Rev. 4 Templates and Resources
StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Standards & Technical Committee. Find the policies, templates and resources you need on this page.
2024 Rev. 4 to Rev. 5 Transition Note:
Throughout 2023, the StateRAMP Standards & Technical Committee met to update the baseline requirements to align with NIST 800-53 Rev. 5. The Committee and Board recommended a transition for providers so that those submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisional have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements. The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024.
Announcing StateRAMP's New Rev. 5 Baselines
In May, the StateRAMP Board of Directors adopted the Standards & Technical Committee’s recommended baseline controls that incorporate NIST 800-53 Rev. 5 into StateRAMP’s security requirements.
This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024)
This document describes a general governance and security framework for StateRAMP.
This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.
This document provides guidance to service providers and 3PAOs on conducting a penetration test.
This document provides guidance to service providers on developing the authorization boundary for their cloud offering.
This document outlines criteria and scoring for the StateRAMP Security Snapshot, Rev. 4. Note: this will be updated to Rev. 5 in January 2024.
To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)
To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)
This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.
Continuous monitoring review procedures outline the process to examine each monthly package.
This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.
This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status.
Sample Policies & Procedures
The following templates are associated with Rev. 4 baseline requirements and will not be accepted after October 1, 2024. View updated requirements and templates here.
StateRAMP verification relies on independent audits that are conducted by Third Party Assessing Organizations (3PAOs). StateRAMP 3PAOs will use the following templates to report audit findings.
Authorized Product List
The first Authorized Product List (APL) includes a listing of Subscriber Members who are actively pursuing third party verification for their offerings. Follow the steps below to be listed on the Authorized Product List.
Find a StateRAMP 3PAO
Assessors play an important role in conducting independent security audits.
A government sponsor is required for providers wishing to submit a request for authorization.
Submit a Review Request
Do you want your products included on the StateRAMP Authorized Product List? Submit a Security Review Request to begin the process.
StateRAMP is proud to partner with Knowledge Services to serve as the PMO.