StateRAMP
StateRAMP is the state and local government equivalent of FedRAMP — a standardized cloud security authorization framework for technology vendors serving US state and local agencies.
StateRAMP was established in 2021 to address a gap in the cloud security landscape: while FedRAMP provides a rigorous authorization pathway for federal agencies, state and local governments had no equivalent standard. Each state was independently evaluating cloud vendors with inconsistent criteria, creating both security gaps and procurement friction. StateRAMP provides a common framework — based on NIST SP 800-53 controls — that allows vendors to achieve a single authorization recognized across participating member states.
StateRAMP has three verified security statuses. StateRAMP Ready indicates that a third-party assessment organization (3PAO) has verified the vendor meets StateRAMP's minimum mandatory requirements. StateRAMP Provisional indicates the vendor meets most requirements and has an approved plan of action for the remainder. StateRAMP Authorized indicates the vendor meets all requirements for its impact level and is subject to ongoing continuous monitoring. Each status is granted at an impact level that mirrors FedRAMP's categorization (Low, Moderate, or High, plus a StateRAMP-specific Low+ level that adds selected controls to the Low baseline): Low for publicly available information, Moderate for controlled or personally identifiable data, High for the most sensitive government data. Many participating governments accept StateRAMP Ready as the minimum status for cloud procurement, but the required status and impact level are set by each government in its own contract language.
The relationship between StateRAMP and FedRAMP matters for vendors selling to both markets. A FedRAMP Authorized vendor does not repeat a full 3PAO assessment: StateRAMP's Fast Track process accepts the existing FedRAMP package at the equivalent impact level, after which the vendor enrolls with StateRAMP, the StateRAMP PMO reviews the package, and the vendor meets StateRAMP's continuous monitoring reporting. The reverse does not hold: a StateRAMP Authorized vendor receives no FedRAMP authorization, since FedRAMP requires its own sponsorship and assessment process. For vendors targeting state and local markets without federal requirements, StateRAMP-only authorization is a faster and lower-cost pathway than FedRAMP.
We architect StateRAMP authorization requirements into cloud systems from the initial design — selecting the appropriate impact level, implementing NIST 800-53 controls through infrastructure-as-code, and building continuous monitoring capabilities that satisfy StateRAMP's ongoing reporting requirements. For vendors already pursuing FedRAMP, we design systems that satisfy both simultaneously.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.