Templates & Resources

StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Standards & Technical Committee.

Announcing StateRAMP's New Rev. 5 Baselines

The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. Providers submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisionally Authorized have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements.

Download the Rev. 5 Office Hours Presentation (pdf)

2024 Rev. 4 to Rev. 5 Transition Note: 

Throughout 2023, the StateRAMP Standards & Technical Committee met to update the baseline requirements to align with NIST 800-53 Rev. 5. The Committee and Board recommended a transition for providers so that those submitting for or maintaining a status of StateRAMP Ready, Provisionally Authorized or Authorized have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements. The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. 

Security Policies

Baseline Requirements

Security Assessment Framework

This document describes a general governance and security framework for StateRAMP.

StateRAMP Authorization Boundary Guidance

This document provides service providers with guidance for developing the authorization boundary for their cloud offering.

Baseline Controls

This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024)

Data Classification Tool

This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.

StateRAMP Penetration Test Guidance

This document provides guidance to service providers and 3PAOs for a penetration test.

StateRAMP Security Snapshot Criteria and Scoring

This document outlines criteria and scoring for the StateRAMP Security Snapshot, Rev. 4. Note: this will be updated to Rev. 5 in January 2024.

Ready Requirements

Ready Minimum Mandatory Requirements for Low Impact Levels

To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)

Ready Minimum Mandatory Requirements for Moderate and High Impact Levels

To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)

Continuous Monitoring

Continuous Monitoring Escalation Process

This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.

Continuous Monitoring Guide

Continuous monitoring review procedures outline the process to examine each monthly package.

Incident Communications Procedures

This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.

Vulnerability Scan Requirements Guide

This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisionally Authorized, or Authorized status.

Sample Policies & Procedures

The following templates are associated with Rev. 4 baseline requirements and will not be accepted after October 1, 2024.

Updated requirements and templates can be found here.

Get Started With StateRAMP

Our team is available to assist you through this process. Connect with our Membership Engagement Team at info@stateramp.org.

Single Security Snapshot

An early-stage security maturity assessment tool for cloud products, the Security Snapshot helps providers begin their cybersecurity journey and take the first step toward achieving a verified StateRAMP security status.

Progressing Security Snapshot Program

A subscription-based program combining trust-but-verify principles and a mentoring approach to improving cybersecurity maturity, Progressing Security Snapshot includes quarterly assessments and monthly consultative calls with the StateRAMP PMO team.

StateRAMP Ready

StateRAMP Ready is a verified security status attained by meeting the StateRAMP minimum mandatory requirements, demonstrated by a readiness assessment report conducted by a 3PAO.

No contract or government sponsor is required for Ready status. StateRAMP Ready indicates a product is likely well positioned to comply with the full authorization requirements.

StateRAMP Authorized/Provisionally Authorized

StateRAMP Authorized/Provisionally Authorized is a verified security status that indicates the product meets all the required security controls by impact level. 

Authorized/Provisionally Authorized Status requires a 3PAO attestation, StateRAMP PMO verification, and acceptance by a government sponsor or the StateRAMP Approvals Committee.

StateRAMP Program Management Office (PMO)

StateRAMP has an agreement with Knowledge Services to serve as the StateRAMP Program Management Office (PMO), given authority to carry out its work through the PMO Charter. The StateRAMP PMO supports service providers as they work to achieve their required/necessary level of StateRAMP authorization.

The fee schedule for the PMO to review security packages and facilitate the StateRAMP Security Snapshot Program is adopted by the StateRAMP Board and is available here. Reduced fees are available to small businesses.

StateRAMP PMO holds monthly office hours for general requirements and process questions. View upcoming staff hours at stateramp.org/events.

Inquiries about the program, membership, and security program may be sent to info@stateramp.org.