Take a standardized, proven approach to StateRAMP authorization.

• An in-depth review of the authorization boundary to ensure all external services, interconnections, and data flows are represented
• Validation of StateRAMP mandates and requirements as well as defining capability information within the readiness assessment report (RAR) template
• A detailed executive summary highlighting notable strengths and weaknesses, control implementations, and maturity of the information system

• Security assessment plan (SAP) that captures how we will perform the assessment and when key milestones will be completed
• Technical interviews to validate control implementations
• Identification of any risks through manual control testing, vulnerability scanning, and penetration testing
• A comprehensive security assessment report (SAR) detailing any risks identified, how they impact the information system, and what remediation activities are needed to reduce risk
• Support throughout the sponsor package review process to provide clarity on testing activity, remediation activities, and insights on gaps noted from the reviewer

• Assistance with preparation for the annual assessment prior to the ATO deadline
• Continuous monitoring for any StateRAMP-authorized product
• Assessment of one-third of your security controls plus any additional controls required by the StateRAMP Program Management Office or State Authorizing Body
• All testing activities that were covered within the initial assessment

• Introduction to the StateRAMP program
• Anticipated timeline for pursuing StateRAMP authorization
• In-depth information-gathering session with stakeholders to learn about organizational structure, information systems, StateRAMP control implementation status, overall compliance posture, and any other concerns regarding position
• Data analysis to understand the implementation status of each security control and appropriately identify control deficiencies

• Expert-led discussion on StateRAMP Ready minimum mandates and required documentation
• Stakeholder review of:
  • Information system security boundary updates and outstanding gaps
  • StateRAMP control baseline-related questions to determine whether systems meet requirements

Using an iterative, collaborative process, the necessary readiness documentation – including the StateRAMP Controls Matrix (implementations) and StateRAMP System Security Plan Template – is finalized in preparation for the readiness assessment.

After receiving your feedback on the initial draft, we make revisions and conduct quality assurance to deliver a final draft of these documents:

• Information security policies
• Data questionnaire
• Privacy threshold analysis and privacy impact analysis
• System security plan and controls matrix
• Rules of behavior
• IT contingency plan
• Configuration management plan
• Incident response plan
• Continuous monitoring plan