StateRAMP Compliance: Process, Requirements, Benefits

Pansy

Jan 17, 2025

Like all organizations, government agencies use cloud solutions. StateRAMP provides a ‘verify once, serve many’ model that lets these agencies trust their third-party service providers.

In this article, we’ll learn all about StateRAMP, including who requires it, who its members are, the compliance process, its security statuses, and its benefits and challenges.  

TL;DR

Compliance with StateRAMP requirements is mandatory for cloud service providers working with state and local governments.

StateRAMP provides comprehensive security standards for data protection, access management, vulnerability and risk management, incident response, and code security.

Becoming authorized includes getting a membership, conducting two reviews with 3PAOs, submitting review forms, and continuously monitoring controls. 

What is StateRAMP?

StateRAMP, or State Risk and Authorization Management Program, is a 501(c)(6) nonprofit that sets cybersecurity standards for cloud solutions associated with state and local governments in the U.S.

StateRAMP aims to help government agencies, public education, and special districts protect citizen data, save costs, reduce government burdens, and promote cybersecurity best practices. Its security verification model is based on NIST 800-53 Rev. 4, the same standard used for FedRAMP, the federal equivalent.

Do you need StateRAMP compliance, and why?

Your organization will need StateRAMP compliance if it provides cloud services to state and local governments, public education institutions, or special districts. 

Your services would then be held to standardized security requirements for handling and processing sensitive government data such as PII, PHI, and payment card information (PCI).

StateRAMP compliance protects citizen data and simplifies the process of doing business with multiple government entities by verifying your security posture.

How does StateRAMP work: Members and security statuses

StateRAMP follows the NIST 800-53 Rev. 4 controls, requiring cloud service providers (CSPs) to undergo third-party assessments to achieve “Ready,” “Provisional,” or “Authorized” status.

As per the official website, some of the participating member states under StateRAMP are:

Security statuses under StateRAMP

StateRAMP regularly updates the authorized products list on its website according to each product’s security status. There are three categories:

  1. Ready: These products meet the Minimum Ready Mandatory Requirements and are preparing for full assessment.
  2. Provisionally authorized: This is assigned when a product meets most authorization requirements but relies on an interconnected technology that is not yet StateRAMP or FedRAMP Authorized. The technology must have a current StateRAMP Security Snapshot.
  3. Authorized: This is the highest level for products that comply with all required cloud security controls by impact level and maintain continuous monitoring.

Products can also achieve ‘Authorized, Federal JAB’ status if they are approved by both StateRAMP and the FedRAMP Joint Authorization Board (JAB), which reflects rigorous compliance and security validation.

Minimum mandatory requirements under StateRAMP security standards

The minimum mandatory requirements define the baseline security practices a CSP must have in place before it can pursue StateRAMP status.

Here is an overview of the requirements under StateRAMP for achieving Ready status for moderate and high impact levels:

1. Security controls and data protection

StateRAMP requirements prioritize cryptographic and external DNS security. For example, you must implement AES-256 encryption for data protection and use TLS (Transport Layer Security) 1.2 or 1.3 for secure communication. You must also enable DNSSEC support in external DNS solutions.

Furthermore, businesses must secure the separation of customer data and protect audit information from unauthorized access or modification.

2. Access management and authentication

While preparing for StateRAMP, you must enforce logical access control policies to restrict system access to authorized personnel only. Limit invalid login attempts and require multi-factor authentication (MFA) for administrative accounts.

3. Vulnerability and risk management

Use updated vulnerability scanners and promptly address vulnerabilities using the following guidelines: 

  • High risks must be resolved within 30 days
  • Moderate risks must be resolved within 90 days
  • Low risks must be resolved within 180 days
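As an added example (not from the original article or from StateRAMP), the following Python script applies the three remediation windows above to a constructed scanner export and reports which findings are overdue. Severities outside the three tiers the text names are flagged for manual triage rather than silently assigned a window; the finding dicts and the `SAMPLE_TODAY` reference date are assumptions made for this example.

```python
from datetime import date, timedelta

# Remediation windows (in days) stated in the StateRAMP minimum requirements.
REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}


def triage_findings(findings, today):
    """Classify each finding against its StateRAMP remediation window.

    findings: dicts with 'id', 'severity', 'first_seen' (ISO date) and an
    optional 'resolved' (ISO date). Returns one dict per finding with the
    deadline, days remaining (negative once overdue) and a status string.
    """
    report = []
    for f in findings:
        sev = str(f.get("severity", "")).strip().lower()
        if sev not in REMEDIATION_WINDOW_DAYS:
            # Scanner tiers such as "critical" have no window in the text;
            # policy must map them explicitly, so flag for manual triage.
            report.append({"id": f["id"], "status": "needs-triage",
                           "deadline": None, "days_remaining": None})
            continue
        first_seen = date.fromisoformat(f["first_seen"])
        deadline = first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[sev])
        if f.get("resolved"):
            resolved = date.fromisoformat(f["resolved"])
            days_remaining = (deadline - resolved).days
            status = "resolved-on-time" if days_remaining >= 0 else "resolved-late"
        else:
            days_remaining = (deadline - today).days
            status = "overdue" if days_remaining < 0 else "open"
        report.append({"id": f["id"], "status": status,
                       "deadline": deadline.isoformat(),
                       "days_remaining": days_remaining})
    return report


def overdue_ids(findings, today):
    """IDs of unresolved findings that have blown their StateRAMP window."""
    return sorted(r["id"] for r in triage_findings(findings, today)
                  if r["status"] == "overdue")


# Constructed sample export and reference date (not real scanner data).
SAMPLE_TODAY = date(2025, 1, 17)
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "High", "first_seen": "2025-01-01"},
    {"id": "F-2", "severity": "moderate", "first_seen": "2024-10-01"},
    {"id": "F-3", "severity": "low", "first_seen": "2024-09-01", "resolved": "2025-01-10"},
    {"id": "F-4", "severity": "critical", "first_seen": "2025-01-05"},
]

if __name__ == "__main__":
    for row in triage_findings(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(row)
```

Feeding the report into a POA&M tracker gives you the evidence of on-time remediation that the continuous monitoring submissions later in this article ask for.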

If your system contains non-essential services, ports, and functions, disable them and scan your systems to verify their configuration settings. Then follow a formal change control process, including a security impact assessment for each change.

4. Incident response and recovery

Incident response management is a core part of any cybersecurity program. Conduct regular penetration testing to find weaknesses before a breach does, and maintain a comprehensive incident response plan.

Implement solutions to detect, contain, and eradicate malicious software. Also, don’t forget to focus on business continuity solutions. Ensure regular system data backups, maintain recovery capabilities, and establish backup telecommunication and power systems.

5. Infrastructure management

StateRAMP requires you to maintain an up-to-date inventory of all system components. You also need regular system maintenance to identify potential vulnerabilities and ensure systems function optimally.

Regarding physical security, you need to restrict physical access to systems to authorized personnel while actively monitoring and responding to intrusion alarms.

6. Personnel and code security

Take a proactive approach to personnel security by conducting exit interviews with all departing employees. Any security-related items, such as access cards and keys, must be retrieved to protect sensitive information.

Apart from effective personnel security, StateRAMP also focuses on code security. Here are some suggestions:

  • Static analysis: Use automated tools to scan for vulnerabilities in code
  • Peer reviews: Conduct code reviews to catch security risks
  • Update dependencies: Regularly patch third-party libraries
  • Access control: Restrict code repository access to authorized users
  • Secure coding: Follow guidance such as the OWASP Top 10 to prevent common vulnerabilities
  • Testing: Perform regular penetration tests to find and fix issues
  • Version control: Track code changes and assess security impacts

How can CSPs become StateRAMP authorized?

After you’ve completed the minimum requirements listed above, you can move on to the actual process of getting into the authorized products list under StateRAMP. 

We’ve read the CSP StateRAMP Get Started Guide and have compiled actionable and easy-to-understand steps for achieving StateRAMP compliance:

1. Get your StateRAMP membership

Before doing anything, the first step is to become a StateRAMP member. Service providers can get membership for the whole organization with no limit to the number of products listed. 

On the official website, there are four types of membership registrations you can opt for: 

  • Basic ($1,500/year): This plan provides a standardized approach to cloud security, guided participation in the StateRAMP Security Snapshot Program, product listing on the Authorized Product List, transferable credentials, access to the complete Member Directory, and one member rate for the Annual Summit.
  • Prime ($2,500/year): It includes all Basic benefits, plus two member rates for the Annual Summit, access to RAMPxchange at no additional cost, and bi-annual calls with StateRAMP executive staff.
  • Premier ($10,000/year): All Prime benefits, with additional perks such as four member rates for the Annual Summit, a social media spotlight or blog panelist feature, invitations to special roundtables with government members, first right of refusal for event sponsorships, and a special listing on the website; limited to 25 active memberships annually.
  • Champion (Limited Availability): All Premier benefits, plus six member rates for the Annual Summit, opportunities to be a guest speaker in a bi-annual virtual education series, and monthly one-on-one calls with the StateRAMP Executive Director.

Once done, your organization will get added to the member directory.

2. Choose a security category

Identify the necessary security category for the data being handled using the Data Classification Tool or as specified by government requirements. If you already have a FedRAMP certification, you can leverage it to streamline this process.

Note

If a service provider’s IaaS, PaaS, or SaaS solution has FedRAMP Ready, P-ATO, or ATO status, it can be reviewed through the StateRAMP Fast Track process without additional security assessments. The CSP must first become a StateRAMP member and submit the appropriate Review Request Form based on their engagement with government or educational institutions.

3. Complete the initial security assessment (Ready review)

For your ‘Ready review,’ you must engage a StateRAMP-approved 3PAO (Third-Party Assessment Organization). Examples include 360 Advanced, Coalfire, ControlCase, etc. You can find the complete list on the StateRAMP website.

Next, you need to prepare the StateRAMP System Security Plan (SR-SSP) and any other documents your chosen 3PAO requests. Complete and submit the request form on the website and pay the review fee. Your product then receives ‘Pending Ready’ status.

If your 3PAO confirms readiness, and the StateRAMP PMO (Program Management Office) verifies and resolves any issues, your status will be updated to ‘Active’ on the AVL (Authorized Vendor List).

4. Complete the authorization review

Next is the ‘Authorization review’. In this step, you select a 3PAO again for the final assessment; it can be the same one or a different one.

Prepare additional documents such as the StateRAMP Security Controls Template (SR-SCT), the Plan of Action and Milestones (POA&M), and anything else requested by the 3PAO. After that, submit the authorization review request form and pay the fees for your comprehensive review.

If all your controls are met, you’ll achieve the ‘Authorized’ status in the AVL; if minimum controls are deemed sufficient, you’ll get ‘Provisional’ status.

5. Monitor security activities continuously

The StateRAMP compliance process doesn’t end with getting authorized. To maintain your security status, you’ll need to submit monthly, quarterly, and annual reports. These reports mainly focus on continuous monitoring of your controls. 

You must also pay a continuous monitoring fee, either in whole or in part, at the beginning of every quarter.

What is the difference between StateRAMP and FedRAMP?

StateRAMP and FedRAMP (Federal Risk and Authorization Management Program) are frameworks designed to ensure cloud service providers (CSPs) meet rigorous security standards for handling government data, but they serve different levels of government.

FedRAMP standardizes security assessments for CSPs working with federal agencies based on NIST 800-53 controls, whereas StateRAMP is tailored for state and local governments. 

What are the benefits of getting StateRAMP authorization?

The key benefits of getting StateRAMP authorization include:

1. Increased market access: StateRAMP authorization opens doors to more contracts and partnerships with state and local governments for cloud service providers.

2. Aligns with other federal standards: StateRAMP’s alignment with NIST 800-53 makes compatibility easier with federal security frameworks like FedRAMP. It becomes advantageous for CSPs aiming to serve both state and federal clients.

3. Provides ongoing support: StateRAMP provides continuous monitoring and support, helping CSPs maintain their security status and swiftly address emerging issues.

4. Builds trust and credibility: StateRAMP authorization demonstrates a commitment to high security standards. It enhances the CSP’s reputation and builds trust with government clients.

Challenges faced while preparing for StateRAMP

StateRAMP is a rigorous authorization process requiring extensive documentation and back-and-forth communication with 3PAOs. It involves several key challenges that organizations must navigate:

1. Time-consuming: Conducting a thorough gap analysis between current security practices and StateRAMP’s required controls can be time-consuming. The process includes two types of reviews, which adds to the time constraint. 

2. High on costs: Preparing for and achieving StateRAMP certification can be expensive, especially when factoring in the cost of audits, consulting services, staff time, and potential technology upgrades.

3. Multiple documentation & evidence gathering: This includes preparing security policies, procedures, and logs, as well as demonstrating compliance with controls through audits, assessments, and other proofs.

4. Ongoing maintenance: The monthly, quarterly, and annual monitoring reports can be challenging, particularly as security landscapes evolve.

Integrating StateRAMP compliance with existing systems

Many organizations struggle to integrate StateRAMP requirements into their risk management and compliance systems. Aligning StateRAMP with other certifications or frameworks (such as SOC 2, ISO 27001, or FedRAMP) can introduce complex workflows. 

A smarter solution to this would be to adopt a standard controls framework. Compliance automation solutions (such as Sprinto) usually enable this to reduce redundant work around control mapping. 

Sprinto identifies overlapping controls across different certifications and provides a more straightforward path for audit readiness. Automation reduces the manual effort in tracking control adherence, evidence submission, and audit preparation.

By leveraging such solutions, CSPs can accelerate the certification process and maintain ongoing compliance with minimal overhead. 

Frequently asked questions

1. How much does achieving StateRAMP compliance cost?

The cost of achieving StateRAMP compliance can start from around $76,500; maintaining it may cost you around $6,500 or more. This excludes potential system upgrades, employee training, and other indirect expenses. It depends on your organization’s size, system complexity, and the desired security status.

2. Is StateRAMP worth it?

If you’re a cloud service provider looking to sell to government entities, especially at the state level, StateRAMP compliance is highly beneficial. While the upfront cost and resource investment can be substantial, the long-term advantages make it worthwhile for many providers.

3. What are 3PAOs?

3PAOs (Third-Party Assessment Organizations) are accredited independent organizations that conduct assessments to verify an organization’s compliance with StateRAMP security requirements. 

4. Do all cloud service providers in the US need StateRAMP?

No, not all cloud service providers in the US are required to achieve StateRAMP compliance. However, if the provider plans to work with government agencies that require a secure, standardized framework, StateRAMP compliance is typically mandatory. 

5. What is the difference between SOC 2 and StateRAMP?

SOC 2 focuses on managing customer data based on five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy), typically for SaaS companies. In contrast, StateRAMP ensures cloud services meet specific security standards for state and local governments, mirroring the federal FedRAMP framework but tailored for state-level requirements.

Pansy
Pansy is an ISC2 Certified in Cybersecurity content marketer with a background in Computer Science engineering. Lately, she has been exploring the world of marketing through the lens of GRC (Governance, risk & compliance) with Sprinto. When she’s not working, she’s either deeply engrossed in political fiction or honing her culinary skills. You may also find her sunbathing on a beach or hiking through a dense forest.
