As cyber threats against state and local governments increase, the need for a united front is more critical than ever. StateRAMP, modeled on the Federal government’s FedRAMP program, is leading the way. By promoting best practices through education, advocacy, and policy development, StateRAMP is helping drive a standardized approach to cybersecurity, resulting in more strategic and effective cyber postures for state and local governments.

What is StateRAMP?

Founded in 2020, StateRAMP is a non-profit organization offering cloud security verification services to state and local governments. It’s the brainchild of the State of Arizona’s CIO, J.R. Sloan who was a key driver in creating their state’s version of the U.S. Government’s FedRAMP program. Known as AzRAMP, its success grew awareness among other states that they could also benefit from adapting the FedRAMP model, as Arizona had done.

As cyber attacks against local infrastructure, including transportation, utilities, and public safety ratcheted up, other state and local government IT leaders began to see the value of standing together as a more unified front. The result was StateRAMP and a “verify once, serve many” strategy. Today, the organization’s membership includes service providers offering IaaS, PaaS, and/or SaaS solutions, plus third party assessment groups and government officials.

“Cisco’s been an early supporter of StateRAMP, having joined as a Member shortly after StateRAMP launched. StateRAMP provides a tremendous opportunity for states to adopt a common cyber security model which will result in increased confidence in the security posture of cloud services and provide efficiencies for state governments when conducting risk assessments.”

-Claudio Belloli, Cloud Relationship Manager, Cisco U.S. Pubic Sector

While modeled on the U.S. Government’s Federal Risk and Authorization Management Program (FedRAMP), which is mandatory for Federal Agencies, StateRAMP is a voluntary validation program that states can opt to adopt. StateRAMP aims to provide states with common security criteria for standardizing cloud security verification. It does this by:

  • Creating a shared resource model
  • Providing continuous monitoring.

This approach can assist state and local leaders to better understand and simplify cloud compliance and risk management. The end result helps them to better protect critical data, systems, and infrastructure from cyber-attacks and ransomware.

Why StateRAMP?

As the complexity of threats against government networks, users, and data increases there is an ongoing need for an equally determined validation mechanism for the cybersecurity solutions deployed to meet the challenge. Through standardization and validation, StateRAMP enables service providers to verify their security posture, giving customers the assurance of a predetermined level of compliance. This assurance is increased by establishing an independent, unbiased review of and systematic confirmation of any solution’s capabilities via a third-party.

By working together with service providers and third-party assessment groups, StateRAMP has been able to develop a viable validation system, allowing their members to be confident that cloud providers and vendors meet stringent cybersecurity requirements, including adhering to published best practices and policies. The validation approach, as defined by StateRAMP below, includes:

  • Progressing Offerings – StateRAMP recognizes offerings in the process of working toward a verified offering. To be listed in progress, the provider must be engaged with a third party assessing organization (3PAO) for an independent audit. The progressing statuses include Active, In Process, and Pending. Active is working toward Ready; In Process is working toward Authorized; Pending has submitted a security package to the Program Management Office (PMO) and is awaiting a determination for a verified status.
  • Verified Offerings – To be verified, the provider must meet minimum security requirements and provide an independent audit conducted by a third party assessing organization (3PAO). StateRAMP recognizes three verified statuses, including Ready, Provisional, and Authorized. Ready meets minimum requirements. Provisional exceeds minimum requirements and has a government sponsor. Authorized satisfies all requirements and has a government sponsor. To ensure ongoing security compliance and risk mitigation, providers must comply with continuous monitoring requirements to maintain a verified security status.

StateRAMP also provides its membership with a variety of tools and resources to help guide them to greater cyber resilience. Most important among these is the StateRAMP Authorized Vendor (AVL) list. It details verified offerings and those in the process of working toward an authorization.

Cisco congratulates StateRAMP

With twenty-three “Active” solutions for StateRAMP (including our most popular SaaS solutions like Cisco Webex,  Cisco Secure Endpoint, and Cisco SecureX), Cisco is excited to be a part of this landmark effort to secure government. We congratulate StateRAMP’s leadership for innovating in the face of evolving challenges and pushing the security of state and local governments forward in such a short period of time.

Our StateRAMP Active cloud solutions help your agency provide stronger, risk-based security featuring deeper visibility and automation. By partnering with Cisco, your transition to a hybrid working environment can include enhanced security, reduced risks, and faster deployment. Cisco experts can help you:

  • Harness the flexibility of cloud technologies
  • Securely enable users across the miles
  • Provide training anywhere
  • Explore creative solutions with multi-cloud confidence.

Plus, we can help fast-track your IT modernization with Cisco Services that help you get the most out of your existing collaboration tools and speed your upgrade path.

At Cisco, we also offer a variety of FedRAMP Authorized and In-Process solutions that state and local governments can leverage. These have been through a rigorous validation program that meets the stringent requirements of the U.S. Federal Government. This gives you the assurance of trust, security, and reliability you need for your daily operations.

At Cisco, we’re committed to helping secure state and local networks, users, data, and infrastructure against the evolving risks they face in today’s threat landscape. Together with StateRAMP, we’re helping define the next generation of cybersecurity for government.

Additional resources


Marcus Moffett

Vice President of Solutions Engineering & Architectures