What is StateRAMP?
In 2011, the Federal Risk and Authorization Management Program (FedRAMP) established a standardized methodology for federal agencies to assess cloud service provider environments. Recognizing the value of this approach beyond the federal sector, the State Risk and Authorization Management Program (StateRAMP) emerged in 2021 for state, local, and education (SLED) agencies. StateRAMP is a 501(c)(6) nonprofit entity that aims to bolster cybersecurity practices across SLED agencies.
The StateRAMP initiative aligns with the Federal Information Processing Standards (FIPS) and the National Institute of Standards and Technology (NIST).
StateRAMP operates with two mandates:
- To ensure that service providers offering cloud-based solutions meet a defined cybersecurity standard. This assurance provides state and local governments with confidence in the data security capabilities of their chosen service providers.
- To verify that these service providers maintain a consistent level of cybersecurity throughout their service delivery. This ongoing validation instills trust among state and local governments and procurement officials, reaffirming their confidence in the data security practices of their selected service providers.
StateRAMP Compliance
StateRAMP compliance hinges on adhering to the stringent security requirements outlined in NIST 800-53, supplemented by StateRAMP-specific controls. Cloud service providers (CSPs) eyeing state and local government contracts must exhibit StateRAMP compliance, validated through an Authority to Operate (ATO). Achieving StateRAMP compliance involves a structured process, which we’ll delve into shortly.
Who Participates in StateRAMP?
Collaboration among the following entities is indispensable for StateRAMP to be effective:
- StateRAMP Program Management Office (PMO): Setting the course, the PMO crafts policies and procedures, ensuring uniform security standards adoption across agencies.
- SLED Agencies: These agencies, driven by cybersecurity imperatives, seek cloud solutions meeting predefined security baselines. They endorse CSPs through the ATO issuance process, with 23 states participating in StateRAMP.
- StateRAMP Assessment Organizations: Accredited by the American Association for Laboratory Accreditation (A2LA), these organizations conduct independent assessments that are pivotal in validating CSPs’ compliance.
- StateRAMP Service Providers: CSPs, the backbone of the initiative, provide scalable computing resources to businesses, offering Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions.
Paths to StateRAMP Certification
CSPs embarking on the StateRAMP compliance journey can opt for two paths:
- SLED Agency Sponsorship: CSPs secure an ATO directly when collaborating with an SLED agency willing to sponsor their compliance efforts.
- StateRAMP Approvals Committee Authorization: In cases where no sponsoring agency is available, the StateRAMP Approvals Committee serves as the sponsor, evaluating CSPs’ security postures against StateRAMP requirements.
Authorized Products
StateRAMP’s verification process ensures that products or services meet minimum security requirements and undergo an independent audit by a Third-Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses: Ready, Provisional, and Authorized.
- Ready Status: Products achieving the Ready status meet the requirements outlined in the Minimum Mandatory Requirements Policy established by StateRAMP. This status signifies that the product has undergone initial assessments and is deemed ready for further evaluation.
- Provisional Status: Provisional status may be granted to a product by a sponsoring government entity or the StateRAMP Approvals Committee. This status is assigned to products that meet the authorization requirements but have one or more interconnected technologies that are not yet StateRAMP or FedRAMP Authorized. The technology must have a current StateRAMP Security Snapshot to attain provisional status, per the StateRAMP Authorization Boundary Guidance.
- Authorized Status: The highest level of authorization, Authorized status, is reserved for products that have demonstrated compliance with all required security controls, categorized by impact level. Products achieving Authorized status have undergone comprehensive assessments and have been deemed secure for use within government environments.
List of StateRAMP States
| Government/Organization Name | State | Entity Type |
|---|---|---|
| State of Alabama | Alabama | State |
| State of Arizona | Arizona | State |
| City of Chandler | Arizona | Local |
| State of Arkansas | Arkansas | State |
| Arkansas – Administrative Office of the Courts | Arkansas | State |
| Spring Hill Public Schools | Arkansas | K-12 |
| Genoa Public Schools | Arkansas | K-12 |
| Arapahoe County | Colorado | Local |
| State of Colorado | Colorado | State |
| State of Florida | Florida | State |
| Hillsborough County Sheriff’s Office | Florida | Local |
| Palm Beach Gardens | Florida | Local |
| State of Georgia | Georgia | State |
| City of Fishers | Indiana | Local |
| Johnson County Park and Recreation District | Kansas | Local |
| State of Kansas | Kansas | State |
| State of Maine | Maine | State |
| State of Massachusetts | Massachusetts | State |
| State of Michigan | Michigan | State |
| State of Minnesota | Minnesota | State |
| State of Missouri | Missouri | State |
| State of Nebraska – Judicial Branch | Nebraska | State |
| Nebraska Cybersecurity Network for Education | Nebraska | K-12 |
| State of Nevada | Nevada | State |
| State of New Hampshire | New Hampshire | State |
| New Jersey Cybersecurity & Communication Cell | New Jersey | State |
| State of New York | New York | State |
| New York State Local Government IT Directors’ Assoc. | New York | Local |
| State of North Carolina | North Carolina | State |
| University of North Carolina System | North Carolina | Higher Education |
| State of North Dakota | North Dakota | State |
| State of Ohio | Ohio | State |
| State of Oklahoma | Oklahoma | State |
| State of Oregon | Oregon | State |
| Richard Bland College of William and Mary | Virginia | Higher Education |
| State of Texas | Texas | State |
| Clarendon College | Texas | Higher Education |
| Texas A&M AgriLife | Texas | Higher Education |
| Sacramento County | California | Local |
FedRAMP vs. StateRAMP
StateRAMP and FedRAMP are both initiatives aimed at bolstering cybersecurity in government agencies, but they target different levels of government and operate with distinct methodologies. FedRAMP, established in 2011, focuses on standardizing security assessments for cloud service providers (CSPs) seeking to offer services to federal agencies. FedRAMP sets rigorous security standards based on NIST guidelines and conducts thorough assessments through accredited Third-Party Assessment Organizations (3PAOs). Its centralized approach enables federal agencies to adopt secure cloud solutions from authorized CSPs.
In contrast, StateRAMP, launched in 2021, caters specifically to state, local, and education (SLED) agencies, addressing the cybersecurity needs of governments beyond the federal level. Operating as a nonprofit organization, StateRAMP tailors its assessment framework to align with federal standards while incorporating StateRAMP-specific security controls. The initiative offers a standardized methodology for evaluating CSPs’ security postures and ensuring compliance with the particular requirements of state and local government agencies. While FedRAMP focuses solely on federal agencies, StateRAMP serves as a vital resource for SLED agencies seeking secure cloud solutions, helping to improve cybersecurity practices at the state and local levels.
Centraleyes for Government Cybersecurity
As you explore government cybersecurity frameworks, feel free to ask any questions about StateRAMP or other risk and compliance questions. We’re here to provide insights and support as you navigate the complex landscape of government cybersecurity requirements.