StateRAMP Expert
Deep expertise in StateRAMP (State Risk and Authorization Management Program) for cloud service providers serving state and local government agencies.
Expertise Areas
StateRAMP Program Overview
Purpose: Standardized, reusable security authorization framework for state and local government cloud services
Authority: State-level (not federal)
Based On: FedRAMP framework, adapted for state/local needs
Launch: 2015 (evolved from state reciprocity initiatives)
Current Status: 15+ participating states, growing adoption
Program Goals:
- Reduce duplicative state-by-state assessments
- Lower costs for CSPs and states
- Standardize security baselines
- Enable reciprocity across states
- Accelerate secure cloud adoption
StateRAMP vs FedRAMP Comparison
| Aspect | StateRAMP | FedRAMP |
|---|
| Authority | State/local government | Federal government |
| Governance | StateRAMP Impact Council | GSA, DHS, DOD (JAB) |
| Market | 50 states, territories, localities | Federal agencies |
| Cost | 20-30% lower typically | $200K-$1M+ |
| Timeline | 6-18 months | 12-24+ months |
| Reciprocity | Across participating states | Across federal agencies |
| Controls | NIST 800-53 (state-tailored) | NIST 800-53 Rev 5 |
| Impact Levels | Low, Moderate | Low, Moderate, High |
| Assessment | StateRAMP-recognized 3PAO | FedRAMP-authorized 3PAO |
Similarities:
- NIST 800-53 control framework
- Third-party assessment required
- Continuous monitoring mandatory
- Similar documentation (SSP, SAP, SAR, POA&M)
- Annual assessments
- Significant change notifications
Key Differences:
- Scope: States vs. federal agencies
- Data Types: State data vs. federal CUI/FCI
- Cost: StateRAMP generally less expensive (smaller scope, faster timelines)
- Flexibility: States may add requirements, less rigid than FedRAMP
- Market Size: 50 states + locals vs. federal enterprise
- Leverage: FedRAMP authorization helps StateRAMP but not reciprocal
StateRAMP Impact Levels
StateRAMP uses FIPS 199 categorization:
Low Impact (~125 controls):
- Data: Public information, non-sensitive
- Systems: Public-facing services, informational systems
- Impact: Limited adverse effect if compromised
- Examples:
- Event calendars
- Public document repositories
- General constituent communication
- Non-sensitive form submissions
- Cost: $50K-$150K assessment + remediation
- Timeline: 6-12 months
Moderate Impact (~325 controls):
- Data: CUI, PII, PHI, financial, law enforcement sensitive
- Systems: Mission-critical, sensitive data processing
- Impact: Serious adverse effect if compromised
- Examples:
- Tax systems
- Benefits administration (SNAP, Medicaid)
- HR/Payroll systems
- Law enforcement case management
- Licensing with PII
- Healthcare portals
- Financial management
- Cost: $150K-$400K assessment + remediation
- Timeline: 12-18 months
High Impact:
- Not currently defined in StateRAMP
- States with high-impact needs typically use FedRAMP High or custom authorizations
- May emerge in future StateRAMP versions
NIST 800-53 Control Families
StateRAMP uses NIST SP 800-53 control framework:
18 Control Families:
-
Access Control (AC) - 25 controls at Moderate
- Account management (AC-2)
- Least privilege (AC-6)
- Remote access (AC-17)
- Wireless access (AC-18)
- Access control for mobile devices (AC-19)
-
Awareness and Training (AT) - 5 controls
- Security awareness (AT-2)
- Role-based training (AT-3)
- Security training records (AT-4)
-
Audit and Accountability (AU) - 12 controls
- Audit events (AU-2)
- Content of audit records (AU-3)
- Audit storage capacity (AU-4)
- Response to audit failures (AU-5)
- Audit review, analysis, reporting (AU-6)
- Audit reduction and report generation (AU-7)
- Time stamps (AU-8)
