Publication date: June 16, 2022

FedRAMP Makes Way for the New StateRAMP Review Process

StateRAMP is an IT security review process modeled after its federal counterpart, FedRAMP. It is tailored to state and local governments, and its purpose is to raise the standard of cloud security at the state and local level.

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and a board member and treasurer at the CIO Council of South Florida.

Move over FedRAMP and make room for the State Risk and Authorization Management Program (StateRAMP). Who does the StateRAMP review process apply to? If your firm is already a FedRAMP provider, it makes sense to consider StateRAMP as well. In particular, if your organization plans to engage with, or submit proposals to, a local or state government, it is advisable to register as a StateRAMP member, since a single membership reduces the internal reporting burden across multiple engagements.

Beyond providing a comprehensive security framework to improve cloud security, the main objectives of the newer StateRAMP program are to:

  • Protect civilian data at the state and local government level
  • Prevent, or reduce the strain of, cyberattacks and recovery efforts on municipalities
  • Create a secure framework that is economical for both the service provider and the taxpayer
  • Provide a platform for cybersecurity education efforts in the government sector

At both the federal and state levels, the security processes are built on a foundation originally laid by the National Institute of Standards and Technology (NIST), and both programs are currently incorporating the latest revision of that foundation, NIST SP 800-53 Revision 5. Continuing the similarities, it is important to note that in both programs an audit by an independent Third Party Assessment Organization (3PAO) must be conducted and then maintained on an ongoing basis.

While the two processes share the same roots, there are some distinct differences between StateRAMP and FedRAMP. One major difference is that StateRAMP is a 501(c) non-profit, which gives participating state and local governments shared visibility into a provider's security posture for continuous monitoring and maintenance. FedRAMP, by contrast, is funded by the federal government through the Office of Management and Budget, and a provider's security posture is visible only to the federal entities that engage with that provider.

The StateRAMP process works to align state and local governments, cloud service providers, and assessment organizations around a common goal: minimizing cyber risk by creating a standardized approach for verifying and continually reviewing providers' security postures.

Below are some additional points of comparison between StateRAMP and FedRAMP.

[Fig. 1 – StateRAMP and FedRAMP comparisons (figure image not reproduced here)]

Elevate is knowledgeable and ready to assist in preparation for the security assessment and PMO review that is required to become a StateRAMP member. Contact our group of professional IT Consultants TODAY to get started on your StateRAMP certification.
