StateRAMP Assessment & Authorization
Highly skilled, client-focused assessors to guide you through the StateRAMP process
"*" indicates required fields
What is StateRAMP?
In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, offering a framework for federal agencies to manage risk in commercial cloud service provider environments through a standardized assessment methodology. Recognizing FedRAMP’s advantages for the federal sector, the State Risk and Authorization Management Program (StateRAMP) was formed in 2021. This initiative addresses the increasing need for state and local governments to effectively handle third-party risks in commercial cloud environments, introducing an efficient methodology to verify the security posture of cloud environments.
StateRAMP implements a robust security assessment framework with the primary objective of assisting agencies that are transitioning to secure and dependable cloud-based solutions. Cloud service providers (CSPs) intending to offer cloud services to state and local governments must demonstrate compliance with the NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and StateRAMP-specific security controls. Compliance assessments are performed by Third Party Assessment Organizations (3PAOs), accredited by the American Association for Laboratory Accreditation (A2LA) and authorized by the FedRAMP program management office (PMO).
What is a StateRAMP assessment?
Following the FedRAMP model, Linford & Company provides StateRAMP compliance certification services, commonly known as StateRAMP authorization. These services are designed to assist organizations in demonstrating their adherence to cloud security controls and fulfilling the requirements of the StateRAMP program. Cloud Service Providers (CSPs) seeking Authorization to Operate (ATO) can leverage our comprehensive StateRAMP compliance assessments and certification services which encompass the following key components:
- Pre-assessment/gap analysis: Evaluating a CSP’s readiness for the StateRAMP process, including reviews of boundary definitions, documentation, and high-priority control implementations.
- Assessment planning and Security Assessment Plan (SAP) development.
- Assessment/testing execution against NIST 800-53 controls and StateRAMP control enhancements, to include penetration testing
- Assessment reporting and final package development for submission to the StateRAMP PMO or relevant state agencies.
- Annual assessments, including penetration testing, of the system after initial ATO award.
Assessment of StateRAMP security controls and associated documentation, policies, and compliance procedures requires an independent A2LA accredited and FedRAMP-approved Third Party Assessment Organization (3PAO) assessor. This assessor should possess a background and expertise in StateRAMP controls, assessment processes, and the capability to document compliance. Linford & Company takes pride in being an accredited 3PAO, ensuring the credibility and proficiency of our certification services.
What is the value of a StateRAMP assessment?
Companies seeking StateRAMP authorization are CSPs aiming to offer their services to state and local governments. The StateRAMP compliance assessment stands out from other methodologies by comprehensively examining the entirety of an organization’s cloud environment, including people, processes, and technology. This assessment demands extensive documentation, often spanning hundreds of pages, and necessitates an ongoing commitment to upholding control environments through rigorous continuous monitoring.
Achieving StateRAMP authorization holds immense value for cloud service providers by significantly expanding their market reach through the demonstration of compliance with a rigorous security framework like StateRAMP. With the “do once, use multiple times” approach, once an organization secures Authorization to Operate (ATO) from a state or local agency (or directly from the StateRAMP PMO), this authorization can be leveraged across multiple state and local government agencies. This strategic advantage enables the marketing of cloud services across a broad spectrum of state and local government entities.
StateRAMP Assessment Process
How does a StateRAMP engagement begin?
Our highly qualified assessors engage in consultations with both management and technical staff to thoroughly understand the requirements of each organization, the specific scope, and the overall timeline associated with the assessment process.
When are the fees and timeline presented?
After the assessment scope is defined, L&C will provide an engagement fee estimate. In conjunction with the assessment kickoff involving the StateRAMP PMO and the state or local agency sponsor, L&C develops a schedule outlining high-level milestones which is also reflected in the Security Assessment Plan (SAP). L&C strives to meet all reporting deadlines.
How does a StateRAMP audit work?
The first step of the StateRAMP process is obtaining StateRAMP Ready status. In order to obtain a StateRAMP-ready status, a CSP must meet the minimum security standards based on the impact level of their system as attested to by an accredited 3PAO. Once all of the documentation is complete, the SAP is developed. Upon completion and approval of the SAP, the assessment begins. Our assessment approach involves a detailed examination of documentation, interviews with CSP staff, and rigorous technical testing to understand the status of control implementation. The testing details are systematically documented in our Test Case Workbooks (TCW), Risk Exposure Table (RET), and Security Assessment Report (SAR). Transparent reporting of test results is then provided to the CSP, the relevant state or local government agency (as applicable), and the StateRAMP Program Management Office (PMO).
How will the audit affect our workplace environment?
Although StateRAMP assessments demand considerable time and effort, L&C’s objective is to minimize disruptions to an organization’s productivity. We strive to efficiently gather essential data, ensuring a thorough and accurate StateRAMP assessment while keeping any impact on the organization’s daily operations to a minimum.
What are the deliverables?
Within the StateRAMP assessment process, L&C will deliver the artifacts outlined by the StateRAMP Program Management Office (PMO), including the SAP, TCW, RET, SAR, and any supplementary supporting documentation. Before delivering the assessment results to any state or local agency and the StateRAMP PMO, L&C will review the testing artifacts with the CSP to make sure there is alignment regarding the test results.
Experienced Assessors
Our highly experienced assessors demystify the StateRAMP process and leverage their vast experience to deliver comprehensive assessments.
Our Partners
Why Choose Linford & Company LLP?
Extensive Experience
Our personnel have over 75 years of combined experience leading successful security engineering efforts for highly complex programs requiring compliance with NIST 800-53 controls. We are no strangers to documenting, engineering, testing, and securely delivering systems to government agencies.
Dedicated Assessors
StateRAMP compliance is a rigorous and challenging process, demanding a deep knowledge of technology and NIST 800-53 controls. At Linford & Company, we provide an experienced and responsive team that are dedicated to a complete and thorough assessment.
Achieve Compliance
Our highly skilled assessors will help your organization successfully navigate the complexities of the StateRAMP process to achieve a StateRAMP authorization.
Ready for a StateRAMP Assessment?
Fill out the form and we’ll put you in touch with one of our experienced assessors. Your contact information stays with us and is only used to talk with you about your StateRAMP assessment—we do not sell or share your contact information with anyone.
"*" indicates required fields