Templates and Resources

StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Steering Committee and Standards & Technical Committee. Find the templates and resources you need on this page.

Announcing StateRAMP's New Rev. 5 Baselines

In May, the StateRAMP Board of Directors adopted the Standards & Technical Committee’s recommended baseline controls that incorporate NIST 800-53 Rev.5 into StateRAMP’s security requirements. 

Security Policies

Baseline Requirements

Baseline Controls

This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4.

Data Classification Tool

This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.

StateRAMP Authorization Boundary Guidance
StateRAMP Penetration Test Guidance
StateRAMP Security Snapshot Criteria and Scoring

Ready Requirements

Ready Minimum Mandatory Requirements for Low Impact Levels

To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document.

Ready Minimum Mandatory Requirements for Moderate and High Impact Levels

To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document.

Continuous Monitoring

Continuous Monitoring Escalation Process

This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.

Continuous Monitoring Guide

Continuous monitoring review procedures outline the process to examine each monthly package.

Incident Communications Procedures

This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.

Significant Change Form Template

Service providers are requirements to submit this completed form to StateRAMP and receive StateRAMP approval prior to implementing a significant change to a system with an existing StateRAMP Authorization.

Vulnerability Deviation Request Form

When a service provider identifies a vulnerability that potentially warrants different handling than normally required by StateRAMP, they may submit a deviation request to StateRAMP using this form.

Vulnerability Scan Requirements Guide

This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status.

Sample Policies & Procedures

Authorized Product List

The first Authorized Product List (APL) includes a listing of Subscriber Members who are actively pursuing third party verification for their offerings. Follow the steps below to be listed on the Authorized Product List.

Find a StateRAMP 3PAO

Assessors play an important role in conducting independent security audits.

Government Sponsors

A government sponsor is required for providers wishing to submit a request for authorization.

Submit a Review Request

Do you want your products included on the StateRAMP Authorized Product List? Submit a Security Review Request to begin the process.

Connect with the

StateRAMP is proud to partner with Knowledge Services to serve as the PMO.

Receive StateRAMP Updates

Interested in StateRAMP? Sign up below to receive StateRAMP Updates.