State regulatory agencies face mounting cybersecurity challenges in today’s risk-filled environment. As cloud solutions play a larger role in managing data and services, public sector agencies must secure their systems against evolving threats. Modeled after FedRAMP authorization, StateRAMP offers a standardized approach to verifying cloud security, ensuring vendors meet stringent risk management requirements. By adopting StateRAMP, regulatory agencies boost their cybersecurity posture, enhance public trust and streamline procurement processes.

StateRAMP Defined and Rebranded

As a cybersecurity framework, StateRAMP helps state and local governments verify the security of cloud service providers. Modeled after the FedRAMP certification program for federal agencies, it establishes standardized security requirements, ensuring vendors meet strict risk management protocols and cybersecurity standards before working with government agencies. By providing a structured process for assessing and monitoring cloud security, StateRAMP enables regulatory agencies to mitigate cyber threats, protect sensitive data and simplify procurement. Through a tiered authorization process, agencies confidently select vendors that align with their security needs while reducing compliance burdens and enhancing public trust in cloud-based government services.

On February 14, StateRAMP announced a rebrand to GovRAMP, reinforcing its mission to unify public and private sectors in advancing cybersecurity. As part of this transition, StateRAMP legally remains the organization’s name but now operates as (dba) GovRAMP. The transition reflects the organization’s broader commitment to securing cloud solutions across all levels of government, beyond state agencies. By aligning more closely with national cybersecurity priorities, GovRAMP aims to streamline compliance processes, enhance collaboration between government entities and vendors and strengthen the overall security framework for cloud service providers. For state regulatory agencies, the rebrand signifies continued support in navigating cybersecurity challenges while benefiting from a more cohesive and nationally recognized security verification process.

The Power of StateRAMP’s CJIS-Aligned Overlay

State agencies that manage criminal justice information must meet the FBI’s Criminal Justice Information Services (CJIS) Security Policy. Previously, aligning StateRAMP requirements with CJIS standards required complex mapping. Now, StateRAMP simplifies the process with the StateRAMP CJIS-aligned overlay.

The overlay helps vendors and agencies bridge the gap between cloud security and CJIS compliance. It maps CJIS requirements directly to StateRAMP baselines, providing a clear path for vendors seeking authorization. The alignment eliminates redundancy, reduces compliance overhead, and accelerates cloud adoption for criminal justice-related services.

For example, a state law enforcement agency adopting a cloud-based system now validates the vendor’s security status through StateRAMP’s CJIS overlay. Instead of navigating two separate compliance frameworks, the agency receives a streamlined verification process, ensuring CJIS minimum requirements and standards remain intact without added complexity.

Understanding StateRAMP Readiness Stages

StateRAMP categorizes vendors into distinct readiness stages, allowing state agencies to assess security maturity before onboarding a regulatory software provider. Understanding these stages enables agencies to make informed decisions when selecting cloud service providers.

Look for StateRAMP Certified Vendors

Working with a StateRAMP certified vendor eliminates the need for your regulatory agency to validate vendor security practices.

Evaluate your regulatory software vendors against the protocols outlined by StateRAMP. Inquire about a vendor’s StateRAMP status to better understand the security they provide.

Cloud vendors looking to achieve full StateRAMP certification must take deliberate steps toward full compliance. The transformation journey requires strategic planning, collaboration and a commitment to cybersecurity.

1. Authorized

Choose vendors in this stage to gain the highest level of assurance. The Authorized Product List (APL) includes products verified for security status as Ready, Provisionally Authorized or Authorized. To be verified, products must meet security requirements and pass an audit by a Third Party Assessment Organization (3PAO). “Ready” products meet minimum standards, “Provisionally Authorized” products are close to full authorization but lack certain certifications, and “Authorized” products comply with all required security controls. StateRAMP ensures ongoing compliance through continuous monitoring, maintaining security standards across the listed products.

2. Progressing

Work with vendors in this stage when you need security assurance backed by a formal review but full authorization is still in progress. StateRAMP recognizes cloud services working toward verification with a “progressing” status. To be listed, products must either join the StateRAMP Progressing Snapshot Program or engage a Third-Party Assessment Organization (3PAO) for an audit. Progressing statuses include “Security Snapshot,” where products are working toward their initial Snapshot score, and “Security Product Review,” where products are actively working toward Ready or Authorized status or are pending review by the StateRAMP PMO.

Embracing Modernization Through StateRAMP

StateRAMP’s standardized approach to cloud security transforms the way state regulatory agencies adopt modern solutions. By leveraging StateRAMP’s CJIS overlay, agencies reduce compliance burdens while ensuring criminal justice data protection. Understanding the readiness stages empowers agencies to select secure vendors and support Progressing Status providers on their path.

