Menu
StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Standards & Technical Committee. Find the policies, templates and resources you need on this page.
Throughout 2023, the StateRAMP Standards & Technical Committee met to update the baseline requirements to align with NIST 800-53 Rev. 5. The Committee and Board recommended a transition for providers so that those submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisional have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements. The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024.
In May, the StateRAMP Board of Directors adopted the Standards & Technical Committee’s recommended baseline controls that incorporate NIST 800-53 Rev.5 into StateRAMP’s security requirements.
The following templates are associated with Rev. 4 baseline requirements and will not be accepted after October 1, 2024. View updated requirements and templates here.
StateRAMP Readiness Assessment Report (RAR) Template
StateRAMP Security Assessment Report (SAR) Template
StateRAMP Security Assessment Plan (SAP) Template
StateRAMP Inventory Workbook Template
System Security Plan (SSP) Template
Plan of Action and Milestones (POAM) Template
Continuous Monthly Executive Summary Template
Vulnerability Deviation Request Form
Significant Change Form Template
Configuration Management Plan (CMP) Template
Incident Response Plan (IRP) Template
Information System Continuous Monitoring (ISCM) Plan
AC – Access Control Policy Template
AC – Access Control Procedure Template
AT – Awareness & Training Policy Template
AT – Awareness & Training Procedure Template
AU – Audit & Accountability Policy Template
AU – Audit & Accountability Procedure Template
CA – Security Assessment and Authorization Policy Template
CA – Security Assessment and Authorization Procedure Template
CM – Configuration Management Policy Template
CM – Configuration Management Procedure Template
CP – Contingency Planning Policy Template
CP – Contingency Planning Procedure Template
IA – Identification & Authentication Policy Template
IA – Identification & Authentication Procedure Template
IR – Incident Response Policy Template
IR – Incident Response Procedure Template
MA – Maintenance Policy Template
MA – Maintenance Procedure Template
MP – Media Protection Policy Template
MP – Media Protection Procedure Template
PE – Physical & Environmental Policy Template
PE – Physical & Environmental Procedure Template
PL – Planning Policy Template
PL – Planning Procedure Template
PS – Personnel Policy Template
PS – Personnel Procedure Template
RA – Risk Assessment Policy Template
RA – Risk Assessment Procedure Template
SA – System & Services Acquisition Policy Template
SA – System & Services Acquisition Procedure Template
SC – System & Communications Protection Policy Template
SC – System & Communications Protection Procedure Template
SI – System & Information Integrity Policy Template
SI – System & Information Integrity Procedure Template
The first Authorized Product List (APL) includes a listing of Subscriber Members who are actively pursuing third party verification for their offerings. Follow the steps below to be listed on the Authorized Product List.
Assessors play an important role in conducting independent security audits.
A government sponsor is required for providers wishing to submit a request for authorization.
Do you want your products included on the StateRAMP Authorized Product List? Submit a Security Review Request to begin the process.
StateRAMP is proud to partner with Knowledge Services to serve as the PMO.
Interested in StateRAMP? Sign up below to receive StateRAMP Updates.