The Process


  1. State requires 3PAO verification of CSPs
  2. StateRAMP monitors, maintains and publishes a registry of accredited 3PAO organizations approved for use by StateRAMP
  3. CSP vendors select an accepted accredited 3PAO to obtain cyber security certification
  4. Once the CSP vendor becomes 3PAO certified, the 3PAO provides StateRAMP verification certificate


  1. StateRAMP collects from CSP vendor’s 3PAO validation of the approved monthly continuous monitoring results
  2. StateRAMP stores on its FedRAMP hosted platform all 3PAO certifications of compliance 
  3. StateRAMP publishes on its site all approved CSP vendor applications (PaaS, IaaS & SaaS)
  4. StateRAMP notifies State Agency of CSP vendor certificate of compliance


  1. StateRAMP ensures participating State Agency CSP vendor contracts and terms are accurately documented
  2. StateRAMP immediately notifies affected governments of CSP vendor non-compliance risks and expired and failed 3PAO audits
  3. StateRAMP works with the 3PAO, CSP vendor and State Agencies throughout the remediation process to resolve non-compliance issues
  4. StateRAMP organization monitors CSP vendor certification requirements
  5. StateRAMP organization ensures quarterly & monthly reporting results are current
  6. StateRAMP provides State and CSP vendor(s) pre-notification of approaching expirations