StateRAMP Authorized/Provisionally Authorized Status

Attain the Highest Level of Security in StateRAMP

Gain a Competitive Edge With Higher Authorization

To achieve StateRAMP Authorized status, providers must complete all necessary documentation, including a 3PAO security assessment report. Government sponsorship is required to obtain Authorized status, with both the StateRAMP Project Management Office and the sponsoring government in agreement that the product in question meets all requirements.

Learn more in “Getting Started with StateRAMP: A Guide for Service Providers Pursuing Authorization.”

Download the Guide

The StateRAMP Authorized Process

Step 1:

Become a StateRAMP Member
All service providers must become an active StateRAMP member before their cloud products and services can be validated by the program management office, obtain a StateRAMP security status, or become listed on the StateRAMP Authorized Product List (APL).

Step 2:

Optional: Submit a Security Snapshot Request Form
As a first step toward achieving a verified StateRAMP Security Status, you may complete a StateRAMP Security Snapshot. The snapshot serves as a “pre-Ready” measurement and the criteria are designed to provide a gap analysis to validate a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready.

Step 3:

Determine Your Appropriate Security Category
Before engaging a third-party assessment organization (3PAO) or submitting documentation for review, providers must determine the appropriate StateRAMP Impact Level—Low, Low+, or Moderate—required by their prospective state or local government partners. If you are unsure, you may use our data classification tool.

Step 4:

Engage a Third-Party Assessment Organization (3PAO)
Review the list of StateRAMP-Approved Assessors and engage with a 3PAO to complete a Security Assessment Report (SAR).

Step 5:

Complete Authorized Review Documentation & Security Review Request
Once engaged with a 3PAO, you must complete 100 percent of your documentation before the assessor can submit a StateRAMP Security Assessment Report to the StateRAMP Project Management Office. Before you can submit completed documentation to the StateRAMP PMO security team, you must complete the StateRAMP Security Review Request Form. Upon receiving completed documentation and payment of a StateRAMP Authorized review fee, StateRAMP will update a your status on the Authorized Product List (APL) to Pending.

Step 6:

Obtain Government Sponsorship or Committee Approval
To achieve StateRAMP Authorized status, providers must have an authorizing government official approve their security package. You may choose to secure government sponsorship on your own or leverage the StateRAMP Approvals Committee. The Approvals Committee, composed of active state and local government representatives, can elect to serve as the provider’s appointed sponsor and confirm their security package meets all StateRAMP requirements.

Step 7:

Obtain StateRAMP Authorized Verified Status

If the 3PAO attests to the your readiness, the StateRAMP PMO has verified that your product meets all of the mandatory requirements and critical controls, and all outstanding issues or inquiries have been resolved, your security status on the APL will be updated to Authorized.

A StateRAMP Provisional status may be assigned by a sponsoring government if you have submitted a security package for consideration and are found to meet most security requirements. Providers with Provisional status must comply with continuous monitoring requirements while an additional assessment may be required to obtain StateRAMP Authorized status.

Step 8:

Begin Continuous Monitoring Activities
Once you have obtained StateRAMP Authorized status, you must begin submitting the required documentation monthly and annual reporting as detailed in the StateRAMP Continuous Monitoring Guide.

Frequently Asked Questions

Pricing is tiered as follows:

  • $1,500 for providers with less than $1 million annual revenue
  • $5,000 for providers with annual revenue between $1-5 million
  • $7,500 for providers with annual revenue greater than $5 million

The level of effort to participate in the StateRAMP Authorized process varies based on the complexity of the system being assessed and the maturity of the organizational information security program. Organizations that have a current FedRAMP Authorized status may leverage their existing documentation to obtain StateRAMP Ready status with minimal additional effort. Organizations that have conducted other framework assessments, such as a SOC2 or HITRUST will be familiar with providing evidence to demonstrate control compliance. Organizations that are not familiar with framework assessments will have a sharper learning curve.

StateRAMP provides many resources to help participating organizations. These include:

Fast Track Option*

If a provider has a product, service, or offering with a federal authorization or is pursuing a federal authorization, that offering is eligible for the StateRAMP Fast Track process. Providers will partner with the StateRAMP Project Management Office (PMO) to provide and authenticate the necessary security documentation they’ve already completed for federal authorization. The Fast Track process is detailed below.

Step 1:

Become a StateRAMP Member
All service providers must become an active StateRAMP member before their cloud products and services can be validated by the program management office, obtain a StateRAMP security status, or become listed on the StateRAMP Authorized Product List (APL).

Step 2:

Engage the StateRAMP PMO
After joining as a StateRAMP member, service providers must complete a Security Review Request Form to engage the StateRAMP PMO. Prior to their first intake call, they can use this form to provide more information about their company and product.

Step 3:

Complete Required Documentation

Service providers should work with their third-party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federal-approved security package, 90 days of continuous monitoring, and any necessary StateRAMP templates.

The security team at the StateRAMP PMO accepts documents in FedRAMP formatting.

Step 4:

PMO Review
The PMO will review the service provider’s complete security package and conduct a call with the provider and 3PAO to make any final adjustments to the submitted documentation.

Step 5:

Begin Continuous Monitoring Activities
Once you have obtained StateRAMP Authorized status, you must begin submitting the required documentation monthly and annual reporting as detailed in the StateRAMP Continuous Monitoring Guide.

*Attention Texas Vendors:

In 2021, Texas passed a law requiring all vendors who use a cloud solution to serve Texas to become TX-RAMP authorized. By administrative rule, TX-RAMP recognizes StateRAMP with automatic reciprocity. StateRAMP provides an efficient, reusable certification that applies in Texas and across our rapidly expanding list of participating governments.

StateRAMP provides a weekly sync with TX-RAMP, so StateRAMP Authorized Products appear on the TX-RAMP list with ease.