
Publication date: March 24, 2023

The StateRAMP Review Process



Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and a board member and treasurer at the CIO Council of South Florida.

Founded in 2020, the State Risk and Authorization Management Program (StateRAMP) aims to help state and local governments in the United States manage the risks of using cloud services. Who does the StateRAMP review process apply to? If your firm is already a FedRAMP-authorized provider, it makes sense to consider StateRAMP as well. In particular, if your organization plans to engage with or submit proposals to local or state governments, registering as a StateRAMP member reduces the duplicated internal reporting that multiple engagements would otherwise require.

StateRAMP is an IT security review process modeled after its federal counterpart, FedRAMP. It is tailored to state and local governments and raises the standard of cloud security at that level. Besides providing a comprehensive security framework to improve cloud security, the main objectives of the newer StateRAMP program are to:

  • Protect civilian data at the state and local government level
  • Prevent/reduce the strain of cyberattacks and recovery on municipalities
  • Create a secure framework that is economical for the service provider and the taxpayer
  • Provide a platform for cybersecurity education efforts in the government sector

StateRAMP Security Controls are defined in three categories:

  • Low: Aligned with NIST Low Impact Control Baselines
  • Low+: Aligned with NIST Low Impact Control Baselines, with additional Moderate Impact Control Baselines for added security
  • Moderate: Aligned with NIST Moderate Control Baselines

It is the goal of StateRAMP to give the state or local government Authorizing Body the flexibility to require additional controls as appropriate.

Holding StateRAMP status greatly increases a company’s security reputation and instills a greater level of user and consumer trust. The program is quickly gaining traction and is currently active in 18 states.

Figure: StateRAMP participating governments

On both the federal and state levels, the security processes are built on a foundation originally laid by the National Institute of Standards and Technology (NIST). Both programs are currently adopting Revision 5 of the NIST control baselines. Continuing their similarities, it is important to note that assessments by an independent Third Party Assessment Organization (3PAO) must be conducted and maintained under both programs.

While the two processes share the same roots, there are some distinct differences between StateRAMP and FedRAMP. One influential difference is that StateRAMP is a non-profit 501(c) organization, which gives local and state governments visibility into providers' continuous monitoring and maintenance. FedRAMP receives government funding from the Office of Management and Budget, and a provider's security posture is visible only to the federal entities that engage with that provider.

The StateRAMP process works to align state and local governments, cloud service providers, and assessment organizations, with the end goal of minimizing cyber risk through a standardized approach to verifying and continually reviewing security postures.

Below are some additional comparisons between StateRAMP and FedRAMP.

Fig. 1 – StateRAMP and FedRAMP comparisons

Elevate is knowledgeable and ready to assist in preparation for the security assessment and PMO review that is required to become a StateRAMP member. Connect with our team to get started on your StateRAMP certification.
