StateRAMP

StateRAMP overview

StateRAMP is a cybersecurity program established in 2021 to address the needs of procurement and security officials in state and local governments (SLGs) in the United States. Its security verification model is based on the National Institute of Standards and Technology (NIST) SP 800-53 control framework and is modeled in part on the US Federal Risk and Authorization Management Program (FedRAMP). StateRAMP serves SLGs by providing a simplified and standardized approach for validating the cybersecurity posture of cloud service offerings (CSOs) that may store, process, or transmit various types of government data.

Like FedRAMP, StateRAMP relies on FedRAMP-accredited third-party assessment organizations (3PAOs) to conduct independent audits. A cloud service provider (CSP) that wants to sell services to SLGs can engage a 3PAO to conduct a security assessment and submit the resulting security package to the StateRAMP Program Management Office (PMO). The PMO reviews the package, verifies the security status, and manages continuous monitoring so that the security controls deployed in a CSO remain effective as the threat landscape evolves and the system environment changes. StateRAMP maintains a publicly available authorized product list with information about CSP offerings, including cloud service model, achieved security status, and impact level based on the NIST FIPS 199 guidelines: Low, Moderate, and High. These levels rank the impact that a loss of confidentiality, integrity, or availability could have on an organization: Low (limited adverse effect), Moderate (serious adverse effect), and High (severe or catastrophic adverse effect).

StateRAMP recognizes six security statuses on the authorized vendor list:

  • Verified offerings
    • Ready: meets minimum requirements
    • Provisional: exceeds minimum requirements and includes a government sponsor
    • Authorized: satisfies all requirements and includes a government sponsor
  • Progressing offerings
    • Active: working towards Ready
    • In Process: working towards Authorized
    • Pending: submitted a security package to the PMO and awaiting determination for a verified status

A government interested in learning more about a CSP's cybersecurity posture can review the corresponding security package by submitting an information request form to the StateRAMP PMO. More information is available on the StateRAMP frequently asked questions web page. Further in-depth documentation intended for state and local governments and cloud service providers can be downloaded from the StateRAMP public documents repository.

Microsoft and StateRAMP

Both Azure and Azure Government maintain FedRAMP High provisional authorizations to operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB), in addition to more than 400 Moderate and High ATOs issued by individual federal agencies for the in-scope services. For details, see the FedRAMP Marketplace. While FedRAMP High authorization in the Azure public cloud meets the needs of many US government customers, Azure Government provides extra customer assurances through controls that limit potential access to systems processing customer data to screened US persons.

The following cloud service offerings have achieved the StateRAMP Authorized Security Status — High Impact Level as shown on the StateRAMP authorized product list:

  • Azure
  • Azure Government
  • Dynamics 365
  • Dynamics 365 US Government

Applicability

  • Azure
  • Azure Government

Services in scope

StateRAMP allows for FedRAMP reciprocity as part of the StateRAMP Fast Track process, which enables the transfer of FedRAMP documentation into StateRAMP templates. Therefore, the cloud services in StateRAMP audit scope are the same services that have previously been authorized by FedRAMP. For a list of Microsoft cloud services in scope for the FedRAMP High authorizations in Azure and Azure Government, see Cloud services in audit scope.

Attestation documents

State and local governments can request Microsoft StateRAMP security packages directly from the StateRAMP PMO by submitting an information request form. For more information, see StateRAMP frequently asked questions.

For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.

Frequently asked questions

To whom does StateRAMP apply?
StateRAMP serves the needs of state and local governments by providing a simplified and standardized approach for validating the cybersecurity posture of cloud service offerings that may store, process, or transmit various types of government data.

Where does my agency start its own compliance effort?
For an overview of the steps state and local governments must take to navigate StateRAMP successfully, see StateRAMP documentation.

Where can I get the Azure StateRAMP documentation?
For links to audit documentation, see Attestation documents. You can request security packages directly from the StateRAMP Program Management Office by submitting an information request form.

Can I use Azure StateRAMP compliance in my agency’s authorization process?
Yes. You may use Azure or Azure Government StateRAMP verification as the foundation for any program or initiative that requires authorization from a state or local government agency. Your internal policy should define cybersecurity requirements for cloud service providers. For more information, see StateRAMP documentation.

What Azure Government services are covered by StateRAMP and in what regions?
To find out what services are available in Azure Government, see Products available by region. Cloud services in StateRAMP audit scope match cloud services in existing FedRAMP audit scope. For a list of services in scope for StateRAMP verification, see Azure Government services in FedRAMP audit scope.

Resources