Rev. 5 Templates and Resources
StateRAMP’s security templates are developed based on policies adopted by the Board of Directors and recommended by the Standards & Technical Committee. Find the policies, templates, and resources you need on this page.
Announcing StateRAMP's New Rev. 5 Baselines
The updated StateRAMP Security Snapshot criteria and scoring will be in effect beginning January 2024. Providers submitting for or maintaining a status of StateRAMP Ready, Authorized or Provisional have until October 1, 2024, to update security packages, including annual Third Party Assessment Organization (3PAO) audits, to comply with the updated Rev. 5 requirements.
StateRAMP Standards
StateRAMP has selected the NIST 800-53, Rev. 5 framework as the foundation for all applicable standards. This is in part due to the best practice demonstrated by FedRAMP and given that many security frameworks used by state and local governments are generally tied to the NIST 800-53 framework. This framework is applied in the assessment of service provider’s specific products that serve state and local governments and additional public sector organizations.
The following outlines StateRAMP policies that establish StateRAMP security standards and requirements. These polices are adopted and reviewed annually by the StateRAMP Standards and Technical Committee and Board of Directors.
- Security Assessment Framework
- Baseline Controls Matrix and Guidance
- Security Snapshot Criteria and Scoring
- Data Classification Tool
- Ready Minimum Mandatory Requirements for Low Impact Level
- Ready Minimum Mandatory Requirements for Moderate and High Impact Levels
- Baseline Controls by Impact Level for Authorization
- Authorization Boundary Guidance
- Penetration Test Guidance
- Continuous Monitoring Guide
- Vulnerability Scan Requirements Guide
- Incident Communications Procedures
- Continuous Monitoring Escalation Process Guide
Criteria & Guidance for StateRAMP Security Snapshot
The 2024 StateRAMP Security Snapshot includes updated controls aligned with Rev. 5 and updated scoring that is weighted in accordance with the MITRE ATT&CK Framework control protection values. The Security Snapshot does not require a 3PAO, and includes an abridged audit conducted virtually by the StateRAMP PMO. The following resources provide test case examples and artifact guidance for those preparing for a Snapshot assessment.
Download the Security Snapshot Test Case Criteria and Artifact Guidance (.zip)
Get Started With StateRAMP Security Snapshot
Tthe StateRAMP Security Snapshot provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready. Click the button below to learn more about the Security Snapshot and see available options.
Templates for Ready, Provisional, and Authorized Statuses
StateRAMP statuses of Ready, Provisional, and Authorized rely on independent audits that are conducted by Third Party Assessing Organizations (3PAOs).
Following the conclusion of the 3PAO audit for Ready or Authorized, the provider and 3PAO must assemble a final package and submit the package for security review to the StateRAMP PMO.
Assessors must provide a package that includes:
- Assessor Matrix
*Incorporated into the new Assessor Matrix is the StateRAMP Readiness Assessment Review (RAR), StateRAMP Security Assessment Review (SAR), test case procedures, risk exposure template, and system overview. - Security Assessment Plan
Service Providers must provide a security package that includes:
- Operational Controls Matrix
*Formerly known as the System Security Plan - Continuous Monitoring Matrix
*Now combined with a Plan of Action & Milestones
Products that achieve a StateRAMP Ready, Authorized or Provisional status are listed on the StateRAMP Authorized Product List.
Download compiled Packages with Templates and Sample Policies for Service Providers and Assessors below.
Provider packages include all required templates and sample policies and procedures for every NIST 800-53 control family, in addition to templates for Rules of Behavior, Incident Response Plan, Configuration Management Plan, Information System Contingency Plan, and Supply Chain Risk Management.
Service Provider Package for Low Impact (Last Published: Jan 8, 2024)
Service Provider Package for Moderate Impact (Last Published: Jan 10, 2024)
3PAO Package for Low Impact (Last Published: Jan 8, 2024)
3PAO Package for Moderate Impact (Last Published: Jan 8, 2024)
Get Started With StateRAMP
Our team is available to assist you through this process. Connect with our Membership Engagement Team at info@stateramp.org.
The StateRAMP Security Snapshot allows you to purchase a single Snapshot or enroll in the Progressing Snapshot Program.
StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Read more about the Ready or Authorized processes.
StateRAMP Program Management Office (PMO)
StateRAMP has an agreement with Knowledge Services to serve as the StateRAMP Program Management Office (PMO), given authority to carry out its work through the PMO Charter. The StateRAMP PMO supports service providers as they work to achieve their required/necessary level of StateRAMP authorization.
The fee schedule for the PMO to review security packages and facilitate the StateRAMP Security Snapshot Program is adopted by the StateRAMP Board and is available here. Reduced fees are available to small businesses.
StateRAMP PMO holds monthly office hours for general requirements and process questions. View upcoming staff hours at stateramp.org/events.
Inquiries about the program, membership, and security program may be sent to info@stateramp.org.
Receive StateRAMP Updates
Interested in StateRAMP? Sign up below to receive StateRAMP Updates.