StateRAMP group says cloud-security standards being used in 10 states

The group, which is modeled on the FedRAMP certifications for federal cloud vendors, said it is "far surpassing our expectations."
cloud with a ladder
(Getty Images)

StateRAMP, a group of government technology and industry officials that formed last year to create security standards for state-government cloud vendors, said Tuesday that its practices have been adopted in at least 10 states.

The list includes both statewide and local governments in states including California, Texas, Florida, North Carolina and Arizona, which was the first to implement the organization’s standards.

StateRAMP is modeled on the Federal Risk and Authorization Management Program, or FedRAMP, which rates cloud vendors doing business with the U.S. government. Like the federal program, StateRAMP relies on a series of third-party organizations to assess if IT companies selling to state governments meet certain cybersecurity and risk assessment standards.

The organization’s list of approved vendors and services now reaches 80 products from dozens of companies. Those companies and products also undergo continuous monitoring, according to the StateRAMP organization.


“Until StateRAMP, there was not a standardized method to provide state and local governments consistent, independent, and ongoing validation of a product’s cyber posture,” Arizona Chief Information Officer J.R. Sloan, who sits on StateRAMP’s executive board, said in a press release.

The organization’s executive director, Leah McGrath, said its first-year growth is “far surpassing our expectations.” The group launched with a goal of reaching three to five states.

Along with Arizona, the program is also being broadly implemented in Texas, which since last summer has been developing a vendor authentication model officials are calling TexRAMP.

In a recent interview, Texas Chief Information Security Officer Nancy Rainosk told StateScoop that while the TexRAMP initiative — which was created as part of a comprehensive cybersecurity law last year — is still in “phase one,” it’s already certified more than 500 cloud services used by the state’s many agencies.

“Our overall goal is to have our vendors be required to follow the same security practices our state agencies follow,” she said. “We want to make sure our cloud vendors are securing our data the way Texas wants it secure.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts