StateRAMP builds on the National Institute of Standards and Technology (NIST) Special Publication 800-53 standard, which underpins FedRAMP’s approach to cloud security for Federal agencies by offering a consistent framework for security assessment, authorization and continuous monitoring. Recognizing the need for a similar framework at the State and Local levels, StateRAMP has been developed to tailor these Federal standards to the unique needs of State and Local Governments.
Key to StateRAMP’s initiative is the focus on framework harmonization, which aligns State and Local regulations with broader Federal and industry standards. This harmonization includes efforts like FedRAMP/TX-RAMP reciprocity and the CJIS task force, making compliance more streamlined. By mapping more compliance frameworks to one another, StateRAMP helps Government agencies and industry players leverage existing work, avoid redundancy and facilitate smoother procurement of secure technologies. Carahsoft supports this mission by partnering with StateRAMP Authorized vendors and engaging in initiatives that promote these harmonization efforts, such as the StateRAMP Cyber Summit and Federal News Networks’ StateRAMP Exchange.
Developing Framework Harmonization
CSPs often operate across multiple sectors and industries, each regulated by distinct frameworks such as FedRAMP CJIS, IRS Publication 1075, PCI DSS, FISMA, and HIPPA. Managing compliance across multiple frameworks can lead to redundant processes, inefficiencies and complexity. These challenges have emphasized the need for framework harmonization—aligning various cybersecurity frameworks to create a more cohesive and streamlined process.
With the FedRAMP transition to the NIST SP 800-53 Rev. 5 requirements in 2023, StateRAMP began working towards harmonization with FedRAMP across all impact levels. Through the StateRAMP Fast Track Program, CSPs pursuing FedRAMP authorization can leverage the same compliance documentation, including Plans of Actions and Milestones (POA&M), System Security Plans (SSP), security controls matrix and Third Party Assessment Organization (3PAO) audits, to achieve StateRAMP authorization.
Reciprocity between StateRAMP and TX-RAMP has been established to streamline cybersecurity compliance for CSPs working with Texas state agencies, higher education institutions and public community colleges. CSPs that achieve a StateRAMP Ready or Authorized status are eligible to attain TX-RAMP certification at the same impact level through an established process. Additionally, StateRAMP’s Progressing Security Snapshot Program offers a pathway to provisional TX-RAMP certification, enabling CSPs to engage with Texas agencies while working towards StateRAMP compliance. Once CSPs have enrolled in the Snapshot Program or have engaged with a 3PAO to conduct an audit, they are added to the Progressing Product List, a public directory of products and their cybersecurity maturity status. This reciprocity eases the burden of navigating multiple compliance frameworks and certifications.
Harmonized frameworks enable CSPs to align with the cybersecurity objectives of various organizations while simultaneously addressing a broader range of threats and vulnerabilities, improving overall security. StateRAMP’s focus is to align requirements across the Federal, State, Local and Educational sectors to reduce the cost of development and deployment through a unified set of standards. To ensure the Public and Private Sectors work in alignment, StateRAMP members have access to the same guidance, tools and resources necessary for implementing a harmonized framework. This initiative will streamline the compliance process through a unified approach to cybersecurity that ensures adherence to industry and regulatory requirements.
The Future of StateRAMP
StateRAMP has rolled out an overlay to its Moderate Impact Level baseline that maps to Criminal Justice Information Services (CJIS) Security Policy. This overlay is designed to strengthen cloud security in the law enforcement sector, helping assess a product’s potential for CJIS compliance in safeguarding critical information.
At the 2024 StateRAMP Cyber Summit, Deputy Information Security Officer Jeffrey Campbell from the FBI CJIS addressed the challenges state and local entities face when adopting cloud technologies. He explained that while state constituents frequently asked if they could use FedRAMP for cloud initiatives, the answer was often complicated because FedRAMP alone does not fully meet CJIS requirements. “You can use vendors vetted through FedRAMP, that is going to get you maybe 80% of these requirements. There’s still 20% you’re going to have to do on your own” Campbell noted. He emphasized that, through framework harmonization, StateRAMP can bridge this compliance gap, offering states a viable solution to achieve several parallel security standards.
Another initiative is the NASPO/StateRAMP Task Force, which was formed to unite procurement officials, cybersecurity experts, Government officials and industry experts together with IT professionals. The task force aims to produce tools and resources for procurement officials nationwide to make the StateRAMP adoption process more streamlined and consistent.
Though still relatively new, StateRAMP is gaining traction, with 28 participating states as of October 2024. As cyberattacks become more sophisticated, cybersecurity compliance has become a larger point of emphasis at every level of Government to protect sensitive data. StateRAMP is working to bring all stakeholders together to drive toward a common understanding and acceptance of a standardized security standard. StateRAMP’s proactive steps to embrace framework harmonization are helping CSPs and State and Local Governments move towards a more secure digital future.
To learn more about the advantages the StateRAMP program offers State Governments and technology suppliers watch the Federal News Network’s StateRAMP Exchange, presented by Carahsoft.
To learn more about framework harmonization and gain valuable insights into others, such as cloud security, risk management and procurement best practices, watch the StateRAMP Cyber Summit, presented by Carahsoft.
Automation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, as well as expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and exclusively accepting machine-readable artifacts within 18 months. 
A main initiative is evaluating the data security capabilities of cloud solution providers that sell to state and local governments. StateRAMP ensures CSPs meet minimum security requirements and helps them obtain verification and achieve certification. These verification statuses were created by StateRAMP and must be certified by a third party. To simplify this certification process, StateRAMP has introduced “Security Snapshot.”
Government procurement can be lengthy, as it involves handling prime contractors, working through the budgeting process and navigating rapid technology and resource changes. In light of this, many tech companies are unsure of how to deal with the government.