Key Considerations for StateRAMP Authorization

November 29, 2021
Jake Nix

In November 2021, StateRAMP, a consortium of public and private industry cybersecurity officials bringing FedRAMP-style security standards to a new layer of government, announced their inaugural class of  Approved (Authorized) Vendors. BlackBerry, Cisco, Google, McAfee Enterprise, Microsoft, Qualys, Sophos, and ZScaler are some of the most recognizable names among twenty four organizations becoming the first set of companies to be approved under new cybersecurity guidelines for work with state and local governments.

For vendors seeking to add their own names to this list, here are some key considerations you can expect when evaluating a StateRAMP authorization.

Modeled after the National Institute of Standards and Technology (NIST) Risk Management Framework, and borrowing heavily from FedRAMP’s authorization model, StateRAMP’s Security Assessment Framework process has four key requirements for Cloud Service Providers (CSPs) seeking authorization:

  • Compliance with standards set forth in NIST Special Publication 800-53 Rev. 5.
  • A trusted advisor, to help the CSP navigate the complex and rigorous Cybersecurity standards set forth in the StateRAMP framework to ensure a successful Journey and protect the investment r
  • An in-depth security controls assessment from an A2LA accredited 3PAO that satisfies the sponsoring organization’s risk profile.  proving that the organization seeking authorization meets all requirements and has all the necessary controls established and operating effectively.
  • Ongoing monitoring to ensure the authorized service offering continues to adhere to StateRAMP compliance.  

In addition to the requirements listed above, CSPs seeking authorization also must determine their impact level category. These categories correspond to FedRAMP impact levels and are based upon the sensitivity of the government data being handled, as well as the subsequent potential impact a breach could have, should one occur. Fortunately, StateRAMP provides an easy-to-use data classification tool to help CSPs determine the appropriate level, as listed below:

  • Category 1 – This category applies to all systems handling publicly available data, and it’s the one category all CSPs must abide by. In FedRAMP terms, this category would qualify as a “low” impact level.
  • Category 2 – This category encompasses PII as well as any other data not publicly available. Like Category 1, it would be deemed a “low” impact level according to FedRAMP standards, although it does contain characteristics of a “moderate” baseline as well.
  • Category 3 – This category addresses systems handling confidential data that is critical to the continuity of government — equivalent to a “moderate” impact level in FedRAMP.
  • Category 3+ – This category only applies to FedRAMP High authorized systems for reciprocity agreements with StateRAMP.  

Have more questions about the StateRAMP Authorization process? Fill out the form below, and a member of our team will get in touch.


Stay Informed, Stay Secure

Subscribe to our newsletter and get the latest cybersecurity insights, updates, and event invitations delivered straight to your inbox. Join our community and empower your security journey with RISCPoint's expert knowledge.

Thank you! We'll keep you up to date!
Oops! Something went wrong while submitting the form.

Join our newsletter for updates. Terms.