What is StateRAMP?

With increasingly daring cybercriminals targeting government data, a group of CIOs and CISOs bound together to create the State Risk and Authorization Management Program (StateRAMP). As a nonprofit organization, StateRAMP establishes a common cybersecurity framework for state and local government agencies to verify the security of cloud solutions that store, process and transmit sensitive data.


Cloud providers who do business with federal agencies are familiar with the Federal Risk and Authorization Management Program (FedRAMP). StateRAMP offers both state and local governments the same assurance that independent software vendors (ISVs) meet their minimum cybersecurity standards through independent assessments and continuous monitoring.

StateRAMP’s purpose is to:

  • Protect citizen data: Recent onslaughts of ransomware, phishing, and other complex cyber threats are putting the public’s sensitive data at risk. This data includes personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) information.
  • Save taxpayer and service provider dollars: StateRAMP’s “verify once, serve many” model is designed so that cloud vendors only need to authorize a product once to ensure its cybersecurity standards are compliant. Any state agency or local government can join StateRAMP at no cost.
  • Ease the burden on state and local government: StateRAMP eliminates the need to perform the same security assessment twice and allows a government agency to focus its resources elsewhere.
  • Promote cybersecurity best practices: The program aims to share cloud security knowledge transparently and make resources available to all who want to learn.

How does StateRAMP work?

StateRAMP’s Security Assessment Framework process uses the National Institute of Standards and Technology (NIST) Risk Management Framework. With NIST as its basis, the program standardizes a process of security assessment, authorization and continuous monitoring for state and local agencies.

According to StateRAMP’s security requirements, ISVs seeking an authorization must:

  • Comply with NIST Special Publication 800-53 Rev. 5.
  • Engage a third-party assessment organization (3PAO) to serve as a partner and educator during the process.
  • Work with the 3PAO to produce a comprehensive security report that proves the organization has met all cybersecurity standards and security requirements.
  • Implement continuous monitoring and demonstrate continuous StateRAMP compliance.

ISVs who follow this process can earn a place on the StateRAMP Authorized Vendor List under one of three security statuses:

  • StateRAMP Ready: The service provider meets the 25 minimum security requirements and most critical controls.
  • StateRAMP Provisional: A service provider submits a package for authorization but does not meet all necessary requirements and controls.
  • StateRAMP Authorized: The provider meets all security requirements and complies with all mandatory controls.

Project Hosts is StateRAMP Authorized

Project Hosts offers ISVs a simpler approach to StateRAMP compliance. As a StateRAMP Authorized cloud service provider, we can provide your organization the opportunity to streamline the authorization process and kick-start your journey into the state and local government market.

When you partner with Project Hosts, you gain access to three key compliance-as-a-service offerings:

  • Compliance Inheritance: By migrating onto our pre-audited turnkey platform you outsource at least 80% of security controls to Project Hosts, meaning a 3PAO only needs to assess the remaining 20% that are specific to your solution. Not only does this accelerate the assessment process, but it also offers peace of mind to any government agency wanting to use it to their advantage.
  • Compliance by Certification: We make it easy to earn a StateRAMP certification using our turnkey compliance services. When you partner with Project Hosts, you get two options: doing it yourself or letting us do it for you — it’s that simple.

    If you decide to do it yourself, our team of experts will support your effort by sharing policies and procedures and collecting evidence on your behalf.

    But if you let us take the weight off your shoulders, we’ll engage an assessor on your behalf, prepare you for the audit and create policies, procedures and evidence documents. We run the audit for you, meaning you’re free to focus on developing innovative solutions for your users.
  • Continuous Compliance: With your application on your platform, you can rest assured that our operation and security teams are monitoring performance, preventing intrusion and constantly patching your cloud environment. We track and record any change or incident and alert the appropriate personnel to ensure you always maintain compliance.


What used to take years can now be done in just 2-6 months — and at a fraction of the cost. That’s the power of Project Hosts. So, what are you waiting for?