StateRAMP Explained: Understanding the Government Program for CSPs

StateRAMP is an acronym for State Risk and Authorization Management Program. It was launched in 2020 as a state-level alternative to FedRAMP. Here is a quick guide to what you need to know about it.

The background to StateRAMP

As the name suggests, StateRAMP is heavily inspired by FedRAMP. It is based on the same framework, namely the National Institute of Standards and Technology Special Publication 800-53 Rev. 4. This is supplemented by elements from other relevant frameworks such as ISO 27001, SOC 2, and PCI-DSS.

Like FedRAMP, StateRAMP aims to be a “do-once-use-many-times” solution to data-security compliance for cloud service providers (CSPs). A CSP with StateRAMP certification is automatically cleared for relevant work with any participating state government or agency. In the case of StateRAMP, relevant work means work involving ePHI, PII, and PCI data.

Unlike FedRAMP, StateRAMP currently only has one level. It is, however, entirely possible that this will change in the future as the program matures.

The basics of StateRAMP

Here is an overview of the key points of the StateRAMP certification and, where relevant, how it compares with FedRAMP.

The process for achieving certification

Unlike FedRAMP, StateRAMP (currently) only has one path to certification. The first part is for the CSP to register with the StateRAMP organization and submit a self-assessment covering its controls, policies, and procedures. The StateRAMP Accreditation Body (SAB) then undertakes an on-site audit of the CSP’s facilities and operations.

The SAB then reports back to the StateRAMP Board with what is technically a recommendation. It’s the board’s decision on whether or not to grant the certificate. In practice, it would be highly unusual for the board to reject a recommendation.

If the CSP is not granted certification, they can simply address the feedback and submit a new application. In fact, the CSP can submit the application straight away if they wish.

As with FedRAMP, StateRAMP is not a “one-and-done” certification. All participating CSPs have to comply with robust monitoring and reporting guidelines. If they fail to meet the criteria in these guidelines, their certification can be withdrawn. Data submitted by the CSPs is analyzed by the StateRAMP organization and used to update its security guidelines.

The awarding body

StateRAMP is overseen by the StateRAMP organization. This operates under the Indiana Nonprofit Corporations Act. Legally, it is a 501(c)(6) nonprofit membership organization rather than a government organization. With that said, its governing Board of Directors is largely composed of representatives of state and local governments.

FedRAMP is overseen by the federal government via specific agencies and the Joint Authorization Board (JAB).

The level of recognition

At present, StateRAMP only has official recognition in a small number of states. Currently, it’s unclear if this is due to the states themselves or to CSPs (or a combination of both).

States may be reluctant to adopt StateRAMP because they are already familiar with FedRAMP. They can simply look for FedRAMP-certified CSPs on the FedRAMP marketplace. Alternatively, they can just replicate the FedRAMP requirements in their own requirements and allow all CSPs to bid for contracts.

If this is the case, then it may create a bit of a “chicken-and-egg” situation. CSPs may hesitate to adopt StateRAMP because too few states support it. States will hesitate to support StateRAMP because CSPs are not supporting it and are (probably) certifying for FedRAMP instead.

With that said, any CSP that can qualify for FedRAMP certification can almost certainly qualify for StateRAMP certification. This means that the cost of obtaining the second certification should be fairly minimal. It can therefore be easier to justify even if it delivers a lower business benefit.

The benefits of StateRAMP

Even though StateRAMP is currently only formally recognized in a small number of states, there can still be real benefits to the certification. Here are the main ones.

Pre-qualification for state-/local-level work

StateRAMP is not recognized in every state. Getting the certification is, however, still more convenient than qualifying individually in each of the states where it is recognized.

It may also put you ahead of the game as more states come on board. If demand increases ahead of available certification resources, then it may start to take longer to certify. (FedRAMP has experienced this issue.)

Pre-qualification for FedRAMP

If you haven’t already qualified for FedRAMP, then getting StateRAMP certified could serve as a test run for getting FedRAMP certified. It could also give you recognizable certification while you are waiting to become FedRAMP certified.

Reassurance for clients and the public in general

In simple terms, the more security certifications you can claim, the more reassurance you can offer (potential) clients and members of the public.

