

To obtain Authorized status, a security package needs approval from the Approvals Committee or a Government Sponsor. They will serve as the authorization officials and confirm the package meets StateRAMP requirements.

Step 9:

Obtain a StateRAMP Verified Status

If the 3PAO attested that the provider meets all required security controls, the StateRAMP PMO verified the findings, a government sponsor or StateRAMP Approvals Committee accepted the provider’s security package, and all outstanding issues and/or inquiries have been resolved, the provider’s security status on the StateRAMP APL will be changed to Authorized. 

A Ready status indicates the product meets StateRAMP’s minimum mandatory requirements and most critical controls.

Step 10:

Continuous Monitoring

Once the provider has obtained a verified status, the provider must begin providing the required documentation for monthly continuous monitoring reporting to maintain their StateRAMP security status, as detailed in the StateRAMP Continuous Monitoring Guide.

Get started today.

For more detailed information on the verification process, read the complete Getting Started Guide for your use case. 

If you have specific questions about your product’s environment or the verification process, contact the PMO team at pmo@stateramp.org.
