What Is the StateRAMP Security Assessment Framework?


StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. 

In this article, we’ll talk about the basics of StateRAMP, specifically the Security Assessment Framework, and the processes and documents required therein.


What Is StateRAMP?

In the interest of national security and the well-being of American businesses, citizens, and government agencies, Congress and associated security agencies have built a web of cybersecurity frameworks and guidelines. These regulatory frameworks ensure that the organizations that adopt them can have a firmer footing against hacks and state-sponsored cyber terrorism. 

While it’s feasible to implement national security frameworks that all agencies must follow, it’s not quite as easy at the state level, where local governments have independent requirements–independence that can significantly impact the adoption of helpful security measures.

The StateRAMP program intends to rectify this. StateRAMP was founded in early 2020 as a private-sector project to take government cybersecurity regulations around cloud computing and translate them to the state level. 

StateRAMP draws both its security model and its namesake from the Federal Risk and Authorization Management Program (FedRAMP), the federal regulation applying security requirements to Cloud Service Providers (CSP) offering products to federal agencies. FedRAMP draws from NIST Special Publication 800-53, among other documents, to derive a tiered approach to security based on the sensitivity of government agencies and the data they manage.

Likewise, StateRAMP draws more broadly from NIST SP 800-53 and FedRAMP to define its security framework. Some of the commonalities include:

  • Impact Levels: FedRAMP uses impact levels to denote the sensitivity of the data managed by the CSP and, thus, the types of security controls they must implement. At the federal level, impact levels are tiered as Low, Moderate, and High. StateRAMP uses Impact Levels as well. These levels map to FedRAMP as StateRAMP Low (FedRAMP Low), StateRAMP Moderate (FedRAMP Low with some Moderate controls), and StateRAMP High (FedRAMP Moderate). 
  • Third-Party Assessment: Both FedRAMP and StateRAMP require an outside, third-party assessor to certify that an organization meets the requirements of the regulations. For StateRAMP, an accepted FedRAMP 3PAO is considered an accepted StateRAMP 3PAO.
  • Authorized Providers and Products: FedRAMP provides a directory known as the FedRAMP Marketplace so that agencies can quickly determine if a company is authorized or not. Likewise, StateRAMP has the Authorized Product List, a directory of technologies and solutions that have undergone StateRAMP Authorization.

As of 2022, several states have adopted StateRAMP requirements, including Texas, California, and New York. Likewise, major technology companies like BlackBerry, Box, Zoom, and Avaya have already completed their StateRAMP Authorization.


What Is the StateRAMP Security Assessment Framework?


The StateRAMP security model is based on NIST 800-53, a core document for national cybersecurity and an inventory of critical security controls used in regulations like FISMA, FedRAMP, and others. The framework also draws from a collection of NIST standards, including the NIST Risk Management Framework.

More specifically, the process is broken down into four steps:



At this stage, the state or local government agency, and the provider, identify the demands of the cloud service needed–namely, the type of data being stored, and the subsequent security required. 

Some of the components of this step include:

  • Determining Impact Level: The government agency and the provider will consult NIST SP 800-60 to determine the appropriate impact level. Additionally, the CSP may integrate additional controls from other frameworks, depending on the data type and/or industry. Organizations can consult the StateRAMP Data Classification Tool and Security Base Control Templates to determine their appropriate control level. 
  • Implementing Security Controls: Depending on the impact level, the provider must implement the proper cybersecurity controls. They may report these in the StateRAMP reporting templates if the controls are already implemented. If the provider does not, or cannot, implement a specific control, they must justify that lack of implementation for approval by the StateRAMP Project Management Office (PMO).
  • System Security Plan (SSP): The provider must provide an SSP that documents all systems and controls meeting the requirements of their impact level.



As the name suggests, this stage involves the assessment of the provider. StateRAMP, like FedRAMP, doesn’t allow self-certification or reporting; CSPs and agencies must rely on 3PAOs for their audit. 

The crucial parts of this stage include:

  • 3PAOs: A CSP seeking StateRAMP Authorization must use an authorized FedRAMP 3PAO. This organization will complete a Readiness Assessment Report (RAR) to determine if the CSP is ready for their assessment (and, upon completion, the provider will be listed as StateRAMP Ready). 
  • Security Assessment Plan (SAP): Once the CSP is ready for assessment, the 3PAO creates an SAP defining how they will conduct their assessment. This test plan will outline the methodology and techniques used to conduct their evaluation.
  • Security Assessment Report (SAR): Upon completion of the assessment, the 3PAO will complete a SAR to determine the provider’s overall risk posture and compliance. 



Once the assessment has been completed, it is up to the StateRAMP PMO to authorize the provider. 

  • Plan of Action and Milestones (POA&M): After the provider receives the SAR, they will take any areas of concern (those that need to be remediated or brought up to standard) and create a POA&M. This report includes an acknowledgment of the issue, the plan of action to correct the issue, and the timeline for this correction. This timeline will extend into the continuous monitoring phase.
  • Submission: The provider, now armed with the assessment and their plan of action, will put together their package of documents to submit to the PMO for Authorization. These include those completed by the 3PAO (the RAR, the SAP, and the SAR) and those completed by the provider (the SSP and the POA&M). 
  • Review: The StateRAMP PMO and the Approvals Committee review the provider’s package and decide whether to award Authorization. At this point, if the provider is approved, then they are listed on the Authorized Product List. 

Note: Once the provider is approved, their status can be revoked if they fail to meet their requirements. The StateRAMP PMO or the authorizing agency (the partner agency working with the provider) may consult with an Appeals Committee to consider revocation. Once Authorization is revoked, the CSP is removed from the Authorized Product List.



Like FedRAMP Authorized CSPs, StateRAMP providers must continuously monitor their systems to ensure they still meet StateRAMP requirements. This includes:

  • Updates: The CSP will provide reports as part of a monthly monitoring plan, including a monthly executive summary and an update on the POA&M (if relevant). Additionally, the CSP will deliver the results of an annual review of ⅓ of their security controls conducted by the 3PAO.
  • Significant Changes: If the CSP makes any “significant changes” to security controls or infrastructure, they must report them to the PMO and any authorizing body within 30 days. 
  • Incident Response: Providers should have incident response plans as part of their SSP. In the event of significant security incidents affecting StateRAMP components, the StateRAMP PMO may request a review of Authorization to determine continued fitness. 


Get Ready for StateRAMP Authorization with Continuum GRC

StateRAMP is quickly becoming a popular framework for CSPs that want to work in the evolving state and local government tech marketplace. Likewise, these government agencies are increasingly looking for providers that can help them modernize their services. 

Continuum GRC is a cloud-based platform that provides a risk- and compliance-based approach to assessments. Our tools are FedRAMP and StateRAMP authorized, and we have decades of experience in the government cybersecurity industry. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • DFARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2, SOC 3
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.