StateRAMP is an organization that has developed a cloud cybersecurity and compliance program that provides a state-level equivalent to the Federal Risk and Authorization Management Program (FedRAMP). It is a state-level certification program that allows cloud service providers to be assessed and authorized to operate in a state’s cloud environment. It is designed to be similar to FedRAMP, but tailored to the specific needs of individual states. StateRAMP allows cloud service providers to meet the security requirements of multiple states by obtaining a single certification, rather than having to go through a separate certification process for each state. The goal of StateRAMP is to make it easier for cloud service providers to do business with state governments and to increase the use of cloud services by state agencies.

Unlike FedRAMP, which is managed and administered by a US Federal Agency, StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. StateRAMP is not endorsed by or affiliated with FedRAMP or the United States Government.

Cloud Service Providers (CSP) interested in getting StateRAMP certified and compliant, must follow the process established by the StateRAMP PMO. In many respects, the process is similar to FedRAMP which include the following keys activities and steps.

  • Have a compliant architecture that meets NIST SP 800-53 control baselines
  • Develop a compliance package with documentation that include policies, procedures and plans
  • Implement a strong continuous monitoring and reporting program and
  • Conduct an independent assessment by a 3PAO organization

In addition to the steps listed above, the Cloud Service Provider (CSP) must obtain a State sponsor to be formally authorized. Similar to the FedRAMP Marketplace, StateRAMP maintains the Authorized Products List (APL). Each listed cloud service can have one of six security statuses are recognized on the Authorized Product List (APL). These status values indicate whether the cloud service in question is progressing towards verified offerings and the level of verification by their sponsor.

About stackArmor

stackArmor’s ThreatAlert(R) ATO Accelerator helps reduce the time and cost of StateRAMP ATOs by 40% by delivering a compliant architecture, complete documentation package and continuous monitoring services using cloud-native automation. Please contact us to schedule a free briefing on how we can assist with your StateRAMP or FedRAMP initiatives.