FedRAMP vs. StateRAMP

Sometimes, it might be easier to think of compliance as a vending machine.

The choices are priced differently, flavored differently, and suit the tastes of different people. When you were a kid and your parents gave you money to pick a snack, you probably thought long and hard about what you wanted—what would satisfy your craving at the time.

You’re not choosing between potato chips or a candy bar when it comes to government compliance—obviously, the stakes are much higher.

FedRAMP is probably the most well-known government compliance initiative, but it’s not the only one. There’s another program out there—State Risk Assessment Management Program (StateRAMP)—and you might be wondering if that’s where you should be spending your “nickels and dimes” on compliance.

You’re a cloud service provider (CSP) that wants to get your offering out there for use. To do that, you’ll need a form of compliance, and we are going to help you navigate the options.

In this article, we’ll outline what StateRAMP is. Because FedRAMP is more established, we’ll draw comparisons to it to help make StateRAMP more easily digestible.

After reading, you’ll understand StateRAMP and what it could mean for your Cloud Service Offering (CSO).

What is StateRAMP?

As you may have guessed, StateRAMP is a program for CSPs that want to offer cloud services to the state government and its many departments, bureaus, non-profits, agencies, and organizations.

You’ll recall that FedRAMP is for those with a desire to do business with the federal government.

That difference will, no doubt, play a major role in the selection process. But as with most projects, so will their respective costs. Before we address the complexities of the relationship between these two programs, you should know that—when you do eventually get around to working with a Third Party Assessment Organization (3PAO)—the respective prices are very similar:

  • $230k-$260k** for an initial assessment; and
  • $160k-$200k** for annual assessments.

**These numbers are estimates for organizations seeking a StateRAMP ATO outright. Your StateRAMP price will vary depending on a number of factors; chief among them is whether you have already completed a FedRAMP assessment and received a FedRAMP Authorization to Operate (ATO), which we will get into in a moment.

Though these two programs are separate, we should note a couple of important things about their relationship:

  • If you already have a FedRAMP ATO with a federal sponsor, that does not mean that you are good to go across all of StateRAMP.
  • However, a FedRAMP ATO will give you access to StateRAMP Fast Track, which significantly reduces StateRAMP process time from months to weeks.
    • The initial assessment and annual assessment are streamlined, and generally nothing additional needs to be assessed.
    • In going this route, you will need to pay the StateRAMP membership fee, which varies depending on the organization.
    • You will also need to pay for StateRAMP’s Program Management Office (PMO) review:
      • Initial and authorization review combined total: Estimated $7,500**
      • Annual assessment reviews: Approximately $5,000**

** These estimates apply only if you are in the process of, or have completed, an initial and annual FedRAMP assessment and are able to take the Fast Track route.

What is the StateRAMP Process?

Let’s talk more about the StateRAMP process. Much as with FedRAMP, to obtain a StateRAMP ATO you’ll need to:

  • Secure a sponsoring organization;
  • Prepare your environment according to the StateRAMP requirements (more about this below);
  • Hire a Third Party Assessment Organization (3PAO) designated by the American Association for Lab Accreditation (A2LA) to assess your environment;
  • Successfully complete the PMO and sponsoring agency reviews of the security authorization package; and
  • Await ATO before you can begin providing your services to your government sponsor(s).

StateRAMP, like FedRAMP, has a marketplace that lists organizations that have already received an ATO as well as accredited 3PAOs. The good news is that designated FedRAMP 3PAOs are also StateRAMP 3PAOs, meaning you can use FedRAMP 3PAOs for StateRAMP and vice versa.

The review and buildout process ahead of your assessment will also look very consistent. The same National Institute of Standards and Technology (NIST) publication, NIST 800-53 v4 (soon to be v5), that applies to FedRAMP also applies to StateRAMP.

What are StateRAMP’s Requirements?

The similarities between the programs don’t end with just the process. When you undergo a StateRAMP assessment, the purpose is also very comparable to that of FedRAMP—you must identify your risk tolerance based on the data you will store.

(This bit is arguably made easier because you can leverage StateRAMP’s classification tool.)

When classifying said data, the StateRAMP Category 1, Category 3, and Category 3+ designations also have a direct mapping to FedRAMP:

  • StateRAMP Category 1 = FedRAMP Low (Tailored), 125 controls
  • StateRAMP Category 3 = FedRAMP Moderate, 325 controls
  • StateRAMP Category 3+ does not have a specific control set designation, but a government sponsor can add additional controls to be assessed. Note: The higher the baseline, the more restrictive the requirements become.

StateRAMP also leverages many FedRAMP requirements, including the:

  • Annual assessment performed by a 3PAO once the CSO achieves ATO
  • Continuous monitoring requirements with the sponsoring organization
  • Plan of Action and Milestone (POA&M) requirements
    • Required monthly submission to the PMO and your agency
  • Vulnerability mitigation requirements
    • 30 days for High, 90 days for Moderate, 180 days for Low 

The point is, if you’re already familiar with FedRAMP requirements, you’re ahead of the game in preparing for StateRAMP.

However, don’t assume that working at the state level means it’s going to be easier. Everything still depends on your sponsoring organization and the data that you are storing and processing.

How is StateRAMP Different from FedRAMP?

Now that we have established some of the similarities between these two programs, let’s talk about the primary areas where they diverge:

  • Backing: FedRAMP is federally funded, while StateRAMP is a 501(c)(6) nonprofit organization. That explains the aforementioned membership fee and report review fees relevant to StateRAMP.
  • “Showstoppers”: Because the programs are run by two different PMOs, they may have different “showstoppers” that could hold you up in the ATO process.
  • Ready Statuses: Unlike FedRAMP’s—which expires after 12 months—StateRAMP Ready status does not expire.
  • ATO Approach: StateRAMP offers only one approach to ATO while FedRAMP offers two—through an agency or the JAB.
    • Important Note: StateRAMP ATOs are a lot like FedRAMP JAB ATOs in that they provide authorization to serve all departments, bureaus, non-profits, agencies, and organizations (within the government of the state granting the ATO).
  • High Baseline: Within FedRAMP, the High baseline represents the strongest level of security that protects sensitive, unclassified data. However, StateRAMP does not account for a High baseline—if your environment contains systems covering that kind of information, you would be deferred to FedRAMP.

Moving Forward with StateRAMP Compliance

As with FedRAMP, StateRAMP compliance can be a worthy investment—especially if you already have a viable product. It’s your doorway to providing your local and state government with your CSO.

But this isn’t the vending machine in your break room—it’s critical that you make the right decision for your government compliance.

You can do that a little better now that you have a baseline of how the StateRAMP program works, especially in comparison to FedRAMP. Between them, they have many of the same requirements, and if you’re already in the FedRAMP marketplace, it’s not a far stretch to get your StateRAMP ATO.

To learn more about other types of government compliance, check out our other content:

About the Author

Andy Rogers

Andy Rogers is a Senior Associate with Schellman & Company, LLC based in Indianapolis, IN. Prior to joining Schellman & Company, LLC in 2021, Andy Rogers worked as a Cyber Security Consultant, for a Government Aeronautics company specializing in UAVs, Satellites, and FedRAMP audits. Andy Rogers has over 17 years of experience comprised of serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP, assessing for organizations across various industries.
