StateRAMP vs FedRAMP: Compliance for State Government Cloud
Two Authorization Programs, One Underlying Standard
State and local governments procure cloud services in much the same way federal agencies do, but the federal FedRAMP program does not formally apply to state and local purchases. For years this left a gap: state governments wanted FedRAMP-grade assurance for their cloud purchases but lacked a recognized authorization mechanism. StateRAMP (the State Risk and Authorization Management Program) was established in 2020 to fill that gap.
StateRAMP and FedRAMP share most of their substantive foundation. Both use NIST SP 800-53 Rev. 5 controls. Both define impact baselines (Low, Moderate, High). Both rely on independent third-party assessment (accredited 3PAOs for FedRAMP, StateRAMP-approved assessors for StateRAMP). The differences are in governance, the sponsorship model, and which jurisdictions accept which authorization.
For cloud service providers selling into both federal and state markets, the question is not "which program to pursue" but "how to operate both efficiently from a shared compliance program."
The Two Programs Side by Side
Aspect                  FedRAMP                                              StateRAMP
----------------------  ---------------------------------------------------  -------------------------------------------------
Authority               U.S. General Services Administration                 StateRAMP (non-profit, public benefit)
Customers               U.S. federal agencies                                State and local governments, education
Control baseline        NIST 800-53 Rev. 5                                   NIST 800-53 Rev. 5 (same)
Impact baselines        Low, Moderate, High                                  Low, Moderate, High
Sponsorship             Federal agency sponsor or JAB                        State agency sponsor or board review
Assessor model          Accredited 3PAO                                      Approved assessor
Continuous monitoring   Monthly vulnerability scans, quarterly POA&M         Similar cadence, aligned to the FedRAMP model
Reciprocity             Does not automatically recognize StateRAMP           One-way: StateRAMP recognizes FedRAMP
Cost                    $150K-$800K initial; $100K-$600K annual              Lower (roughly 25-50% of the FedRAMP equivalent)
Timeline                12-36 months                                         6-18 months typical
When Each Applies
FedRAMP applies when the customer is a U.S. federal agency. Federal procurement vehicles, federal funding flowing through state programs, and federal contracts with state pass-through commonly require FedRAMP. The federal contracting officer determines the impact baseline based on FIPS 199 categorization of the data the cloud will handle.
StateRAMP applies when the customer is a state, local, or education entity (the "SLED" segment). StateRAMP authorization is increasingly required as a procurement prerequisite in states that have adopted StateRAMP as their cloud security baseline. Dozens of states now reference StateRAMP in procurement decisions, though the breadth of adoption varies by state.
Some procurements straddle both. A state-administered federal program (Medicaid, SNAP, federal grants distributed by state agencies) may require FedRAMP for the federal portion and StateRAMP or equivalent for the state-only portion. Cloud providers serving these mixed environments often pursue both.
The Reciprocity Question
One-way reciprocity is the most important practical asymmetry: StateRAMP recognizes FedRAMP authorizations at the equivalent impact baseline, but FedRAMP does not automatically recognize StateRAMP.
This means:
A cloud service with a FedRAMP Moderate authorization can typically use that authorization to satisfy StateRAMP procurement requirements at Moderate. The cloud provider submits the FedRAMP package to StateRAMP, which conducts an abbreviated review.
A cloud service with only StateRAMP authorization must pursue a separate FedRAMP authorization to sell to federal customers.
For cloud providers entering the public sector, the strategic implication is: if there is any prospect of federal procurement, FedRAMP first is generally the better sequence. If the market is firmly state-only (e.g., a SaaS specific to state DMVs), StateRAMP alone is often sufficient.
The Assessor and Authorization Process
Both programs follow a similar high-level lifecycle:
1. Readiness assessment: optional but common. The cloud provider engages an assessor for a gap analysis before formal authorization work.
2. System Security Plan (SSP): a detailed plan documenting the system, its boundary, applicable controls, and implementation status. The SSP is the foundational artifact.
3. 3PAO assessment (FedRAMP) or approved assessor audit (StateRAMP): independent assessment of control implementation and operational effectiveness.
4. Security Assessment Report (SAR): the assessor's findings, including identified deficiencies and Plan of Action and Milestones (POA&M).
5. Authorization decision: FedRAMP issues an Authorization to Operate (ATO) via agency or JAB. StateRAMP issues a status (Ready, Authorized, Provisional) based on review.
6. Continuous monitoring: ongoing scanning, POA&M updates, annual self-assessment, and re-authorization on the defined cadence.
The artifacts overlap substantially. An organization that maintains the SSP and supporting evidence for FedRAMP can typically reuse 80-90% of the same artifacts for StateRAMP.
What the StateRAMP Statuses Mean
StateRAMP differentiates between statuses that indicate where a cloud service is in the assessment lifecycle:
Ready: the cloud service has completed an assessment and submitted documentation; the StateRAMP authority is reviewing.
Provisional Authorized: a state sponsor has provided a provisional authorization based on the assessment; the cloud service can be procured by that sponsor.
Authorized: the cloud service has full StateRAMP authorization, supported by a state sponsor or by the StateRAMP authorization committee.
The "Authorized" status with a state sponsor is the equivalent of FedRAMP Agency ATO. The provisional status allows a single sponsor to procure while the broader authorization completes.
Continuous Monitoring Across Both Programs
Both FedRAMP and StateRAMP rely on continuous monitoring to maintain authorization. The expectations are similar:
Monthly vulnerability scans of in-scope assets
Quarterly POA&M updates documenting open findings and remediation progress
Annual self-attestation and re-assessment activities
Configuration baseline enforcement with drift detection
Incident reporting per program guidance
A cloud provider operating in both programs typically runs a single continuous monitoring program that produces evidence for both. The submission cadences and review processes differ, but the underlying scans, baseline enforcement, and audit log retention are common.
The largest source of operational efficiency in dual authorization is automating the continuous monitoring discipline. CIS benchmark scanning, configuration drift detection, and POA&M tracking can serve both program submissions from a single evidence pipeline.
How a Dual Authorization Program Operates
Cloud providers serving both federal and SLED customers structure their compliance program with shared foundations:
Single boundary, two authorizations. The cloud service offering operates within a single FedRAMP-eligible boundary. The same architecture, same personnel, same monitoring serves both authorizations.
Single SSP, dual mapping. The SSP documents the implementation once, with cross-references to both FedRAMP and StateRAMP control baselines. Where the two programs have minor variations, the SSP notes them explicitly.
Single evidence pipeline. Vulnerability scans, configuration scans, audit logs, incident records — generated once, retained centrally, submitted to both authorities.
Two assessment cycles. The FedRAMP 3PAO and StateRAMP-approved assessor work from the same evidence but conduct separate assessments. Scheduling them in succession is more efficient than running them simultaneously.
Two POA&M trackers. Each authority requires its own POA&M format and update cadence. The underlying findings are the same; the tracker reflects each program's reporting conventions.
The ongoing operational cost of maintaining dual authorization is substantially less than 2x single authorization. The estimated incremental cost of adding StateRAMP to an existing FedRAMP program is 15-30% of the FedRAMP cost, primarily for the StateRAMP-specific assessor engagement and submission overhead.
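The "single evidence pipeline, two POA&M trackers" model above, as an added illustration (not CISGuard's code and not the official program templates): one set of scan findings, each carrying its CIS check and mapped NIST SP 800-53 control, is rendered into a FedRAMP-style per-finding tracker and a StateRAMP-style per-control summary. The 30/90/180-day remediation SLAs, the column layouts, and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLAs by severity (not stated on the page).
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str      # in-scope asset inside the single authorization boundary
    check: str      # CIS benchmark check that failed
    control: str    # NIST SP 800-53 Rev. 5 control the check maps to
    severity: str
    detected: date
    owner: str


def due_date(f: Finding) -> date:
    return f.detected + timedelta(days=SLA_DAYS[f.severity])


def is_overdue(f: Finding, today: date) -> bool:
    """Remediation lag beyond the SLA is itself a common assessment finding."""
    return today > due_date(f)


def fedramp_rows(findings, today):
    """FedRAMP-style tracker: one row per finding (simplified placeholder columns)."""
    return [{"poam_id": f"POAM-{i + 1:04d}", "control": f.control, "asset": f.asset,
             "weakness": f.check, "poc": f.owner,
             "scheduled_completion": due_date(f).isoformat(),
             "status": "Overdue" if is_overdue(f, today) else "Open"}
            for i, f in enumerate(findings)]


def stateramp_rows(findings, today):
    """StateRAMP-style tracker: the same findings summarized per control."""
    by_control = {}
    for f in findings:
        by_control.setdefault(f.control, []).append(f)
    return [{"control": c, "affected_assets": sorted(x.asset for x in fs),
             "open": len(fs), "overdue": sum(is_overdue(x, today) for x in fs),
             "earliest_due": min(due_date(x) for x in fs).isoformat()}
            for c, fs in sorted(by_control.items())]


# Constructed sample evidence from one scan run; both trackers derive from it.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("web-01", "CIS 5.2.1 root SSH login enabled", "AC-17", "high", date(2024, 4, 1), "ops"),
    Finding("web-02", "CIS 5.2.1 root SSH login enabled", "AC-17", "high", date(2024, 5, 20), "ops"),
    Finding("db-01", "CIS 4.1.1 auditd not enabled", "AU-12", "moderate", date(2024, 5, 1), "dba"),
]
```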
State Adoption Variation
Not every state has adopted StateRAMP. Adoption varies:
Some states require StateRAMP authorization for cloud procurement
Some states accept StateRAMP authorization but do not require it
Some states reference FedRAMP directly without StateRAMP integration
Some states operate their own state-specific cloud assessment programs (TX-RAMP for Texas, AZ-RAMP for Arizona, others)
For cloud providers, the adoption variation means that StateRAMP may not unlock every state. A state-specific assessment may also be required. Cloud providers operating broadly across the SLED segment monitor state procurement requirements continuously.
Common Findings in StateRAMP Assessments
The findings in early StateRAMP assessments mirror the patterns in FedRAMP assessments, with some variation:
Configuration baseline drift away from the documented baseline
Audit log retention gaps below the program requirement
Vulnerability remediation lag beyond the documented SLA
Personnel security gaps in background screening or termination processes
Subservice provider documentation gaps where third-party services are inherited without clear documentation
Continuous monitoring submission inconsistencies where evidence is generated but not submitted on the required cadence
The pattern is that most findings reflect lapses in operational discipline rather than architectural gaps. They are correctable through continuous compliance tooling that produces evidence as a byproduct of operations.
How CISGuard Supports FedRAMP and StateRAMP
CISGuard is built for the continuous monitoring operating model both programs require:
22 CIS benchmarks mapped to NIST 800-53 Rev. 5 controls, with per-control evaluation status
AWS GovCloud and Azure Government deployment support for FedRAMP-eligible regions
Per-asset baseline enforcement and drift detection across the boundary
Immutable audit trail of every scan and finding, with cryptographic integrity protection
POA&M-formatted reporting with status, owner, target date, and compensating controls
Single evidence pipeline producing reports for both FedRAMP and StateRAMP from the same scans
See FedRAMP and StateRAMP-aligned features in CISGuard or request a public sector readiness review.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.