What is StateRAMP?

In 2011, the Federal Risk and Authorization Management Program (FedRAMP) laid the groundwork for a standardized assessment methodology in federal agencies to assess cloud service provider environments. Recognizing the value of this approach beyond federal sectors, the State Risk and Authorization Management Program (StateRAMP) emerged in 2021 for state, local, and education (SLED) agencies. StateRAMP is a 501(c)6 nonprofit entity that aims to bolster cybersecurity practices across SLED agencies.

The StateRAMP initiative aligns with the Federal Information Processing Standards (FIPS) and the National Institute of Standards and Technology (NIST).


StateRAMP operates with two mandates:

  1. To ensure that service providers offering cloud-based solutions meet a defined cybersecurity standard. This assurance provides state and local governments with confidence in the data security capabilities of their chosen service providers.
  1. To verify that these service providers maintain a consistent level of cybersecurity throughout their service delivery. This ongoing validation instills trust among state and local governments and procurement officials, reaffirming their confidence in the data security practices of their selected service providers.

StateRAMP Compliance

StateRAMP compliance hinges on adhering to the stringent security requirements outlined in NIST 800-53, supplemented by StateRAMP-specific controls. Cloud service providers (CSPs) eyeing state and local government contracts must exhibit StateRAMP compliance, validated through an Authority to Operate (ATO). Achieving StateRAMP compliance involves a structured process, which we’ll delve into shortly.

Who Participates in StateRAMP?

Collaboration among the following entities is indispensable for StateRAMP to be effective:

  1. StateRAMP Program Management Office (PMO): Setting the course, the PMO crafts policies and procedures, ensuring uniform security standards adoption across agencies.
  2. SLED Agencies: These agencies, driven by cybersecurity imperatives, seek cloud solutions meeting predefined security baselines. They endorse CSPs through the ATO issuance process, with 23 states participating in StateRAMP.
  3. StateRAMP Assessment Organizations: Accredited by the American Association for Laboratory Accreditation (A2LA), these organizations conduct independent assessments that are pivotal in validating CSPs’ compliance.
  4. StateRAMP Service Providers: CSPs, the backbone of the initiative, provide scalable computing resources to businesses, offering Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions.

Paths to StateRAMP Certification

CSPs embarking on the StateRAMP compliance journey can opt for two paths:

  1. SLED Agency Sponsorship: CSPs secure an ATO directly when collaborating with an SLED agency willing to sponsor their compliance efforts.
  2. StateRAMP Approvals Committee Authorization: In cases where no sponsoring agency is available, the StateRAMP Approvals Committee serves as the sponsor, evaluating CSPs’ security postures against StateRAMP requirements.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about StateRAMP

Authorized Products

StateRAMP’s verification process ensures that products or services meet minimum security requirements and undergo an independent audit by a Third-Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses: Ready, Provisional, and Authorized.

  • Ready Status: Products achieving the Ready status meet the requirements outlined in the Minimum Mandatory Requirements Policy established by StateRAMP. This status signifies that the product has undergone initial assessments and is deemed ready for further evaluation.
  • Provisional Status: Provisional status may be granted to a product by a sponsoring government entity or the StateRAMP Approvals Committee. This status is assigned to products that meet the authorization requirements but have one or more interconnected technologies that are not yet StateRAMP or FedRAMP Authorized. The technology must have a current StateRAMP Security Snapshot to attain provisional status, per the StateRAMP Authorization Boundary Guidance.
  • Authorized Status: The highest level of authorization, Authorized status, is reserved for products that have demonstrated compliance with all required security controls, categorized by impact level. Products achieving Authorized status have undergone comprehensive assessments and have been deemed secure for use within government environments.

List of StateRAMP States

Government/Organization NameStateEntity Type
State of AlabamaAlabamaState
State of ArizonaArizonaState
City of ChandlerArizonaLocal
State of ArkansasArkansasState
Arkansas – Administrative Office of the CourtsArkansasState
Spring Hill Public SchoolsArkansasK-12
Genoa Public SchoolsArkansasK-12
Arapahoe CountyColoradoLocal
State of ColoradoColoradoState
State of FloridaFloridaState
Hillsborough County Sheriff’s OfficeFloridaLocal
Palm Beach GardensFloridaLocal
State of GeorgiaGeorgiaState
City of FishersIndianaLocal
Johnson County Park and Recreation DistrictKansasLocal
State of KansasKansasState
State of MaineMaineState
State of MassachusettsMassachusettsState
State of MichiganMichiganState
State of MinnesotaMinnesotaState
State of MissouriMissouriState
State of Nebraska – Judicial BranchNebraskaState
Nebraska Cybersecurity Network for EducationNebraskaK-12
State of NevadaNevadaState
State of New HampshireNew HampshireState
New Jersey Cybersecurity & Communication CellNew JerseyState
State of New YorkNew YorkState
New York State Local Government IT Directors’ Assoc.New YorkLocal
State of North CarolinaNorth CarolinaState
University of North Carolina SystemNorth CarolinaHigher Education
State of North DakotaNorth DakotaState
State of OhioOhioState
State of OklahomaOklahomaState
State of OregonOregonState
Richard Bland College of William and MaryVirginiaHigher Education
State of TexasTexasState
Clarendon CollegeTexasHigher Education
Texas A&M AgriLifeTexasHigher Education
Sacramento CountyCaliforniaLocal

FedRAMP vs. StateRAMP

StateRAMP and FedRAMP are both initiatives aimed at bolstering cybersecurity in government agencies, but they target different levels of government and operate with distinct methodologies. FedRAMP, established in 2011, focuses on standardizing security assessments for cloud service providers (CSPs) seeking to offer services to federal agencies. FedRAMP sets rigorous security standards based on NIST guidelines and conducts thorough assessments through accredited Third-Party Assessment Organizations (3PAOs). Its centralized approach enables federal agencies to adopt secure cloud solutions from authorized CSPs.

In contrast, StateRAMP, launched in 2021, caters specifically to state, local, and education (SLED) agencies, addressing the cybersecurity needs of governments beyond the federal level. Operating as a nonprofit organization, StateRAMP tailors its assessment framework to align with federal standards while incorporating StateRAMP-specific security controls. This initiative offers a standardized methodology for evaluating CSPs’ security postures, ensuring compliance with the unique requirements of state and local government agencies. While FedRAMP focuses solely on federal agencies, StateRAMP serves as a vital resource for SLED agencies seeking secure cloud solutions, contributing to improving cybersecurity practices at the state and local levels.

Centraleyes for Government Cybersecurity

As you explore government cybersecurity frameworks, feel free to ask any questions about StateRAMP or other risk and compliance questions. We’re here to provide insights and support as you navigate the complex landscape of government cybersecurity requirements

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Want to talk to Centraleyes about StateRAMP?

Related Content

Authorization to Operate (ATO)

Authorization to Operate (ATO)

What is an ATO? An ATO is a hallmark of approval that endorses an information system…
Segregation of Duties

Segregation of Duties

What is the Segregation of Duties? Segregation of duties (SoD) is like a game of checks…
PCI Penetration Testing

PCI Penetration Testing

The March 31, 2024, deadline for PCI 4.0 has already passed, and organizations must be updated…
Skip to content