What Are Core Documents for StateRAMP Authorization?

StateRAMP Documentation Featured

StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements. 

Here, we summarize the documents you must complete as part of your StateRAMP assessment process.


What Is StateRAMP?


StateRAMP is a thorough screening process for cloud service providers (CSPs). It checks that they meet certain security criteria before they’re cleared to provide services to state and local governments. Think of it as the counterpart to the FedRAMP, tailored for state and local levels. Achieving StateRAMP authorization involves several critical steps:

  • Standardized Security Framework: StateRAMP sets the bar with a uniform security assessment framework, drawing from top-tier federal guidelines. This includes a thorough process for authorization and ongoing monitoring of cloud products and services.
  • Cloud Service Evaluation: CSPs must pass a detailed evaluation to prove they’re up to par. This checks their alignment with the security controls from NIST Special Publication 800-53, usually carried out by an independent third-party assessment organization (3PAO).
  • Documentation and Approval Process: To get the green light, CSPs must present key documents like their System Security Plan, internal Policies and Procedures, and a Risk Assessment Report.
  • Ongoing Security Vigilance: CSPs aren’t off the hook after getting the thumbs up. They must constantly monitor their security measures to hold onto their StateRAMP status. This means regular updates and reports to stay ahead of any emerging security threats.
  • Advantages for Government and CSPs: StateRAMP gives state and local governments the confidence to use highly secure cloud services. For CSPs, it’s a ticket to new opportunities in the government arena, showcasing their dedication to top-notch security standards.


What Documents Do CSPs Need to Complete for StateRAMP Authorization?

StateRAMP, as a compliance framework, uses several written artifacts to structure assessments. Cloud providers and their 3PAOs will create and complete these documents to show that the organization meets specific requirements. These documents map onto a process that includes preparation, assessment, and ongoing monitoring. 

These documents will typically include the following:

Pre-Assessment Phase

  • System Security Plan (SSP): A detailed description of the cloud service offering, including how the organization implements security controls per NIST standards. It should cover the system boundary, data flow, and operational context.
  • Policies and Procedures: Document internal policies and procedures related to security, privacy, incident response, and operational controls to ensure that the CSP has well-defined guidelines for maintaining security and compliance. Unlike a control listing, this document provides evidence that security is implemented as standard practice throughout the organization. 
  • Risk Assessment Report: An analysis of potential threats and vulnerabilities specific to the CSO. It should include methodologies used for risk assessment.


Assessment/Authorization Phase

  • Security Assessment Plan (SAP): This is a comprehensive blueprint detailing the approach, specific test scenarios, and anticipated results for evaluating the security measures in place. Crafted by the 3PAO, the SAP serves as a roadmap for the assessment, guaranteeing a detailed and uniform examination of the CSO’s security safeguards.
  • Security Assessment Report (SAR): The results of the security assessment are provided by the 3PAO, detailing the effectiveness of each security control and any findings or deficiencies. This document follows explicitly from the SAP and documents the outcome of the security assessment, providing evidence of compliance or areas needing improvement.
  • Plan of Action and Milestones (POA&M): A list of deficiencies found during the assessment, along with proposed corrective actions, timelines, and responsible parties. This is a stop-gap for organizations with some issues in their evaluation and need a plan to remediate before authorization. Sometimes, depending on the plan, the Authorization process can continue while the POA&M is enacted.
  • Rules of Behavior (RoB): Central to a cloud service provider’s security protocol, especially under StateRAMP for state and local government collaborations, the Rules of Behavior document sets clear guidelines. It details the conduct, duties, and practices required of everyone interacting with the CSP’s systems and data, ensuring consistent and secure usage across the board.
  • The Privacy Impact Assessment: This assessment is critical to cloud service providers’ overall security and compliance framework, especially when handling data for state and local governments.


Post-Assessment Phase

  • Continuous Monitoring Strategy: Like many security frameworks, StateRAMP requires a strategy for ongoing monitoring of the security controls, including frequency of assessments, types of monitoring activities, and reporting procedures. This document ensures the CSP maintains its security posture and compliance over time, adapting to new threats and environmental changes.
  • Incident Response Plan: This document lays out the strategies for identifying, addressing, and recovering from security breaches. This plan will include guidelines, roles, responsibilities, and procedures that the organization will rely on in the event of a security incident.
  • Contingency Plans: StateRAMP includes separate types of contingency plans, including the IT Contingency Plan (a comprehensive document that outlines procedures and measures to be taken in the event of a significant disruption to information technology services) and the Information System Contingency Plan (designed to ensure that the CSP can effectively respond to and recover from incidents that impact the availability, integrity, or confidentiality of the information systems and data they manage).

Each document plays a critical role at different stages, from preparing for the assessment to maintaining compliance post-authorization. CSPS needs to understand the requirements and significance of each document to navigate the StateRAMP authorization process successfully.


Stay On Top of StateRAMP Authorization with Continuum GRC

Working to obtain or maintain NIST or FedRAMP compliance? Work with Continuum GRC.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC



StateRAMP, System Security Plans, and the Operational Control Matrix - Continuum GRC

[…] is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and […]

StateRAMP, System Security Plans, and the Operational Control Matrix -

[…] is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and […]