StateRAMP
With increasingly daring cybercriminals targeting government data, a group of CIOs and CISOs banded together to create the State Risk and Authorization Management Program (StateRAMP). As a nonprofit organization, StateRAMP establishes a common cybersecurity framework for state and local government agencies to verify the security of cloud solutions that store, process and transmit sensitive data.
Cloud providers who do business with federal agencies are familiar with the Federal Risk and Authorization Management Program (FedRAMP). StateRAMP offers both state and local governments the same assurance that independent software vendors (ISVs) meet their minimum cybersecurity standards through independent assessments and continuous monitoring.
StateRAMP’s purpose is to:
01 Protect citizen data
Recent onslaughts of ransomware, phishing, and other complex cyber threats are putting the public’s sensitive data at risk. This data includes personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) information.
02 Save taxpayer and service provider dollars
StateRAMP’s “verify once, serve many” model is designed so that cloud vendors only need to authorize a product once to ensure its cybersecurity standards are compliant. Any state agency or local government can join StateRAMP at no cost.
03 Ease the burden on state and local government
StateRAMP eliminates the need to perform the same security assessment twice and allows a government agency to focus its resources elsewhere.
04 Promote cybersecurity best practices
The program aims to share cloud security knowledge transparently and make resources available to all who want to learn.
How does StateRAMP work?
StateRAMP’s Security Assessment Framework process uses the National Institute of Standards and Technology (NIST) Risk Management Framework. With NIST as its basis, the program standardizes a process of security assessment, authorization and continuous monitoring for state and local agencies.
According to StateRAMP’s security requirements, ISVs seeking an authorization must:
- Comply with NIST Special Publication 800-53 Rev. 5.
- Engage a third-party assessment organization (3PAO) to serve as a partner and educator during the process.
- Work with the 3PAO to produce a comprehensive security report that proves the organization has met all cybersecurity standards and security requirements.
- Implement continuous monitoring and demonstrate continuous StateRAMP compliance.
ISVs who follow this process can earn a place on the StateRAMP Authorized Vendor List under one of three security statuses:
- StateRAMP Ready: The service provider meets the 25 minimum security requirements and most critical controls.
- StateRAMP Provisional: A service provider submits a package for authorization but does not meet all necessary requirements and controls.
- StateRAMP Authorized: The provider meets all security requirements and complies with all mandatory controls.
Project Hosts is StateRAMP Authorized
Project Hosts offers ISVs a simpler approach to StateRAMP compliance. As a StateRAMP Authorized cloud service provider, we can provide your organization the opportunity to streamline the authorization process and kick-start your journey into the state and local government market.
When you partner with Project Hosts, you gain access to three key compliance-as-a-service offerings: