FedRAMP vs StateRAMP
Though FedRAMP is probably the most well-known government compliance initiative, it’s not the only one. There’s another program out there—State Risk Assessment Management Program (StateRAMP)—and you might be wondering if that’s where you should be spending your “nickels and dimes” on compliance.
You’re a cloud service provider (CSP) that wants to get your offering out there for use. To do that, you’ll need a form of compliance, and as one of the most prolific Third Party Assessment Organizations (3PAO) on the FedRAMP marketplace, we are going to help you navigate the options.
In this article, we’ll outline what StateRAMP is. Because FedRAMP is more established, we’ll draw comparisons to it to help make StateRAMP more easily digestible. After reading, you’ll understand StateRAMP and what it could mean for your Cloud Service Offering (CSO).
What is StateRAMP?
As you may have guessed, StateRAMP is a program for CSPs that want to offer cloud services to the state government and its many departments, bureaus, non-profits, agencies, and organizations.
You’ll recall that FedRAMP is for those with a desire to do business with the
That difference will, no doubt, play a major role in the selection process. But as with most projects, so will their respective costs. Before we address the complexities of the relationship between these two programs, you should know that—when you do eventually get around to working with a 3PAO—the respective prices are very similar:
- $230k-$260k** for an initial assessment; and
- $160k-$200k** for annual assessments.
** These numbers are estimates for organizations seeking a StateRAMP ATO outright. Your StateRAMP price will vary depending on a number of factors, chief among them whether you have already completed a FedRAMP assessment and hold a FedRAMP Authorization to Operate (ATO), which we will get into in a moment.
Though these two programs are separate, we should note a couple of important things about their relationship:
- If you already have a FedRAMP ATO with a federal sponsor, that does not mean that you are good to go across all of StateRAMP.
- However, a FedRAMP ATO will allow you access to StateRAMP Fast Track, which significantly reduces the amount of StateRAMP process time from months to weeks.
- The initial assessment and annual assessment are streamlined, and generally nothing additional needs to be assessed.
- In going this route, you will need to pay for the StateRAMP membership fee, which varies depending on the organization.
- You will also need to pay for the StateRAMP Program Management Office (PMO) review:
  - Initial and authorization review combined total: estimated $7,500**
  - Continuous Monitoring assessment reviews: approximately $5,000**
** These estimates apply only if you are in the process of, or have completed, an initial and annual FedRAMP assessment and are able to take the Fast Track route.
What is the StateRAMP Process?
Let’s talk more about the StateRAMP process. Similar to FedRAMP’s, to obtain a StateRAMP ATO you’ll need to:
- Secure a sponsoring organization;
- Prepare your environment according to the StateRAMP requirements (more about this below);
- Hire a 3PAO that is accredited by the American Association for Laboratory Accreditation (A2LA) and listed on the StateRAMP Marketplace to assess your environment;
- Successfully complete the PMO and sponsoring agency reviews of the security authorization package; and
- Await ATO before you can begin providing your services to your government sponsor(s).
StateRAMP, like FedRAMP, has a marketplace that lists organizations that have already received an ATO as well as accredited 3PAOs.
The review and buildout process ahead of your assessment will also look very consistent. The same National Institute of Standards and Technology (NIST) publication, NIST SP 800-53 Rev. 4 (soon to be Rev. 5), that applies to FedRAMP also applies to StateRAMP.
Non-Sponsor Assessment Package Review (StateRAMP Approvals Committee)
CSPs without a StateRAMP sponsor may still submit an initial SAR package to the StateRAMP Approvals Committee for authorization review. Unlike the JAB, the committee is not selective; packages are reviewed first-in, first-out (as a queue). The Approvals Committee has set a review rate of 2-3 packages per month.
What are StateRAMP’s Requirements?
The similarities between the programs don’t end with just the process. When you undergo a StateRAMP assessment, the purpose is also very comparable to that of FedRAMP—you must identify your risk tolerance based on the data you will store.
(This step is arguably made easier because you can leverage StateRAMP’s data classification tool.)
Much like FedRAMP’s Low, Moderate, and High risk designations, StateRAMP has its own risk designations, which differ only slightly: Low, Low+, and Moderate. The control counts below are what you can expect when completing your StateRAMP assessment.
- StateRAMP Low: 117 controls
- StateRAMP Low+: 179 controls, plus additional control requirements
  - What are the additional control requirements? These are controls added to comply with requirements associated with the applicable standards, regulations, and services.
