Announcing StateRAMP's New Rev. 5 Baselines
The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. Providers submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisionally Authorized have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements.
StateRAMP Standards
StateRAMP has selected NIST SP 800-53, Rev. 5 as the foundation for all applicable standards, in part because FedRAMP has demonstrated this practice and because many security frameworks used by state and local governments are themselves tied to NIST 800-53. The framework is applied when assessing the specific products that service providers deliver to state and local governments and other public sector organizations.
The following outlines the StateRAMP policies that establish StateRAMP security standards and requirements. These policies are adopted and reviewed annually by the StateRAMP Standards and Technical Committee and Board of Directors.
- Security Assessment Framework
- Baseline Controls Matrix and Guidance
- Security Snapshot Criteria and Scoring
- Data Classification Tool
- Ready Minimum Mandatory Requirements for Low Impact Level
- Ready Minimum Mandatory Requirements for Moderate and High Impact Levels
- Baseline Controls by Impact Level for Authorization
- Authorization Boundary Guidance
- Penetration Test Guidance
- Continuous Monitoring Guide
- Vulnerability Scan Requirements Guide
- Incident Communications Procedures
- Continuous Monitoring Escalation Process Guide
Criteria & Guidance for StateRAMP Security Snapshot
The 2024 StateRAMP Security Snapshot includes updated controls aligned with Rev. 5 and updated scoring that is weighted in accordance with the MITRE ATT&CK Framework control protection values. The Security Snapshot does not require a 3PAO, and includes an abridged audit conducted virtually by the StateRAMP PMO. The following resources provide test case examples and artifact guidance for those preparing for a Snapshot assessment.
Download the Security Snapshot Test Case Criteria and Artifact Guidance (.zip)
Get Started With StateRAMP Security Snapshot
The StateRAMP Security Snapshot provides an analysis based on the 40 most impactful StateRAMP Ready controls, giving a preliminary view of your product's maturity against NIST 800-53 Rev. 5. Click the button below to learn more about the Security Snapshot and see available options.
Templates for Ready, Provisionally Authorized, and Authorized Statuses
StateRAMP statuses of Ready, Provisionally Authorized, and Authorized rely on independent audits that are conducted by Third Party Assessing Organizations (3PAOs).
Following the conclusion of the 3PAO audit for Ready or Authorized, the provider and 3PAO must assemble a final package and submit the package for security review to the StateRAMP PMO.
Assessors must provide a package that includes:
- Assessor Matrix
*Incorporated into the new Assessor Matrix are the StateRAMP Readiness Assessment Review (RAR), StateRAMP Security Assessment Review (SAR), test case procedures, risk exposure template, and system overview.
- Security Assessment Plan
Service Providers must provide a security package that includes:
- Operational Controls Matrix
*Formerly known as the System Security Plan
- Continuous Monitoring Matrix
*Now combined with a Plan of Action & Milestones
Products that achieve a StateRAMP Ready, Provisionally Authorized or Authorized status are listed on the StateRAMP Authorized Product List.
Download compiled Packages with Templates and Sample Policies for Service Providers and Assessors below.
Provider packages include all required templates and sample policies and procedures for every NIST 800-53 control family, in addition to templates for Rules of Behavior, Incident Response Plan, Configuration Management Plan, Information System Contingency Plan, and Supply Chain Risk Management.
Service Provider Package for Low Impact (Last Published: Jan 8, 2024)
Service Provider Package for Moderate Impact (Last Published: Jan 10, 2024)
3PAO Package for Low Impact (Last Published: Jan 8, 2024)
3PAO Package for Moderate Impact (Last Published: Jan 8, 2024)
Get Started With StateRAMP
Our team is available to assist you through this process. Connect with our Membership Engagement Team at info@stateramp.org.
Single Security Snapshot
Progressing Security Snapshot Program
A subscription-based program combining trust-but-verify principles and a mentoring approach to improving cybersecurity maturity, Progressing Security Snapshot includes quarterly assessments and monthly consultative calls with the StateRAMP PMO team.
StateRAMP Ready
StateRAMP Ready is a verified security status attained by meeting the StateRAMP minimum mandatory requirements, demonstrated by a readiness assessment report conducted by a 3PAO.
No contract or government sponsor is required for Ready status. StateRAMP Ready indicates a product is likely well positioned to comply with the full authorization requirements.
StateRAMP Authorized/Provisionally Authorized
StateRAMP Authorized/Provisionally Authorized is a verified security status that indicates the product meets all the required security controls by impact level.
Authorized/Provisionally Authorized Status requires a 3PAO attestation, StateRAMP PMO verification, and acceptance by a government sponsor or the StateRAMP Approvals Committee.
StateRAMP Program Management Office (PMO)
StateRAMP has an agreement with Knowledge Services to serve as the StateRAMP Program Management Office (PMO), which is given authority to carry out its work through the PMO Charter. The StateRAMP PMO supports service providers as they work to achieve their required level of StateRAMP authorization.
The fee schedule for the PMO to review security packages and facilitate the StateRAMP Security Snapshot Program is adopted by the StateRAMP Board and is available here. Reduced fees are available to small businesses.
The StateRAMP PMO holds monthly office hours for general requirements and process questions. View upcoming office hours at stateramp.org/events.
Inquiries about the program, membership, and security program may be sent to info@stateramp.org.