Verification Process

Becoming a StateRAMP member allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts.

Where do I begin with StateRAMP?

1. Become a member.

Service providers must become a StateRAMP member before their IaaS, PaaS, or SaaS solutions can be validated by the Program Management Office and listed on the Authorized Product List (APL). Service provider membership is granted at the organizational level and there is no limit to the number of products an organization can validate and list on the APL.

Once the provider has completed the registration process, the organization will have access to the members-only section of the StateRAMP website.

2. Understand requirements and resources available.

Attend one of our live Getting Started with StateRAMP webinars or watch a recorded one in our Video Library. StateRAMP Executive Director Leah McGrath and PMO Director Noah Brown lead the presentation together, with the objective of helping you understand your best path to StateRAMP Authorization. Check our events calendar to register for the next one.

Visit the Templates and Resources page to see samples and templates. Be sure to check out the Provider Templates. All these templates are required to be completed as part of your security package.

3. Identify impact level and desired status.

Use the Data Classification Tool to identify Impact Level. There are three StateRAMP security categories: Low, Low +, and Moderate. Each category represents a different set of data characteristics and corresponding security requirements.

Determine whether to pursue StateRAMP Ready or StateRAMP Authorized. You do not need to be Ready before Authorized.

4. Engage a Third-Party Assessment Organization.

Review the list of StateRAMP-approved Third Party Assessment Organizations (3PAOs) and engage with the 3PAO of your choice to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR).

5. Begin working on required documentation.

For your 3PAO to complete a RAR, you must begin your StateRAMP System Security Plan (SSP) and have most of your policies and procedures in order. 

For your 3PAO to complete a SAR, your organization’s System Security Plan and provider templates must be completed. 

The Templates & Resources page has an SSP template, as well as sample policies and procedures.

6. Government Sponsor or Approvals Committee

To obtain Authorized status, your package needs approval from the Approvals Committee or a Government Sponsor, which can confirm your security package meets StateRAMP requirements.

7. Security Review Request

Once your 3PAO has completed your Readiness Assessment Report or Security Assessment Report, you may submit a Security Review Request to our PMO Team.

8. Continuous Monitoring

Once a product has achieved a verified status, the product’s security posture is monitored according to continuous monitoring requirements.

Get started today.

For more detailed information on the verification process, view the Getting Started Guide on the Documents page.

Once you’ve engaged a 3PAO, submit a Security Review Request.

If you have specific questions about your product’s environment or the verification process, contact the PMO team at pmo@stateramp.org.