Several states and local governments have partnered with StateRAMP to standardize and enhance their cybersecurity protocols. Notable participants include Colorado, Maine, North Dakota, Vermont, West Virginia and local entities like Sacramento County, California.

Indiana’s recent mandate requiring state agencies to engage only with StateRAMP-authorized vendors underscores the state’s commitment to enhancing cybersecurity, streamlining vendor access and accelerating technology adoption.

In January 2025, Indiana Governor Mike Braun issued Executive Order 25-19, directing all state agencies to engage exclusively with cloud service providers that demonstrate compliance with the National Institute of Standards and Technology (NIST) 800-53 standards. This initiative mandates that vendors either prove their current compliance or present a detailed plan outlining their path to full compliance, emphasizing the state’s commitment to robust cybersecurity practices.

By implementing these stringent requirements, Indiana aims to streamline vendor access, accelerate the adoption of secure technologies and bolster public trust in the state’s cybersecurity measures. This proactive approach not only enhances the protection of sensitive government data but also sets a precedent for other states to follow in strengthening their cybersecurity frameworks.

See StateRAMP’s extensive list of participating governments and public education institutions that work with StateRAMP to “recognize a common standard for cybersecurity.”

StateRAMP FAQs

1. What is StateRAMP, and why is it important for state regulatory agencies?

Answer: A cloud security verification program designed for state government agencies, StateRAMP ensures that cloud service providers meet standardized security requirements, protecting sensitive state data and reducing cybersecurity risks. By adopting StateRAMP, regulatory agencies strengthen their security posture, enhance public trust, and streamline vendor procurement.

2. How does the StateRAMP CJIS-aligned overlay benefit agencies handling criminal justice information?

Answer: The CJIS-aligned overlay simplifies the compliance process for agencies handling Criminal Justice Information (CJI). It maps CJIS security requirements directly to StateRAMP baselines, reducing redundant compliance efforts and accelerating cloud adoption for criminal justice-related services while ensuring FBI CJIS standards remain intact.

3. What are the different readiness stages of StateRAMP, and what do they indicate?

Answer: The stages of StateRAMP readiness:

  • Authorized:
    • Highest level of assurance.
    • Listed on the Authorized Product List (APL).
    • Verified through 3PAO audit.
    • Status levels:
      • Ready: Meets minimum standards.
      • Provisionally Authorized: Near full compliance; missing some certifications.
      • Authorized: Fully meets all security controls.
    • Includes continuous monitoring for ongoing compliance.
  • Progressing:
    • Formal review underway; not yet fully authorized.
    • Must join Snapshot Program or engage a 3PAO.
    • Status levels:
      • Security Snapshot: Working toward initial Snapshot score.
      • Security Product Review: Actively pursuing Ready or Authorized status; may be pending PMO review.

4. Why is Authorized Status beneficial for state agencies?

Answer: Achieving Authorized Status with StateRAMP benefits state agencies by ensuring that cloud service providers meet rigorous security standards, maintain continuous monitoring and undergo regular audits. This status streamlines vendor selection, accelerates technology adoption and enhances public trust in the agency’s cybersecurity practices.

5. How does a 3PAO assessment help vendors achieve StateRAMP compliance?

Answer: A Third-Party Assessment Organization (3PAO) independently evaluates a vendor’s security posture, testing system controls, verifying risk management policies and ensuring compliance with StateRAMP standards. This validation represents a crucial step for vendors progressing toward full authorization.

6. What role does continuous monitoring play in maintaining StateRAMP compliance?

Answer: Continuous monitoring ensures that vendors maintain security compliance by tracking vulnerabilities, applying system patches, updating security measures, and providing agencies with regular reports. This proactive approach helps mitigate evolving cybersecurity threats.

7. How does StateRAMP support state agencies in selecting secure cloud vendors?

Answer: By categorizing vendors into readiness stages, StateRAMP helps agencies assess a vendor’s security maturity before onboarding. Agencies can prioritize vendors in Ready or Active Status for immediate security assurance while monitoring Progressing vendors for compliance improvements.

8. What are the key benefits of achieving StateRAMP certification for cloud service providers?

Answer: Certification demonstrates strong cybersecurity practices, reduces procurement barriers and streamlines the approval process for providing cloud solutions to government entities.

GL Solutions: Advancing Toward Certification

GL Solutions is on track to be the first StateRAMP certified government licensing solution. GL Solutions, a leader in regulatory software, currently stands in the Progressing Status and continues to actively work toward full StateRAMP authorization. By engaging in the third-party assessment process, refining security controls and aligning with StateRAMP’s rigorous standards, GL Solutions aims to enhance security for our state agency clients. As we move toward certification, our clients gain a transparent, security-driven approach to cloud-based regulatory agency solutions.

Time to Modernize

GL Solutions helps your regulatory agency run, grow and adapt through modern software and automation that helps solve your agency’s greatest challenges. To learn more, contact us.
