UPCOMING IN-PERSON EVENTS: The Schellman team will be around the country at events the week of June 5th

View Events
Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
View All Industry Solutions
Learning Center
Articles
Whitepapers
Case Studies
Events & Live Webinars
On-Demand Webinars
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Contact a Specialist

«  View All Posts

FedRAMP vs StateRAMP Blog Feature
Andy Rogers

By: Andy Rogers

Print/Save as PDF

FedRAMP vs StateRAMP

FedRAMP | Federal | StateRAMP

Sometimes, it might be easier to think of compliance as a vending machine.

The choices are priced differently, flavored differently, and suit the tastes of different people. When you were a kid and your parents gave you money to pick a snack, you probably thought long and hard about what you wanted—what would satisfy your craving at the time.

You’re not choosing between potato chips or a candy bar when it comes to government compliance—obviously, the stakes are much higher.

FedRAMP is probably the most well-known government compliance initiative, but it’s not the only one. There’s another program out there—State Risk Assessment Management Program (StateRAMP)—and you might be wondering if that’s where you should be spending your “nickels and dimes” on compliance.

You’re a cloud service provider (CSP) that wants to get your offering out there for use. To do that, you’ll need a form of compliance, and we are going to help you navigate the options.

In this article, we’ll outline what StateRAMP is. Because FedRAMP is more established, we’ll draw comparisons to it to help make StateRAMP more easily digestible.

After reading, you’ll understand StateRAMP and what it could mean for your Cloud Service Offering (CSO).

What is StateRAMP?

As you may have guessed, StateRAMP is a program for CSPs that want to offer cloud services to the state government and its many departments, bureaus, non-profits, agencies, and organizations.

You’ll recall that FedRAMP is for those with a desire to do business with the federal government.

That difference will, no doubt, play a major role in the selection process. But as with most projects, so will their respective costs. Before we address the complexities of the relationship between these two programs, you should know that—when you do eventually get around to working with a 3PAO—the respective prices are very similar:

  • $230k-$260k** for an initial assessment; and
  • $160k-$200k** for annual assessments.

**These numbers are estimates for organizations seeking StateRAMP ATO outright. However, your StateRAMP price will vary depending on a number of factors. Importantly among those will be if you have already completed a FedRAMP assessment and FedRAMP Authorization to Operate (ATO) (which we will get into in a moment).

Though these two programs are separate, we should note a couple of important things about their relationship:

  • If you already have a FedRAMP ATO with a federal sponsor, that does not mean that you are good to go across all of StateRAMP.
  • However, a FedRAMP ATO will allow you access to StateRAMP Fast Track, which significantly reduces the amount of StateRAMP process time from months to weeks.
    • The initial assessment and annual assessment are streamlined, and nothing additional is generally required to assess.
    • In going this route, you will need to pay for the StateRAMP membership fee, which varies depending on the organization.
    • You will also need to pay for the StateRAMP’s Program Management Office (PMO) review:
      • Initial and authorization review combined total: Estimated $7,500**
      • Continuous Monitoring assessment reviews: Approximately $5,000**

** These numbers are only estimated if you are in the process of or have completed an initial and annual FedRAMP assessment and are able to take the Fast Track route.

 

What is the StateRAMP Process?

Let’s talk more about the StateRAMP process. Similar to FedRAMP’s, to obtain StateRAMP ATO you’ll need to:

  • Secure a sponsoring organization;
  • Prepare your environment according to the StateRAMP requirements (more about this below);
  • Hire a Third-Party Assessment Organization (3PAO) designated by the American Association for Lab Accreditation (A2LA) to assess your environment and on the StateRAMP Marketplace as a 3PAO;
  • Successfully complete the PMO and sponsoring agency reviews of the security authorization package; and
  • Await ATO before you can begin providing your services to your government sponsor(s).

StateRAMP, like FedRAMP, has a marketplace that lists organizations that have already received an ATO as well as accredited 3PAOs. 

The review and buildout process ahead of your assessment will also look very consistent as well. The same National Institute of Standards and Technology (NIST) publication NIST 800-53 v4 (soon to be v5) that applies to FedRAMP also applies to StateRAMP.

 

Non-Sponsor Assessment Package Review (StateRAMP Approvals Committee) *

CSPs without a StateRAMP sponsor may still submit an initial SAR package for authorization review to the StateRAMP Approvals Committee. Unlike the JAB, the committee is not selective and is first-in-first-out (queue). The Approvals Committee has set a rate of review of 2-3 packages per month.

What are StateRAMP’s Requirements? **

The similarities between the programs don’t end with just the process. When you undergo a StateRAMP assessment, the purpose is also very comparable to that of FedRAMP—you must identify your risk tolerance based on the data you will store.

