FedRAMP vs. StateRAMP

Sometimes, it might be easier to think of compliance as a vending machine.

The choices are priced differently, flavored differently, and suit the tastes of different people. When you were a kid and your parents gave you money to pick a snack, you probably thought long and hard about what you wanted—what would satisfy your craving at the time.

You’re not choosing between potato chips or a candy bar when it comes to government compliance—obviously, the stakes are much higher.

FedRAMP is probably the most well-known government compliance initiative, but it’s not the only one. There’s another program out there—State Risk Assessment Management Program (StateRAMP)—and you might be wondering if that’s where you should be spending your “nickels and dimes” on compliance.

You’re a cloud service provider (CSP) that wants to get your offering out there for use. To do that, you’ll need a form of compliance, and we are going to help you navigate the options.

In this article, we’ll outline what StateRAMP is. Because FedRAMP is more established, we’ll draw comparisons to it to help make StateRAMP more easily digestible.

After reading, you’ll understand StateRAMP and what it could mean for your Cloud Service Offering (CSO).

What is StateRAMP?

As you may have guessed, StateRAMP is a program for CSPs that want to offer cloud services to the state government and its many departments, bureaus, non-profits, agencies, and organizations.

You’ll recall that FedRAMP is for those with a desire to do business with the federal government.

That difference will, no doubt, play a major role in the selection process. But as with most projects, so will their respective costs. Before we address the complexities of the relationship between these two programs, you should know that—when you do eventually get around to working with a 3PAO—the respective prices are very similar:

  • $230k-$260k** for an initial assessment; and
  • $160k-$200k** for annual assessments.

**These numbers are estimates for organizations seeking StateRAMP ATO outright. However, your StateRAMP price will vary depending on a number of factors. Important among those is whether you have already completed a FedRAMP assessment and received a FedRAMP Authorization to Operate (ATO) (which we will get into in a moment).

Though these two programs are separate, we should note a couple of important things about their relationship:

  • If you already have a FedRAMP ATO with a federal sponsor, that does not mean that you are good to go across all of StateRAMP.
  • However, a FedRAMP ATO will allow you access to StateRAMP Fast Track, which significantly reduces StateRAMP process time from months to weeks.
    • The initial assessment and annual assessment are streamlined, and nothing additional is generally required to assess.
    • In going this route, you will need to pay for the StateRAMP membership fee, which varies depending on the organization.
    • You will also need to pay for the StateRAMP Program Management Office (PMO) review:
      • Initial and authorization review combined total: Estimated $7,500**
      • Continuous Monitoring assessment reviews: Approximately $5,000**

** These estimates apply only if you are in the process of, or have completed, an initial and annual FedRAMP assessment and are able to take the Fast Track route.

What is the StateRAMP Process?

Let’s talk more about the StateRAMP process. As with FedRAMP, to obtain a StateRAMP ATO you’ll need to:

  • Secure a sponsoring organization;
  • Prepare your environment according to the StateRAMP requirements (more about this below);
  • Hire a Third-Party Assessment Organization (3PAO) that is designated by the American Association for Lab Accreditation (A2LA) and listed on the StateRAMP Marketplace as a 3PAO to assess your environment;
  • Successfully complete the PMO and sponsoring agency reviews of the security authorization package; and
  • Await ATO before you can begin providing your services to your government sponsor(s).

StateRAMP, like FedRAMP, has a marketplace that lists organizations that have already received an ATO as well as accredited 3PAOs. 

The review and buildout process ahead of your assessment will also look very consistent. The same National Institute of Standards and Technology (NIST) publication, NIST 800-53 v4 (soon to be v5), that applies to FedRAMP also applies to StateRAMP.

Non-Sponsor Assessment Package Review (StateRAMP Approvals Committee)

CSPs without a StateRAMP sponsor may still submit an initial SAR package for authorization review to the StateRAMP Approvals Committee. Unlike the JAB, the committee is not selective and reviews packages on a first-in, first-out basis (a queue). The Approvals Committee has set a rate of review of 2-3 packages per month.

What are StateRAMP’s Requirements?

The similarities between the programs don’t end with just the process. When you undergo a StateRAMP assessment, the purpose is also very comparable to that of FedRAMP—you must identify your risk tolerance based on the data you will store.

(This bit is arguably made easier as you can leverage StateRAMP’s classification tool.)

