StateRAMP Authorization

Achieve StateRAMP authorization for state government contracts

Evidr automates NIST control mapping, evidence collection, and continuous monitoring for StateRAMP authorization. Sell to state and local governments across 20+ member states with a single security assessment.

Built by the same team that builds platforms for Google, AWS, BMW, Philips

20+ Member states
190 Category 2 controls
3-6 Months to authorization
1 Assessment, many states

StateRAMP Security Categories

StateRAMP defines security categories based on data sensitivity and potential impact. Most cloud SaaS providers targeting state government fall into Category 2.

Category 1: Low Impact (125 controls)
Low sensitivity data. Minimal adverse impact if compromised.
Category 2: Moderate Low (190 controls, Most Common)
Moderate impact, low sensitivity. Most government SaaS.
Category 3: Moderate High (250 controls)
Moderate impact, higher sensitivity. PII and sensitive data.
FedRAMP: Equivalency (325 controls)
FedRAMP authorized providers. Reciprocity pathway.

StateRAMP Category 2: Ready for Review
Access Control — 25/25 controls
Audit & Accountability — 12/12
System & Comm. Protection — 38/38
Risk Assessment — 6/6
Controls Implemented: 190/190

Everything you need for StateRAMP authorization

From security package generation to continuous monitoring, Evidr automates the path to StateRAMP authorization and APL listing.

NIST 800-53 Control Mapping

Automatic mapping to NIST SP 800-53 controls based on your security category. Track implementation status across control families with real-time progress.

Security Package Generation

Generate StateRAMP-compliant security documentation including System Security Plan, policies, procedures, and control implementation statements.

Continuous Monitoring

Meet StateRAMP continuous monitoring requirements with automated evidence collection, vulnerability tracking, and monthly/annual deliverables.

Authorized Catalog Listing

Prepare for StateRAMP Authorized Product List (APL) listing. Documentation, evidence, and attestations ready for verification review.

Evidence Artifact Collection

AI-powered evidence review with confidence scoring. Upload once, map to multiple controls. Automatic classification for 3PAO assessment.

Multi-State Compliance

StateRAMP authorization accepted across member states. Single assessment, multiple state contracts. Eliminate duplicate audits.

One authorization, 20+ state markets

StateRAMP member states accept StateRAMP authorization for cloud procurement, eliminating duplicate security assessments and accelerating your sales cycle.

Arizona, Arkansas, Colorado, Connecticut, Georgia, Indiana, Louisiana, Minnesota, Montana, Nevada, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, South Carolina, Tennessee, Texas, Utah, Vermont

Membership continues to grow. Check StateRAMP.org for the current member list.

Manual vs. automated StateRAMP compliance

Without Evidr
6-12 months to authorization
Track 190+ controls in spreadsheets
Write SSP documentation from scratch
Manually collect evidence for each control
Repeat assessments for each state
No visibility into authorization readiness

With Evidr
3-6 months to authorization
All controls mapped and tracked automatically
Generate SSP with AI-powered templates
AI-powered evidence review and mapping
One assessment covers all member states
Real-time readiness scoring by control family

StateRAMP authorization roadmap

Follow our proven process to achieve StateRAMP authorization and APL listing in 3-6 months.

1. Readiness Assessment (Week 1-2)

AI-guided assessment profiles your environment and identifies gaps against StateRAMP baselines. Determine the appropriate security category.

2. Security Package Development (Week 3-8)

Generate SSP, policies, and procedures with AI assistance. Complete control implementation statements and system documentation.

3. Evidence Collection (Week 8-12)

Upload evidence artifacts for each control. AI reviews with confidence scoring and maps to NIST control families automatically.

4. 3PAO Assessment (Week 12-16)

Engage a StateRAMP-approved Third-Party Assessment Organization for independent security assessment and verification.

5. Authorization & Listing (Week 16-20)

Submit assessment package for StateRAMP review. Upon approval, achieve Authorized status and listing on the Authorized Product List.

FedRAMP Reciprocity

Already FedRAMP authorized?

FedRAMP authorized providers can achieve StateRAMP equivalency through a streamlined verification process. Your FedRAMP authorization demonstrates compliance that meets or exceeds StateRAMP requirements.

No duplicate assessment required
Faster path to APL listing
Leverage existing documentation

Reciprocity Pathway

1. Submit FedRAMP ATO package
2. StateRAMP verification review
3. Achieve StateRAMP equivalency

Frequently asked questions about StateRAMP

What is StateRAMP?

StateRAMP is a nonprofit membership organization that provides a standardized approach to security verification for cloud service providers (CSPs) serving state and local governments. Modeled after FedRAMP, StateRAMP reduces duplicative security assessments by enabling authorization reciprocity across member states, saving time and costs for both vendors and government agencies.

What are the StateRAMP security categories?

StateRAMP defines four security categories based on data sensitivity and impact: Category 1 (Low Impact) for minimal sensitivity data, Category 2 (Moderate Impact, Low Sensitivity) for most government SaaS, Category 3 (Moderate Impact, Moderate Sensitivity) for PII and sensitive data, and FedRAMP Equivalency for providers already holding FedRAMP authorization.

Who needs StateRAMP authorization?

Cloud service providers seeking to sell software or cloud services to state and local government agencies benefit from StateRAMP authorization. With over 20 member states now recognizing StateRAMP, authorization is increasingly required or preferred in government procurement. It simplifies multi-state sales by eliminating duplicate security assessments.

Which states accept StateRAMP?

StateRAMP has over 20 member states including Arizona, Colorado, Georgia, Indiana, Minnesota, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, Texas, Utah, and Vermont. The membership continues to grow as more states adopt standardized cloud security verification. Check StateRAMP.org for the current member list.

How is StateRAMP different from FedRAMP?

StateRAMP focuses on state and local government while FedRAMP targets federal agencies. Key differences: StateRAMP has streamlined security categories, lower assessment costs, and faster authorization timelines. FedRAMP authorized providers can achieve StateRAMP equivalency through a simplified verification process without a full new assessment.

How long does StateRAMP authorization take?

StateRAMP authorization typically takes 3-6 months for prepared organizations. Timeline depends on your security category, current compliance posture, and 3PAO availability. Organizations with existing SOC 2 or FedRAMP certifications can often accelerate the process by leveraging existing evidence and documentation.

What is the StateRAMP Authorized Product List?

The StateRAMP Authorized Product List (APL) is a public registry of cloud service providers that have achieved StateRAMP authorization. Government agencies can use the APL to identify pre-vetted solutions that meet security requirements. APL listing demonstrates your commitment to security and simplifies procurement.

Can I use FedRAMP authorization for StateRAMP?

Yes. FedRAMP authorized providers can achieve StateRAMP equivalency through a streamlined verification process. This recognizes FedRAMP as meeting or exceeding StateRAMP requirements. The reciprocity pathway is faster and less expensive than pursuing a separate StateRAMP authorization.

Often paired with StateRAMP

Evidr supports 12+ compliance frameworks with shared evidence and unified control mapping.

Ready to achieve StateRAMP authorization?

Schedule a demo with our compliance team. We will walk you through automated control mapping, evidence collection, and the path to APL listing.