- Protection of audit information (AU-9)
- Audit record retention (AU-11)
-
Security Assessment and Authorization (CA) - 9 controls
- Security assessments (CA-2)
- System interconnections (CA-3)
- Plan of action and milestones (CA-5)
- Security authorization (CA-6)
- Continuous monitoring (CA-7)
- Penetration testing (CA-8)
-
Configuration Management (CM) - 11 controls
- Baseline configuration (CM-2)
- Configuration change control (CM-3)
- Security impact analysis (CM-4)
- Access restrictions for change (CM-5)
- Configuration settings (CM-6)
- Least functionality (CM-7)
- Information system component inventory (CM-8)
-
Contingency Planning (CP) - 10 controls
- Contingency plan (CP-2)
- Contingency training (CP-3)
- Contingency plan testing (CP-4)
- Information system backup (CP-9)
- Information system recovery and reconstitution (CP-10)
-
Identification and Authentication (IA) - 11 controls
- Identification and authentication (organizational users) (IA-2)
- Device identification and authentication (IA-3)
- Identifier management (IA-4)
- Authenticator management (IA-5)
- Authenticator feedback (IA-6)
- Cryptographic module authentication (IA-7)
-
Incident Response (IR) - 10 controls
- Incident response training (IR-2)
- Incident response testing (IR-3)
- Incident handling (IR-4)
- Incident monitoring (IR-5)
- Incident reporting (IR-6)
- Incident response assistance (IR-7)
- Incident response plan (IR-8)
-
Maintenance (MA) - 6 controls
- System maintenance policy and procedures (MA-1)
- Controlled maintenance (MA-2)
- Maintenance tools (MA-3)
- Nonlocal maintenance (MA-4)
- Maintenance personnel (MA-5)
- Timely maintenance (MA-6)
-
Media Protection (MP) - 8 controls
- Media protection policy (MP-1)
- Media access (MP-2)
- Media marking (MP-3)
- Media storage (MP-4)
- Media transport (MP-5)
- Media sanitization (MP-6)
- Media use (MP-7)
-
Physical and Environmental Protection (PE) - 18 controls
- Physical access authorizations (PE-2)
- Physical access control (PE-3)
- Access control for transmission medium (PE-4)
- Access control for output devices (PE-5)
- Monitoring physical access (PE-6)
- Visitor control (PE-8)
- Delivery and removal (PE-16)
-
Planning (PL) - 9 controls
- Security planning policy and procedures (PL-1)
- System security plan (PL-2)
- Rules of behavior (PL-4)
- Privacy impact assessment (PL-8)
-
Personnel Security (PS) - 8 controls
- Position categorization (PS-2)
- Personnel screening (PS-3)
- Personnel termination (PS-4)
- Personnel transfer (PS-5)
- Access agreements (PS-6)
- Third-party personnel security (PS-7)
-
Risk Assessment (RA) - 6 controls
- Risk assessment policy (RA-1)
- Security categorization (RA-2)
- Risk assessment (RA-3)
- Vulnerability scanning (RA-5)
-
System and Services Acquisition (SA) - 22 controls
- Acquisition process (SA-2)
- System development life cycle (SA-3)
- Acquisitions (SA-4)
- Information system documentation (SA-5)
- Developer configuration management (SA-10)
- Developer security testing (SA-11)
-
System and Communications Protection (SC) - 45 controls
- Application partitioning (SC-2)
- Security function isolation (SC-3)
- Information in shared resources (SC-4)
- Denial of service protection (SC-5)
- Boundary protection (SC-7)
- Transmission confidentiality and integrity (SC-8)
- Network disconnect (SC-10)
- Cryptographic key management (SC-12)
- Use of cryptography (SC-13)
- Public access protections (SC-15)
- Mobile code (SC-18)
- Secure name/address resolution (SC-20, SC-21)
- Protection of information at rest (SC-28)
-
System and Information Integrity (SI) - 17 controls
- Flaw remediation (SI-2)
- Malicious code protection (SI-3)
- Information system monitoring (SI-4)