(This bit is arguably made easier as you can leverage the StateRAMP’s classification tool.)

When classifying said data, the StateRAMP Low, Low +, and Moderate designations also have a direct mapping to FedRAMP:

  • StateRAMP Low:117 Controls
  • StateRAMP Low+: 179 Controls with overlay requirements
    • What is a control overlay? These are added controls to comply with additional requirements.
    • Common control overlays would include those to accommodate Criminal Justice Information Services (CJIS), International Traffic in Arms Regulation (ITAR), Minimum Acceptable Risk Standards for Exchanges (MARS-E), Privacy Controls, Health Insurance Portability and Accountability Act (HIPAA), etc.
  • StateRAMP Moderate: 312 Controls--while there's no specific control set designation, a government sponsor can add additional controls to be assessed.
  • StateRAMP Moderate+: 312 Controls plus overlays—while there are no additional controls specified as part of this baseline, the same overlays mentioned for Low+ may also be layered on top of the Moderate baseline.

    Note: The higher the baseline, the more restrictive the requirements become.

Is There a StateRAMP High Baseline?

That being said, you may be wondering about a high baseline. After all, within FedRAMP, the High baseline represents the strongest level of security that protects sensitive, unclassified data.

However, StateRAMP does not account for a High baseline—if your environment contains systems covering that kind of information, you would be deferred to FedRAMP.

StateRAMP's FedRAMP Requirements

StateRAMP also actually leverages many FedRAMP requirements, including the:

  • Annual assessment performed by a 3PAO once the CSO achieves ATO
  • Continuous monitoring requirements with the sponsoring organization
  • Plan of Action and Milestone (POA&M) requirements
    • Required monthly submission to the PMO and your agency
  • Vulnerability mitigation requirements
    • 30 days for High, 90 days for Moderate, 180 days for Low 

The point is, if you’re already familiar with FedRAMP requirements, you’re ahead of the game in preparing for StateRAMP.

However, don’t assume that working at the state level means it’s going to be easier. Everything still has to do with your sponsoring organization and the data that you are storing and processing.

How is StateRAMP Different from FedRAMP?

Now that we have established some of the similarities between these two programs, let’s talk about the primary areas where they diverge:

  • Backing: FedRAMP is federally funded while StateRAMP is a nonprofit organization 501(c)(6). That explains the aforementioned membership fee and report review fees relevant to StateRAMP.
  • “Showstoppers:” Because the programs are run by two different PMOs, they may have different “showstoppers” that could hold you up in the ATO process.
  • Ready Statuses: Unlike FedRAMP’s—which expires after 12 months—StateRAMP Ready status does not expire.
  • ATO Approach: StateRAMP offers two different approaches to ATOs:
    • Non-Sponsored Assessment Package to gain a full ATO via their StateRAMP Approvals Committee
    • The typical Agency-Sponsored path known from FedRAMP
Important Note: StateRAMP ATOs are a lot like FedRAMP JAB ATOs in that they provide authorization to serve all departments, bureaus, non-profits, agencies, and organizations (within the government of the state granting the ATO).

Do You Already Have FedRAMP ATO and Are Now Undergoing StateRAMP?

 

Good newsyou'll be able to leverage StateRAMP Fast Track.

From a compliance and effort perspective, FedRAMP is the more challenging project, but if you've already received that ATO, you may be grandfathered into StateRAMP via FastTrack and consequently can get a StateRAMP ATO for just the Continuous Monitoring assessment price. 

It'll also be a quicker processthe StateRAMP PMO only has to review your CSP's FedRAMP documentation package and you're good to go.

Moving Forward with StateRAMP Compliance

 

As is the case with its fellow FedRAMP, StateRAMP compliance can make a worthy investment—especially if you already have a viable product and a state agency to engage it. It’s your doorway to providing your local and state government with your CSO.

But this isn’t the vending machine in your break room—it’s critical that you make the right decision for your government compliance.

You can do that a little better now that you have a baseline of how the StateRAMP program works, especially in comparison to FedRAMP. Between them, they have many of the same requirements, and if you’re already in the FedRAMP marketplace, it’s not a far stretch to get your StateRAMP ATO.

To learn more about other types of government compliance, check out our other content:

About Andy Rogers

Andy Rogers is a Senior Associate with Schellman based in Indianapolis, IN. Prior to joining Schellman in 2021, Andy Rogers worked as a Cyber Security Consultant, for a Government Aeronautics company specializing in UAVs, Satellites, and FedRAMP audits. Andy Rogers has over 17 years of experience comprised of serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing for organizations across various industries.

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.