A Step-by-Step Guide to the StateRAMP Authorization Process
Created in 2020, StateRAMP provides a standardized approach to cybersecurity for cloud vendors working with state and local governments. StateRAMP authorization is required for any organization that wishes to do business with state and local governments.
If you are seeking StateRAMP authorization, here is a look at the step-by-step process you’ll need to complete with A-LIGN:
- Step 1: Pre-Assessment Review
- Step 2: Planning Activities
- Step 3: Assessment Activities
- Step 4: Reporting Activities
- Step 5: Earning Authorization
Look familiar? This is very similar to the process for FedRAMP authorization.
Before You Begin
Before the assessment process gets underway, you’ll need to complete a few initial tasks to help your organization prepare:
- Obtain a Sponsor (optional)
- Find a Third Party Assessment Organization (3PAO)
- Complete a Readiness Assessment (optional)
It’s always good to gain a baseline understanding of StateRAMP and the assessment process before diving into it. Here is some recommended reading to help you begin your research:
- StateRAMP Frequently Asked Questions
- What Is StateRAMP and How Does It Relate to FedRAMP?
- Templates & Resources – StateRAMP
Leverage a Sponsor or the Approvals Committee
Sponsors are individuals or agencies responsible for reviewing a security package and approving StateRAMP Authorized status. The sponsor is the state agency or organization that will eventually use the cloud product.
Providers looking to achieve StateRAMP Authorization may choose to leverage a sponsor OR use StateRAMP’s Approvals Committee instead. Either route is acceptable and there is no difference (beyond some minor administrative changes) in the authorization process.
Find a Third Party Assessment Organization (3PAO)
StateRAMP assessments must be completed by a 3PAO, an organization that has gained special authorization to conduct assessments on behalf of the StateRAMP program. Any FedRAMP 3PAO is eligible to conduct the assessments but must register with StateRAMP.
A-LIGN is a StateRAMP-registered assessor and accredited FedRAMP 3PAO. We have a longstanding relationship with FedRAMP and StateRAMP, and served as advisors on how best to adapt the FedRAMP framework into StateRAMP when the program was first created. We also currently serve on the Steering Committee and the Appeals Committee.
Complete a Readiness Assessment
Prior to undergoing a StateRAMP assessment, you may want to perform a StateRAMP Readiness Assessment and obtain a Readiness Assessment Report (RAR). During this assessment, a 3PAO examines your environment to determine whether it is technically capable of meeting the StateRAMP requirements.
A readiness assessment can help identify gaps in controls prior to the official 3PAO assessment, which ultimately saves you time and money in the official audit process. After the assessment, organizations can qualify for StateRAMP Ready status, which designates your organization as one that is qualified to achieve StateRAMP authorization and is in the process of doing so.
A-LIGN can provide you with both a readiness assessment and an official assessment for StateRAMP authorization.
Step 1: Pre-Assessment Review (1-4 Weeks)
If you have already completed a readiness assessment with A-LIGN and received a StateRAMP Readiness Assessment Report, we will skip this step and move immediately to Step 2 in the process.
Once you are ready for an official assessment and have signed a contract with A-LIGN, we’ll begin with a pre-assessment review phase.
During this phase, our team will compare your current environment against the StateRAMP requirements to determine any known issues or gaps that need to be remediated before the official assessment.
Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better. Once the review is complete, we will meet with your team to review the findings and outline the next steps.
Step 2: Planning Activities (4 Weeks)
After the Pre-Assessment Review phase, you will need to submit responses to an initial Information Request List (IRL) that A-LIGN provides.
While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include:
- An Authority to Test (ATT) – This is part of our penetration (pen) test planning and is only required if the system being reviewed is classified as StateRAMP Moderate impact level. Low and Low+ impact levels do not require pen tests under current guidance from StateRAMP.
- A Security Assessment Plan (SAP).
Step 3: Assessment Activities (7 weeks)
During the assessment phase, we will conduct on-site fieldwork (team interviews) and remote fieldwork (evidence review).
Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. Any delays in evidence collection will result in delays in our review timeline. It’s important to plan ahead so we can stay on schedule throughout the assessment process.
We will also conduct a pen test at this time. Again, this is only a requirement for StateRAMP Moderate. It is an optional step for Low and Low+. Although it is optional, we highly recommend undergoing this step as a safety net to eliminate any surprises we may encounter during the actual testing phase.
Once we conduct the penetration test and get through a majority of the evidence review, we’ll provide your team with a draft of a risk exposure table. Your team can then review the draft and create a plan of action and milestones to remediate any initial issues that were found.
Step 4: Reporting Activities (5 weeks)
Upon completion of our full evidence review and pen test, we will provide you with a draft Security Assessment Report (the next iteration of the initial risk exposure table) and pen test report for review. We will analyze and discuss the findings with your team before drafting a final report for you.
Once the final report is complete, it will be sent to StateRAMP.
Step 5: Earning Authorization (2-3 weeks)
The security package is then reviewed by the security professionals at StateRAMP’s Program Management Office (PMO). The PMO will verify the security status of your organization and grant you:
StateRAMP Authorized Status: A status that indicates the product or offering:
- Has a government sponsor
- Meets all the required NIST controls for its impact level
- Has completed the necessary documentation, including a 3PAO Security Assessment Report
StateRAMP Provisional Status: A status that indicates the product or offering:
- Has met the minimum requirements and the most critical controls, but not all of them
Providers listed as Provisional may continue to work toward Authorized status.
All authorized providers will be listed on the publicly available Authorized Vendor List (AVL) on stateramp.org, which includes information about each service provider’s products, such as impact level, provider type, and security status. The PMO is responsible for continuously monitoring the providers listed on the AVL.
Get Started Today
For any organization looking to work with state and local government entities, StateRAMP authorization is essential. With careful planning, a solid 3PAO partner, and an understanding of the process and associated timeline, you can streamline efforts to achieve StateRAMP authorization.
For more information about the StateRAMP process, contact A-LIGN today.