Rev. 4 Templates and Resources

StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Standards & Technical Committee. Find the policies, templates and resources you need on this page.

2024 Rev. 4 to Rev. 5 Transition Note: 

Throughout 2023, the StateRAMP Standards & Technical Committee met to update the baseline requirements to align with NIST 800-53 Rev. 5. The Committee and Board recommended a transition for providers so that those submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisional have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements. The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. 

Announcing StateRAMP's New Rev. 5 Baselines

In May, the StateRAMP Board of Directors adopted the Standards & Technical Committee’s recommended baseline controls that incorporate NIST 800-53 Rev. 5 into StateRAMP’s security requirements.

Security Policies

Baseline Requirements

Baseline Controls

This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024)

Security Assessment Framework

This document describes a general governance and security framework for StateRAMP.

Data Classification Tool

This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.

StateRAMP Penetration Test Guidance

This document provides guidance to service providers and 3PAOs for a penetration test.

StateRAMP Authorization Boundary Guidance

This document provides guidance to service providers for developing the authorization boundary for their cloud offering.

StateRAMP Security Snapshot Criteria and Scoring

This document outlines criteria and scoring for the StateRAMP Security Snapshot, Rev. 4. Note: this will be updated to Rev. 5 in January 2024.

Ready Requirements

Ready Minimum Mandatory Requirements for Low Impact Levels

To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)

Ready Minimum Mandatory Requirements for Moderate and High Impact Levels

To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 4 – Retired Oct. 1, 2024)

Continuous Monitoring

Continuous Monitoring Escalation Process

This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.

Continuous Monitoring Guide

Continuous monitoring review procedures outline the process to examine each monthly package.

Incident Communications Procedures

This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.

Vulnerability Scan Requirements Guide

This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status.

Sample Policies & Procedures

The following templates are associated with Rev. 4 baseline requirements and will not be accepted after October 1, 2024. View updated requirements and templates here.

Authorized Product List

The first Authorized Product List (APL) includes a listing of Subscriber Members who are actively pursuing third party verification for their offerings. Follow the steps below to be listed on the Authorized Product List.

Find a StateRAMP 3PAO

Assessors play an important role in conducting independent security audits.

Government Sponsors

A government sponsor is required for providers wishing to submit a request for authorization.

Submit a Review Request

Do you want your products included on the StateRAMP Authorized Product List? Submit a Security Review Request to begin the process.

Connect with the

StateRAMP is proud to partner with Knowledge Services to serve as the PMO.