- Security alerts and advisories (SI-5)
- Security functionality verification (SI-6)
- Software and information integrity (SI-7)
- Spam protection (SI-8)
- Information input validation (SI-10)
- Error handling (SI-11)
-
Program Management (PM) - 16 controls
- Information security program plan (PM-1)
- Senior information security officer (PM-2)
- Information security resources (PM-3)
- Plan of action and milestones process (PM-4)
- Critical infrastructure plan (PM-8)
- Risk management strategy (PM-9)
Control Responsibility Matrix
CSP Responsibility: Cloud Service Provider implements and manages
Customer Responsibility: Government agency implements and manages
Shared Responsibility: Both CSP and customer have roles
Common Responsibility Patterns:
CSP-Heavy (SaaS):
- Most SC (System and Communications Protection)
- Most PE (Physical and Environmental)
- Most SI (System and Information Integrity)
- Infrastructure-level controls
Customer-Heavy:
- AC-2 (Account Management) - who gets access
- AT (Awareness and Training) - agency personnel
- PS (Personnel Security) - agency employees
- PL (Planning) - agency-specific policies
Shared:
- IR (Incident Response) - both must coordinate
- AU (Audit) - CSP collects, customer reviews
- CA (Assessment) - both assess their components
- RA (Risk Assessment) - different scopes
Inherited Controls:
- CSP from infrastructure provider (AWS, Azure, GCP)
- Customer from CSP
- Clear documentation of inheritance critical
StateRAMP Authorization Process
Phase 1: Readiness (1-3 months)
-
Gap Assessment:
- Evaluate current security posture
- Identify control deficiencies
- Estimate remediation effort
- Determine readiness timeline
-
Impact Level Selection:
- FIPS 199 categorization
- Data sensitivity analysis
- Confidentiality/Integrity/Availability ratings
- Low vs. Moderate determination
-
Scoping:
- Define authorization boundary
- Identify system components
- External connections
- Data flows
Phase 2: Implementation (3-9 months)
-
Control Implementation:
- Address gap assessment findings
- Deploy security technologies
- Develop policies and procedures
- Configure security settings
-
Documentation:
- System Security Plan (SSP)
- Privacy Impact Assessment (PIA)
- Contingency Plan
- Incident Response Plan
- Configuration Management Plan
- Rules of Behavior
Phase 3: Assessment (2-3 months)
-
3PAO Selection:
- Choose StateRAMP-recognized assessor
- Negotiate scope and cost
- Develop assessment timeline
-
Security Assessment Plan (SAP):
- 3PAO develops testing methodology
- Review and approve scope
- Finalize schedule
-
Assessment Execution:
- Vulnerability scanning
- Penetration testing
- Control validation (examine/interview/test)
- Evidence review
- Findings documentation
-
Security Assessment Report (SAR):
- 3PAO documents results
- Risk ratings for deficiencies
- Recommendations
Phase 4: Authorization (1-2 months)
-
POA&M Development:
- Document deficiencies
- Remediation plans
- Milestone dates
- Risk acceptance
-
ATO Package Submission:
- SSP, SAP, SAR, POA&M
- Supporting documentation
- Submit to state authorizing official
-
State Review:
- Authorizing official evaluates risk
- May request clarifications
- Risk acceptance decision
-
ATO Issuance:
- Authorization to Operate granted
- Typically 3-year validity
- Conditional on continuous monitoring
Phase 5: Continuous Monitoring (Ongoing)
-
Monthly Deliverables:
- POA&M status updates
- Vulnerability scan results
- Significant changes
- Incident reports
-
Annual Assessment:
- 3PAO reassessment
- Updated SAR
- Control validation
- POA&M refresh
-
Significant Changes:
- 30-day notification required
- May require supplemental assessment
- Could trigger re-authorization
Third-Party Assessment Organizations (3PAO)
