Templates and Resources
StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Steering Committee and Standards & Technical Committee. Find the templates and resources you need on this page.
Announcing StateRAMP's New Rev. 5 Baselines
In May, the StateRAMP Board of Directors adopted the Standards & Technical Committee’s recommended baseline controls that incorporate NIST 800-53 Rev.5 into StateRAMP’s security requirements.
This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4.
This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected.
To achieve Ready Status for Low Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document.
To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document.
This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program.
Continuous monitoring review procedures outline the process to examine each monthly package.
This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents.
Service providers are required to submit this completed form to StateRAMP and receive StateRAMP approval prior to implementing a significant change to a system with an existing StateRAMP Authorization.
When a service provider identifies a vulnerability that potentially warrants different handling than normally required by StateRAMP, they may submit a deviation request to StateRAMP using this form.
This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status.
Sample Policies & Procedures
StateRAMP verification relies on independent audits that are conducted by Third Party Assessing Organizations (3PAOs). StateRAMP 3PAOs will use the following templates to report audit findings.
Authorized Product List
The first Authorized Product List (APL) includes a listing of Subscriber Members who are actively pursuing third party verification for their offerings. Follow the steps below to be listed on the Authorized Product List.
Find a StateRAMP 3PAO
Assessors play an important role in conducting independent security audits.
A government sponsor is required for providers wishing to submit a request for authorization.
Submit a Review Request
Do you want your products included on the StateRAMP Authorized Product List? Submit a Security Review Request to begin the process.
Connect with the
StateRAMP is proud to partner with Knowledge Services to serve as the PMO.