StateRAMP Certification

StateRAMP Overview

Service providers who use or offer cloud solutions to process, store, and transmit government data can adopt a security plan with StateRAMP, a framework that helps state and local governments mitigate cyber threats that might occur from unsecured cloud solutions.

StateRAMP—State Risk and Authorization Management Program—represents the mutual interests of state and local governments, third-party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. The StateRAMP framework helps protect data such as personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) information.

StateRAMP has developed a widely acceptable set of standards, controls, and policies to meet the cybersecurity needs of governments, and its purpose is to:

  • Help state and local governments secure citizens’ data
  • Save taxpayer and service provider costs with its “verify once, service many” model
  • Reduce the burden on government
  • Advance cybersecurity education and best practices

StateRAMP is the states’ equivalent of FedRAMP, which promotes the adoption of secure cloud services across federal entities. It is built on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4 framework—which is the same publication the federal government used to develop FedRAMP.

Compared to FedRAMP, StateRAMP has:

  • Less controls
  • A less vigorous process
  • Quicker approval times


Through StateRAMP, state and local governments are provided a common method for verifying cloud security. The security statuses of StateRAMP include:

Verified offerings:

  • Ready—readiness assessment results submitted and approved by the project management officer (PMO)
  • Provisional—status when the cloud service provider (CSP) has met mandatory controls (readiness) but not yet satisfied the minimum (full) controls
  • Authorized—3PAO and PMO attest to CSP meeting minimum security controls and demonstration of plan to achieve deltas

Progressive offerings:

  • Active—CSP registered with StateRAMP and working with a 3PAO
  • In-Process—CSP preparing for full assessment
  • Pending—readiness package submitted and awaiting PMO review

Our Services

Through our gap assessment and advisory services, you’re on your way to reaching StateRAMP verified cloud security. We walk you through each step of the assessment process, and our security professionals are always available to advise you with your compliance questions and concerns. We help you reach your cloud security goals.

Gap Assessment
While StateRAMP requires a FedRAMP Authorized third-party assessment organization (3PAO) to conduct assessments, you can begin your StateRAMP verified process with a 360 Advanced Gap Assessment, which evaluates where you are in terms of compliance.

Our assessment determines the current security status of your cloud service organization and identifies the gaps as they relate to compliance to StateRAMP.

Advisory Services
Preparing to be authorized for StateRAMP can get a little tricky. That’s where 360 Advanced comes in.

We capture your current state of architecture, documentation, policies, and procedures. Through workshops with key stakeholders, we assess gaps against StateRAMP requirements and support demonstration of a mature cybersecurity program in-house and in line with StateRAMP requirements.

Then, we analyze the findings and make recommendations with a proposed implementation plan and actionable next steps.


Arizona’s AZ-RAMP, which began in 2015, was based on a set of security controls maintained by the NIST. AZ-RAMP was the foundation for StateRAMP, which launched in early 2021.

That same year, Texas Department of Information Resources created a statewide risk and authorization management program (RAMP) that included continuous monitoring of CSPs used by state agencies.

StateRAMP has expanded to multiple states, including Arizona, California, Florida, Georgia, Massachusetts, Michigan, New Hampshire, Oklahoma, North Carolina, and Texas, with more expected to follow.


You deserve a conversation, not a questionnaire.

We build long-term relationships through trust and value. If you’re looking for a trusted business advisor to build your holistic compliance strategy, let’s chat!