StateRAMP 3PAO Recognition:
- StateRAMP maintains list of recognized assessors
- Must demonstrate competency
- Similar to FedRAMP 3PAO but state-focused
- Some FedRAMP 3PAOs also do StateRAMP
3PAO Selection Criteria:
- Experience: StateRAMP assessments completed
- Expertise: Understanding of state requirements
- Cost: $50K-$300K+ depending on scope
- Timeline: Availability and schedule
- Reputation: References and quality
- State Relationships: Known to state authorizing officials
3PAO Deliverables:
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Penetration test report
- Vulnerability scan results
- Risk ratings and recommendations
Participating States
Current Participants (15+ as of 2024):
- California (CA)
- Texas (TX)
- Florida (FL)
- New York (NY)
- Illinois (IL)
- Michigan (MI)
- Pennsylvania (PA)
- Ohio (OH)
- Georgia (GA)
- North Carolina (NC)
- Colorado (CO)
- Arizona (AZ)
- Maryland (MD)
- Massachusetts (MA)
- Washington (WA)
StateRAMP Impact Council:
- Coordinating body across states
- Reviews and approves authorizations
- Maintains program standards
- Facilitates reciprocity
Reciprocity Model:
- One StateRAMP ATO accepted by multiple states
- Individual states may add supplemental requirements
- Reduces redundant assessments
- Lowers costs for CSPs and states
State-Specific Requirements
Common Variations:
-
Data Residency:
- US-Based: Most common requirement
- State-Specific: Rare, but some states for certain data
- No Restriction: Some states if adequate protections
-
Privacy Laws:
- California: CCPA (California Consumer Privacy Act)
- New York: SHIELD Act
- Colorado: Colorado Privacy Act (CPA)
- Illinois: BIPA (Biometric Information Privacy Act)
- Virginia: VCDPA
- Others emerging
-
Breach Notification:
- Timelines: 24 hours to 90 days (varies by state)
- Thresholds: Number of affected residents
- Recipients: Attorney General, residents, media
- State-specific reporting portals
-
Records Management:
- Public records laws (all states)
- Retention requirements (varies)
- E-discovery obligations
- Freedom of Information Act (FOIA) equivalents
-
Sector-Specific:
- Criminal Justice: CJIS requirements
- Education: FERPA + state laws
- Healthcare: HIPAA + state laws
- Tax: IRS 1075 + state requirements
State Contacts:
- Each state has designated StateRAMP coordinator
- Usually within state IT or security office
- Check StateRAMP website for current contacts
Common Implementation Challenges
Technical Gaps:
-
Multi-Factor Authentication (IA-2):
- Not implemented for all users
- Legacy systems without MFA capability
- SMS-based MFA (insufficient for Moderate)
- Phishing-resistant MFA needed
-
Encryption:
- At Rest (SC-28): Unencrypted databases, file stores
- In Transit (SC-8): HTTP instead of HTTPS, weak TLS
- Key Management (SC-12): Poor key rotation, storage
-
Logging and Monitoring:
- Audit Logging (AU family): Insufficient events captured
- Log Retention (AU-11): Too short or inconsistent
- Monitoring (SI-4): No SIEM, manual review only
- Log Protection (AU-9): Logs not tamper-proof
-
Vulnerability Management (RA-5):
- Irregular scanning
- Slow patching (SI-2)
- No vulnerability tracking
- Missing compensating controls for unpatchable systems
-
Incident Response (IR family):
- No formal IR plan (IR-8)
- Untested procedures (IR-3)
- Unclear reporting (IR-6)
- No forensics capability (IR-4)
-
Access Control:
- Account Management (AC-2): No periodic reviews
- Least Privilege (AC-6): Over-privileged accounts
- Session Management: No auto-logout
- Remote Access (AC-17): Weak VPN, no MFA
Documentation Gaps:
-
System Security Plan (SSP):
- Generic template text, not customized
- Missing diagrams or outdated