When classifying said data, the StateRAMP Low, Low+, and Moderate designations also have a direct mapping to FedRAMP:

  • StateRAMP Low: 117 Controls
  • StateRAMP Low+: 179 Controls with overlay requirements
    • What is a control overlay? These are added controls to comply with additional requirements.
    • Common control overlays would include those to accommodate Criminal Justice Information Services (CJIS), International Traffic in Arms Regulation (ITAR), Minimum Acceptable Risk Standards for Exchanges (MARS-E), Privacy Controls, Health Insurance Portability and Accountability Act (HIPAA), etc.
  • StateRAMP Moderate: 312 Controls. While there's no specific control set designation, a government sponsor can add additional controls to be assessed.
  • StateRAMP Moderate+: 312 Controls plus overlays—while there are no additional controls specified as part of this baseline, the same overlays mentioned for Low+ may also be layered on top of the Moderate baseline.

    Note: The higher the baseline, the more restrictive the requirements become.

Is There a StateRAMP High Baseline?

That being said, you may be wondering about a high baseline. After all, within FedRAMP, the High baseline represents the strongest level of security that protects sensitive, unclassified data.

However, StateRAMP does not account for a High baseline—if your environment contains systems covering that kind of information, you would be referred to FedRAMP.

StateRAMP's FedRAMP Requirements

StateRAMP also actually leverages many FedRAMP requirements, including the:

  • Annual assessment performed by a 3PAO once the CSO achieves ATO
  • Continuous monitoring requirements with the sponsoring organization
  • Plan of Action and Milestones (POA&M) requirements
    • Required monthly submission to the PMO and your agency
  • Vulnerability mitigation requirements
    • 30 days for High, 90 days for Moderate, 180 days for Low 

The point is, if you’re already familiar with FedRAMP requirements, you’re ahead of the game in preparing for StateRAMP.

However, don’t assume that working at the state level means it’s going to be easier. Everything still has to do with your sponsoring organization and the data that you are storing and processing.

How is StateRAMP Different from FedRAMP?

Now that we have established some of the similarities between these two programs, let’s talk about the primary areas where they diverge:

  • Backing: FedRAMP is federally funded, while StateRAMP is a 501(c)(6) nonprofit organization. That explains the aforementioned membership fee and report review fees relevant to StateRAMP.
  • “Showstoppers:” Because the programs are run by two different PMOs, they may have different “showstoppers” that could hold you up in the ATO process.
  • Ready Statuses: Unlike FedRAMP’s—which expires after 12 months—StateRAMP Ready status does not expire.
  • ATO Approach: StateRAMP offers two different approaches to ATOs:
    • Non-Sponsored Assessment Package to gain a full ATO via their StateRAMP Approvals Committee
    • The typical Agency-Sponsored path known from FedRAMP

Important Note: StateRAMP ATOs are a lot like FedRAMP JAB ATOs in that they provide authorization to serve all departments, bureaus, non-profits, agencies, and organizations (within the government of the state granting the ATO).

Do You Already Have FedRAMP ATO and Are Now Undergoing StateRAMP?

Good news—you'll be able to leverage StateRAMP Fast Track.

From a compliance and effort perspective, FedRAMP is the more challenging project, but if you've already received that ATO, you may be grandfathered into StateRAMP via Fast Track and consequently can get a StateRAMP ATO for just the Continuous Monitoring assessment price.

It'll also be a quicker process—the StateRAMP PMO only has to review your CSP's FedRAMP documentation package and you're good to go.

Moving Forward with StateRAMP Compliance

As with its counterpart FedRAMP, StateRAMP compliance can be a worthy investment—especially if you already have a viable product and a state agency to engage it. It’s your doorway to providing your local and state government with your CSO.

But this isn’t the vending machine in your break room—it’s critical that you make the right decision for your government compliance.

You can do that a little better now that you have a baseline of how the StateRAMP program works, especially in comparison to FedRAMP. Between them, they have many of the same requirements, and if you’re already in the FedRAMP marketplace, it’s not much of a stretch to get your StateRAMP ATO.

About the Author

Andy Rogers

Andy Rogers is a Senior Associate with Schellman & Company, LLC based in Indianapolis, IN. Prior to joining Schellman & Company, LLC in 2021, Andy Rogers worked as a Cyber Security Consultant for a Government Aeronautics company specializing in UAVs, Satellites, and FedRAMP audits. Andy Rogers has over 17 years of experience serving clients in various industries, including health insurance, nuclear energy production, government contracting, IT services, and tactical aircraft manufacturing. Andy Rogers is now focused primarily on FedRAMP assessments for organizations across various industries.
