Announcing StateRAMP's New Rev. 5 Baselines
The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. Providers submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisionally Authorized have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements.
2024 Rev. 4 to Rev. 5 Transition Note:
Throughout 2023, the StateRAMP Standards & Technical Committee met to update the baseline requirements to align with NIST 800-53 Rev. 5. The Committee and Board recommended a transition for providers so that those submitting for or maintaining a status of StateRAMP Ready, Provisionally Authorized or Authorized have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements.
Security Policies
Baseline Requirements
Ready Requirements
Continuous Monitoring
Sample Policies & Procedures
The following templates are associated with Rev. 4 baseline requirements and will not be accepted after October 1, 2024.
Updated requirements and templates can be found here.
StateRAMP verification relies on independent audits that are conducted by Third Party Assessing Organizations (3PAOs). StateRAMP 3PAOs will use the following templates to report audit findings.
StateRAMP Readiness Assessment Report (RAR) Template
StateRAMP Security Assessment Report (SAR) Template
StateRAMP Security Assessment Plan (SAP) Template
StateRAMP Inventory Workbook Template
Providers will need to complete their StateRAMP System Security Plan (SSP) and SSP Attachments, and have policies and procedures in order, before engaging a Third Party Assessment Organization (3PAO) for an audit.
System Security Plan (SSP) Template
Plan of Action and Milestones (POAM) Template
Continuous Monthly Executive Summary Template
Vulnerability Deviation Request Form
Significant Change Form Template
StateRAMP SSP Attachments
Configuration Management Plan (CMP) Template
Incident Response Plan (IRP) Template
Information System Continuous Monitoring (ISCM) Plan
StateRAMP has worked with the Program Management Office (PMO) to develop sample policy and procedure templates to serve as a resource for providers.
AC – Access Control Policy Template
AC – Access Control Procedure Template
AT – Awareness & Training Policy Template
AT – Awareness & Training Procedure Template
AU – Audit & Accountability Policy Template
AU – Audit & Accountability Procedure Template
CA – Security Assessment and Authorization Policy Template
CA – Security Assessment and Authorization Procedure Template
CM – Configuration Management Policy Template
CM – Configuration Management Procedure Template
CP – Contingency Planning Policy Template
CP – Contingency Planning Procedure Template
IA – Identification & Authentication Policy Template
IA – Identification & Authentication Procedure Template
IR – Incident Response Policy Template
IR – Incident Response Procedure Template
MA – Maintenance Policy Template
MA – Maintenance Procedure Template
MP – Media Protection Policy Template
MP – Media Protection Procedure Template
PE – Physical & Environmental Policy Template
PE – Physical & Environmental Procedure Template
PL – Planning Policy Template
PL – Planning Procedure Template
PS – Personnel Policy Template
PS – Personnel Procedure Template
RA – Risk Assessment Policy Template
RA – Risk Assessment Procedure Template
SA – System & Services Acquisition Policy Template
SA – System & Services Acquisition Procedure Template
SC – System & Communications Protection Policy Template
SC – System & Communications Protection Procedure Template
SI – System & Information Integrity Policy Template
SI – System & Information Integrity Procedure Template
Get Started With StateRAMP
Our team is available to assist you through this process. Connect with our Membership Engagement Team at info@stateramp.org.
Single Security Snapshot
Progressing Security Snapshot Program
A subscription-based program combining trust-but-verify principles and a mentoring approach to improving cybersecurity maturity, Progressing Security Snapshot includes quarterly assessments and monthly consultative calls with the StateRAMP PMO team.
StateRAMP Ready
StateRAMP Ready is a verified security status attained by meeting the StateRAMP minimum mandatory requirements, demonstrated by a readiness assessment report conducted by a 3PAO.
No contract or government sponsor is required for Ready status. StateRAMP Ready indicates a product is likely well positioned to comply with the full authorization requirements.
StateRAMP Authorized/Provisionally Authorized
StateRAMP Authorized/Provisionally Authorized is a verified security status that indicates the product meets all the required security controls by impact level.
Authorized/Provisionally Authorized Status requires a 3PAO attestation, StateRAMP PMO verification, and acceptance by a government sponsor or the StateRAMP Approvals Committee.
StateRAMP Program Management Office (PMO)
StateRAMP has an agreement with Knowledge Services to serve as the StateRAMP Program Management Office (PMO), which is given authority to carry out its work through the PMO Charter. The StateRAMP PMO supports service providers as they work to achieve their required level of StateRAMP authorization.
The fee schedule for the PMO to review security packages and facilitate the StateRAMP Security Snapshot Program is adopted by the StateRAMP Board and is available here. Reduced fees are available to small businesses.
StateRAMP PMO holds monthly office hours for general requirements and process questions. View upcoming staff hours at stateramp.org/events.
Inquiries about the program, membership, and security program may be sent to info@stateramp.org.