FedRAMP, the Federal Risk and Authorization Management Program, exists to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services that support the Federal government.
StateRAMP, the newer of the two frameworks, is a consortium of cybersecurity officials across the public and private sectors charged with assisting state and local governments in vetting third-party vendors' cyber and cloud security posture. If this sounds a lot like FedRAMP, it's because it is. The primary difference ultimately boils down to the communities they serve: a FedRAMP authorization applies only to vendors working with the federal government, while StateRAMP, as the name suggests, applies only to organizations working with state and local government entities.
Navigating the paths to a FedRAMP authorization is notoriously difficult. Here at RISCPoint, our team recommends the agency sponsorship path for a variety of reasons, the primary one being that it allows for risk acceptance by the agency sponsor, which differs markedly from the Joint Authorization Board prioritization process. You can read more about that and the process for FedRAMP authorization here.
StateRAMP, although newer than its federal counterpart, has a very transparent, straightforward process. CSPs may consult the organization’s vast repertoire of documents, including a Start Guide, which details the step-by-step process for approval. For key considerations to keep in mind before beginning your authorization journey, check out our blog post here.
Great news! There is indeed a reciprocity agreement between the two frameworks. If you have an IaaS, PaaS, or SaaS solution that holds a FedRAMP Ready, P-ATO, or ATO designation, the same product can be reviewed by the Project Management Office under FedRAMP Reciprocity, as stated in the StateRAMP Guidelines. While the CSP must become a StateRAMP member, no further security assessment is required.