StateRAMP Authorized Security Review Terms & Conditions

Authorized Review Documents

As part of the StateRAMP Authorized Review, the PMO shall review all required documents provided by the Provider. Which documents shall be reviewed depends on whether the Authorized Review is based on NIST 800-53 Rev. 4 or NIST 800-53 Rev. 5, as well as whether the package is coming through the FastTrack program.

The list of documents may include, but is not limited to, the list below or any successor documents:

  1. System Security Plan (SSP) 
  2. Boundary Diagram 
  3. Control Matrix (includes Control Implementation Summary-CIS)
  4. Security Policy – Access Control (AC) 
  5. Security Policy – Awareness & Training (AT) 
  6. Security Policy – Audit & Accountability (AU) 
  7. Security Policy – Security Assessment & Authorization (CA) 
  8. Security Policy – Configuration Management (CM) 
  9. Security Policy – Contingency Planning (CP) 
  10. Security Policy – Identification & Authentication (IA) 
  11. Security Policy – Incident Response (IR) 
  12. Security Policy – Maintenance (MA) 
  13. Security Policy – Media Protection (MP) 
  14. Security Policy – Personnel Security (PS) 
  15. Security Policy – Physical & Environmental (PE) 
  16. Security Policy – Planning (PL) 
  17. Security Policy – Risk Assessment (RA) 
  18. Security Policy – Systems & Services Acquisition (SA) 
  19. Security Policy – Systems & Communications Protection (SC) 
  20. Security Policy – Systems & Information Integrity (SI) 
  21. Security Procedure – Access Control (AC) 
  22. Security Procedure – Awareness & Training (AT) 
  23. Security Procedure – Audit & Accountability (AU) 
  24. Security Procedure – Security Assessment & Authorization (CA) 
  25. Security Procedure – Configuration Management (CM) 
  26. Security Procedure – Contingency Planning (CP) 
  27. Security Procedure – Identification & Authentication (IA) 
  28. Security Procedure – Incident Response (IR) 
  29. Security Procedure – Maintenance (MA) 
  30. Security Procedure – Media Protection (MP) 
  31. Security Procedure – Personnel Security (PS) 
  32. Security Procedure – Physical & Environmental (PE) 
  33. Security Procedure – Planning (PL) 
  34. Security Procedure – Risk Assessment (RA) 
  35. Security Procedure – Systems & Services Acquisition (SA) 
  36. Security Procedure – Systems & Communications Protection (SC) 
  37. Security Procedure – Systems & Information Integrity (SI) 
  38. User Guide
  39. Digital Identity Worksheet
  40. Privacy Impact Analysis (Included in SSP)
  41. Rules of Behavior 
  42. Information System Contingency Plan 
  43. Configuration Management Plan 
  44. Incident Response Plan 
  45. Control Implementation Summary (Included in OCM)
  46. FIPS-199
  47. Roles & Permissions Matrix 
  48. Laws and Regulations (Included in OCM)
  49. StateRAMP Inventory Worksheet (Included in OCM)
  50. Continuous Monitoring Plan 
  51. Security Assessment Plan (SAP)
  52. Appendix B – Penetration Testing Plan and Methodology
  53. Appendix C – 3PAO Supplied Deliverables (e.g., Penetration Test Rules of Engagement and Sampling Methodology)
  54. Security Assessment Report (SAR)
  55. Appendix A – Risk Exposure Table
  56. Appendix B – Security Test Case Procedures
  57. Appendix C – Infrastructure Scan Results
  58. Appendix D – Database Scan Results
  59. Appendix E – Web Scan Results
  60. Appendix F – Assessment Results
  61. Appendix G – Manual Test Results – Assessment Results
  62. Appendix H – Documentation Review Findings
  63. Appendix I – Auxiliary Documents (e.g., evidence artifacts)
  64. Appendix J – Penetration Test Report
  65. Scan and POA&M associated SAR (if available)
  66. Continuous Monitoring 30 Days (Scan/inventory/POA&M)
  67. Continuous Monitoring 60 Days (Scan/inventory/POA&M)
  68. Continuous Monitoring 90 Days (Scan/inventory/POA&M)

You can find exact details of what must be submitted at: Rev. 4 Templates & Resources or Rev. 5 Templates & Resources.