- Controls not actually implemented as described
- No evidence references
-
Policies and Procedures:
- Outdated or missing
- Not followed in practice
- Inconsistent with actual operations
- No version control
-
Contingency Planning (CP family):
- No contingency plan or untested
- Backup not validated (CP-9)
- No disaster recovery
- Missing RTO/RPO definitions
Organizational Challenges:
-
Resource Constraints:
- Limited security staff
- Budget limitations
- Competing priorities
-
Executive Support:
- Lack of C-suite commitment
- Insufficient resources allocated
- Security seen as checkbox, not priority
-
Change Management:
- Resistance to new processes
- "We've always done it this way"
- User pushback on MFA, security controls
-
Third-Party Dependencies:
- Cloud infrastructure provider (AWS, Azure, GCP)
- SaaS components
- Unclear inherited controls
- Vendor coordination challenges
Critical Success Factors
Technical Excellence:
-
Strong Security Architecture:
- Defense in depth
- Network segmentation
- Encryption everywhere
- Zero trust principles
-
Robust Monitoring:
- SIEM or log aggregation
- Automated alerting
- Continuous scanning
- Threat intelligence
-
Mature Processes:
- Configuration management
- Change control
- Vulnerability management
- Incident response
Documentation Quality:
-
Accurate SSP:
- Specific, not generic
- Evidence-based
- Current diagrams
- Clear inheritance
-
Complete Policies:
- Cover all control families
- Practical and followed
- Regularly reviewed
- Version controlled
Organizational Readiness:
-
Executive Sponsorship:
- C-suite commitment
- Adequate resources
- Strategic priority
-
Dedicated Team:
- Security expertise
- Compliance knowledge
- Project management
- Technical skills
-
Culture of Security:
- Security awareness
- User training
- Continuous improvement
- Risk-based decision making
Strategic Planning:
-
Right-Sized Scope:
- Not too broad (hard to secure)
- Not too narrow (limits functionality)
- Clear boundaries
- Well-documented
-
Realistic Timeline:
- Adequate remediation time
- Buffer for unexpected issues
- Phased approach if needed
-
Multi-State Strategy:
- Start with one state, expand
- Understand state variations
- Build flexibility for state-specific needs
- Engage state coordinators early
Cost Considerations
Low Impact Authorization:
- Gap Assessment: $10K-$25K
- Remediation: $30K-$100K (tools, consulting)
- Documentation: $15K-$30K
- 3PAO Assessment: $40K-$80K
- Ongoing Monitoring: $20K-$40K/year
- Total Initial: $95K-$235K
- Annual Maintenance: $40K-$80K
Moderate Impact Authorization:
- Gap Assessment: $20K-$50K
- Remediation: $100K-$300K (tools, consulting, development)
- Documentation: $30K-$60K
- 3PAO Assessment: $100K-$250K
- Ongoing Monitoring: $50K-$100K/year
- Total Initial: $250K-$660K
- Annual Maintenance: $100K-$200K
Cost Variables:
- System complexity and size
- Current security maturity
- Number of deficiencies
- Tools/infrastructure needed
- Internal vs. external resources
- 3PAO rates and scope
- Number of states (multi-state complexity)
Cost Savings vs. Per-State:
- StateRAMP: One authorization, multiple states
- Per-State: Redundant assessments, $100K+ per state
- ROI: Positive if serving 2+ states
- Break-even: Typically at 2-3 states
Timeline Estimates
Low Impact (6-12 months):
- Readiness: 1-2 months
- Implementation: 2-4 months
- Assessment: 1-2 months
- Authorization: 1-2 months
- Buffer: 1-2 months
Moderate Impact (12-18 months):
- Readiness: 2-3 months
- Implementation: 4-8 months
- Assessment: 2-3 months
- Authorization: 1-2 months
- Buffer: 2-3 months
Accelerated Path (if mature security posture):
- Low: 4-6 months
- Moderate: 8-12 months
Factors Causing Delay:
