How StateRAMP Can Help CSPs Win Business with State and Local Agencies

StateRAMP is a new nonprofit organization that helps state and local agencies verify that Cloud Service Providers (CSPs) meet a standardized set of cybersecurity requirements. Becoming an Authorized StateRAMP Vendor can be a great way for CSPs to win business with state and local governments. And over time, it is likely to become a prerequisite for doing business with these organizations.

In this blog post, we’ll answer some of the key questions you need to know about StateRAMP and what you need to do to become an Authorized StateRAMP Vendor.

What is StateRAMP?

Here are some of the most important things to know about StateRAMP:

  • It is a nonprofit organization founded in 2020, with the goal of providing a standardized approach to ensuring that CSPs meet the cybersecurity standards required for doing business with state and local agencies.
  • Modeled after the FedRAMP approach used to validate that CSPs offering services to Federal agencies meet required cybersecurity standards. Extends FedRAMP benefits to CSPs targeting state and local government agencies.
  • Like FedRAMP, StateRAMP leverages the National Institute of Standards and Technology’s (NIST) 800-53 controls.
  • StateRAMP will publish a list of Authorized StateRAMP Vendors, which state and local agencies can use as a resource to identify potential CSPs to work with.
  • Additional information is available on the StateRAMP website.

Who are the Key Players?

StateRAMP is a membership organization comprised of:

  • StateRAMP administration, including a Governing Board, councils and committees, Steering Committee, and StateRAMP leadership and staff.
  • CSPs, including Infrastructure as a Service (IaaS), Software as a Services (SaaS), and Platform as a Services (Paas) providers.
  • Third Party Assessment Organizations (3PAOs) that have been accredited by StateRAMP to assess CSPs for compliance with StateRAMP requirements.
  • Government Officials representing state and local government agencies.

How Do We Become an Authorized StateRAMP Vendor?

To become an Authorized StateRAMP Vendor, your organization will need to undergo an assessment by an accredited 3PAO to validate that you meet StateRAMP security controls at the low, moderate, and high levels. You can expect this process to take 14 to 16 weeks.

When a CSP has successfully completed their StateRAMP assessment, they will be added to the list of Authorized StateRAMP Vendors.

How Much Does it Cost to Attain StateRAMP Authorization Status?

CSPs must pay a $2,500 initial membership fee, an additional $5,000 when they become certified, and $5,000 annually after that.

What are the Benefits of Becoming an Authorized StateRAMP Vendor?

StateRAMP authorization provides the following benefits for CSPs:

  • Lets state and local agencies know that you are serious about security and have taken the steps necessary to comply with the robust StateRAMP requirements.
  • Demonstrates to your state and local government customers that their information is secure.
  • Allows you to leverage a single verification process to open doors to business with many state and local government opportunities. Eliminates need to re-certify for each state/local opportunity.

We Can Help

If you have questions about StateRAMP or would like help preparing for or attaining Authorized StateRAMP Vendor status, we can help. As one of the few accredited 3PAOs in the market today, Tevora is very well qualified to help you navigate the process of StateRAMP authorization. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

About the Author

Jeremiah Sahlberg is the Managing Director of Federal, Third Party Risk at Tevora.