  - Common additional control requirements include those that accommodate Criminal Justice Information Services (CJIS), International Traffic in Arms Regulations (ITAR), Minimum Acceptable Risk Standards for Exchanges (MARS-E), Privacy Controls, the Health Insurance Portability and Accountability Act (HIPAA), etc.
- StateRAMP Moderate: 312 controls. While there is no specific control set designation, a government sponsor can add controls to be assessed.
Note: “It is the goal of StateRAMP to provide the state or local government Authorizing Body flexibility to require additional controls as appropriate. For example, additional controls may be necessary to comply with CJIS or MARS-E 2.0 requirements. These additional controls would be noted as (+) on the StateRAMP Authorized Product List (APL) so that service providers can benefit from the higher authorization indicating an ability to comply with more rigorous standards.”
Is There a StateRAMP High Baseline?
You may be wondering about a High baseline. After all, within FedRAMP, the High baseline represents the strongest level of security, protecting sensitive, unclassified data.
However, StateRAMP does not define a High baseline. If your environment contains systems handling that kind of information, you would be deferred to FedRAMP.
StateRAMP's FedRAMP Requirements
StateRAMP also leverages many FedRAMP requirements, including the:
- Annual assessment performed by a 3PAO once the CSO achieves ATO
- Continuous monitoring requirements with the sponsoring organization
- Plan of Action and Milestone (POA&M) requirements
- Required monthly submission to the PMO and your agency
  - 30 days for High, 90 days for Moderate, 180 days for Low
The point is, if you’re already familiar with FedRAMP requirements, you’re ahead of the game in preparing for StateRAMP.
However, don’t assume that working at the state level means it’s going to be easier. Everything still depends on your sponsoring organization and the data that you are storing and processing.
How is StateRAMP Different from FedRAMP?
Now that we have established some of the similarities between these two programs, let’s talk about the primary areas where they diverge:
- Backing: FedRAMP is federally funded, while StateRAMP is a 501(c)(6) nonprofit organization. That explains the aforementioned membership fee and report review fees that apply to StateRAMP.
- “Showstoppers:” Because the programs are run by two different PMOs, they may have different “showstoppers” that could hold you up in the ATO process. For more on StateRAMP baseline mandates, check these links:
- Ready Statuses: Unlike FedRAMP Ready status, which expires after 12 months, StateRAMP Ready status does not expire.
- ATO Approach: StateRAMP offers two different paths to an ATO. In addition to the Agency-Sponsored path familiar from FedRAMP, StateRAMP allows a Non-Sponsored Assessment Package to gain a full ATO via the StateRAMP Approvals Committee.
Important Note: StateRAMP ATOs are a lot like FedRAMP JAB ATOs in that they provide authorization to serve all departments, bureaus, non-profits, agencies, and organizations (within the government of the state granting the ATO).
Do You Already Have FedRAMP ATO and Are Now Undergoing StateRAMP?
Good news: you'll be able to leverage StateRAMP Fast Track.
From a compliance and effort perspective, FedRAMP is the more challenging project, but if you've already received that ATO, you may be grandfathered into StateRAMP via Fast Track and consequently can get a StateRAMP ATO for just the Continuous Monitoring assessment price.
It'll also be a quicker process—the StateRAMP PMO only has to review your CSP's FedRAMP documentation package and you're good to go.
Moving Forward with StateRAMP Compliance
As with FedRAMP, StateRAMP compliance can be a worthy investment, especially if you already have a viable product and a state agency ready to use it. It’s your doorway to providing your CSO to local and state government.
Now that you have a baseline understanding of how the StateRAMP program works, especially in comparison to FedRAMP, you can make a decision on your government compliance path. The two programs share many of the same requirements, and if you’re already in the FedRAMP marketplace, it’s not a far stretch to get your StateRAMP ATO.
To learn more about other types of government compliance, check out our other content:
- Preparing for CMMC: Three Things You Can Do Right Now
- Finding Your FedRAMP Consultant: What to Ask and When
- Which of the NIST SP 800-Series Publications Should You Follow?
About Andy Rogers
Andy Rogers is a Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy worked as a Cyber Security Consultant for a government aeronautics company specializing in UAVs, satellites, and FedRAMP audits. Andy has over 17 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. He is now focused primarily on FedRAMP, assessing organizations across various industries.