FedRAMP vs. StateRAMP: A Guide
Updated: Jul 14
Wondering if your organization needs StateRAMP or FedRAMP authorization...or both? You’re not alone. While the two frameworks are both modeled after the National Institute of Standards and Technology (NIST) Risk Management Framework and Special Publication 800-53, and look similar at first glance, there are some key differences that CSPs must account for, especially those actively seeking authorization. Think of them as siblings – not twins.
What They Are
FedRAMP, also known as The Federal Risk and Authorization Management Program, exists to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services that support the Federal government.
StateRAMP - the newer of the two frameworks - is a consortium of cybersecurity officials across the public and private sectors charged with assisting state and local governments in vetting third party vendors’ cyber and cloud security posture. If this sounds a lot like FedRAMP, it’s because it is. The primary difference here ultimately boils down to the communities they serve: a FedRAMP authorization solely applies to vendors working with the federal government, while StateRAMP, as the name suggests, solely applies to organizations working with state and local government entities.
How To Get Them
Navigating the paths to a FedRAMP authorization is notoriously difficult. Here, at RISCPoint, our team recommends an agency sponsorship path for a variety of reasons – the primary one being that it allows for risk acceptance by the agency sponsor, which is much different than the Joint Authorization Board prioritization process. You can read more about that and the process for FedRAMP authorization here.
StateRAMP, although newer than its federal counterpart, has a very transparent, straightforward process. CSPs may consult the organization’s vast repertoire of documents, including a Start Guide, which details the step-by-step process for approval. For key considerations to keep in mind before beginning your authorization journey, check out our blog post here.
But, What if I Already Have a FedRAMP Authorization?
Great news! There is indeed a reciprocity agreement between the two frameworks. If you have an IaaS, PaaS, or SaaS solution that has a FedRAMP Ready, P-ATO, or ATO designation, the same product can be reviewed by the Project Management Office under FedRAMP Reciprocity, as stated in the StateRAMP Guidelines. While the CSP provider must become a StateRAMP member, no further security assessment is required.
Have more questions about FedRAMP and StateRAMP and what’s best suited for your organization’s needs? Get in touch with us with the form below!