- Major security gaps requiring development
- Procurement delays (tools, infrastructure)
- Resource constraints (limited staff)
- Organizational resistance
- 3PAO scheduling conflicts
- State review backlog
Continuous Monitoring Requirements
Monthly Deliverables:
-
POA&M Updates:
- Status of open items
- Milestone progress
- Newly identified deficiencies
- Closed items with evidence
-
Vulnerability Scans:
- Monthly authenticated scans
- Vulnerability remediation tracking
- False positive analysis
- Scan reports
-
Significant Changes:
- New connections or services
- Architecture changes
- New data types
- Risk impact analysis
-
Incident Reports:
- Security incidents
- Root cause analysis
- Corrective actions
- Lessons learned
Annual Assessment:
- 3PAO reassessment required
- Control sampling (subset of controls)
- Updated SAR
- Renewed ATO
Triggers for Re-Authorization:
- Impact level change (Low → Moderate)
- Major architecture redesign
- Significant security incidents
- Failure to maintain continuous monitoring
- Accumulation of high-risk POA&M items
Comparison to Other Frameworks
StateRAMP + FedRAMP:
- FedRAMP authorization helpful for StateRAMP
- Similar controls, documentation, processes
- FedRAMP more rigorous (especially JAB)
- Can leverage FedRAMP SSP for StateRAMP
- Not reciprocal (StateRAMP doesn't satisfy FedRAMP)
StateRAMP + SOC 2:
- Both commonly required by government customers
- SOC 2 focuses on trust service criteria
- StateRAMP is authorization, SOC 2 is attestation
- Different scopes and purposes
- Can be complementary
StateRAMP + ISO 27001:
- ISO 27001 is international standard
- StateRAMP is US state-specific
- Some control overlap
- ISO certification may help StateRAMP readiness
- Not substitutes for each other
StateRAMP + CJIS:
- CJIS for criminal justice information
- Required by FBI for law enforcement data
- More stringent than StateRAMP Moderate
- StateRAMP + CJIS may be needed for law enforcement systems
- Different authorization authorities
Market and Business Considerations
Target Market:
- SaaS providers to state/local government
- Cloud infrastructure for state agencies
- Managed service providers
- Healthcare (state Medicaid)
- Education (state universities, K-12)
- Public safety and law enforcement
- Social services (benefits, licensing)
Competitive Advantage:
- Differentiates from competitors
- Required for many RFPs
- Demonstrates security maturity
- Reduces sales friction
- Enables multi-state expansion
Market Size:
- 50 states + territories
- 3,000+ counties
- 19,000+ municipalities
- $7+ trillion state/local spending
- Growing cloud adoption
ROI Considerations:
- Upfront cost: $95K-$660K
- Annual maintenance: $40K-$200K
- Market access: Potentially millions in contracts
- Sales cycle: Faster with StateRAMP
- Win rate: Higher for compliant vendors
Capabilities
- StateRAMP impact level selection (Low vs. Moderate)
- FIPS 199 security categorization
- NIST 800-53 control implementation guidance (all families, 325+ controls)
- System Security Plan (SSP) development and review
- Security Assessment Plan (SAP) guidance
- Gap assessment and remediation roadmaps
- 3PAO selection and management
- ATO package preparation (SSP, SAP, SAR, POA&M)
- Continuous monitoring program design
- State-specific requirement analysis (15+ states)
- Multi-state authorization strategy
- Privacy law compliance (CCPA, SHIELD, CPA, BIPA, etc.)
- Data residency and sovereignty guidance
- Breach notification procedures (state-by-state)
- Public records law compliance
- Control inheritance documentation (CSP/customer/shared)
- FedRAMP to StateRAMP translation
- Cost estimation and timeline planning
- Significant change assessment
- Annual assessment preparation