StateRAMP Explained: What It Is, Who Needs It, and How It Differs From FedRAMP

Written by: 
Team Knox
Published on: 
June 11, 2026

Until recently, no standardized framework existed for verifying the security posture of cloud vendors selling into the public sector. Each state, county, school district, and tribal entity ran its own assessment process, producing a patchwork of redundant security reviews that added months to every deal without adding security.

The State Risk and Authorization Management Program (StateRAMP), now operating as GovRAMP (Government Risk and Authorization Management Program), was created to address that problem.

For vendors deciding whether to pursue StateRAMP, the Federal Risk and Authorization Management Program (FedRAMP), or both, the order of these decisions has financial consequences. This piece explains what StateRAMP is, which states require it, how authorization works, where it overlaps with and differs from FedRAMP, and how to sequence both programs.

Key Takeaways

  • GovRAMP standardizes SLTT reviews. The program gives state, local, tribal, and education entities a common authorization framework built on the same National Institute of Standards and Technology (NIST) SP 800-53 controls that FedRAMP uses.
  • Mandates are uneven. Texas and North Carolina have hard procurement mandates, and Texas recognizes FedRAMP authorization through its TX-RAMP program.
  • Reciprocity runs one way. FedRAMP authorization satisfies StateRAMP through the Fast Track program, but a StateRAMP authorization does not count toward FedRAMP.
  • FedRAMP first is efficient. One FedRAMP authorization opens federal markets, GovRAMP SLTT markets via Fast Track, and Texas TX-RAMP via a separate certification request submitted to the Department of Information Resources (DIR) through ARCHER.

What StateRAMP Is and Why It Was Created

StateRAMP is a 501(c)(6) nonprofit that standardizes cloud security authorization for state, local, tribal, and education (SLTT) government entities. It launched in January 2021 and announced its transition to GovRAMP in February 2025, reflecting its expansion beyond state governments.

Vendors can "verify once, serve many." A vendor achieves authorization once against a NIST SP 800-53-based baseline, and that authorization can be reused across participating government jurisdictions.

That reuse model only delivers value where procurement teams actually rely on it. GovRAMP carries the most weight where it is a buying requirement rather than a general signal of security maturity.

Who StateRAMP Applies To and Where It Matters Most

StateRAMP applies to SaaS companies selling cloud services to state agencies, municipalities, public universities, K-12 school districts, and tribal governments.

In some jurisdictions, authorization is a hard gate. In others, participation shapes evaluation criteria and purchasing preference. GovRAMP adoption has expanded, with more than half of all US states participating.

States with hard procurement mandates or formal participation include:

  • Texas. TX-RAMP rules require all state agencies and higher education institutions to contract only with cloud providers meeting TX-RAMP requirements. Vendors must submit a separate request for FedRAMP products via ARCHER (archerirm.cloud) and undergo a reciprocity review.
  • North Carolina. Beginning April 1, 2026, vendors working with the executive branch must meet GovRAMP's cloud security standard, with full compliance required by April 1, 2027.
  • Arizona. Arizona transitioned its prior AZ-RAMP program to GovRAMP, with participation spanning state-level, K-12, local government, and higher education entities.
  • Other participating states. Indiana, Kansas, Massachusetts, Minnesota, New York, Ohio, and Oklahoma have confirmed participating government entities. No statutory mandates were confirmed for these states, but state-level participation signals that GovRAMP status is a de facto requirement in many requests for proposals (RFPs).

These mandates show where GovRAMP affects procurement and where status levels matter.

The StateRAMP Authorization Process and Status Levels

The StateRAMP program uses staged designations that show how far a provider has progressed:

  • Progressing: The vendor is enrolled in the Snapshot Program and actively working toward a verified status. This entry point signals intent rather than completed assessment work.
  • Core: An assessment of 60 prioritized NIST SP 800-53 Rev5 controls. No 3PAO assessment is required at this stage.
  • Ready: The vendor meets GovRAMP's minimum mandatory requirements per a Readiness Assessment Report (RAR) conducted by an accredited 3PAO. Unlike FedRAMP Ready (which expires after one year), the GovRAMP RAR does not expire.
  • Provisionally Authorized: The vendor has not yet met all requirements for full authorization but has been granted interim recognition while the remaining work is completed.
  • Authorized: Full compliance with all required controls at the designated impact level, with 3PAO attestation, PMO verification, and acceptance by a government sponsor or the Approvals Committee. High-rated products can reach this designation through multiple pathways, including FedRAMP reciprocity.

Vendors begin by joining GovRAMP and determining the impact level (Low, Moderate, or High) appropriate for the data their service will handle. They then engage an independent Third-Party Assessment Organization (3PAO) with accreditation from the American Association for Laboratory Accreditation (A2LA).

Next, vendors prepare a documentation package that includes a System Security Plan (SSP), Plan of Action and Milestones (POA&M), and the 3PAO-authored Security Assessment Plan (SAP) and Security Assessment Report (SAR). They then secure a government sponsor or submit to the Approvals Committee, after which the Program Management Office (PMO) security team reviews the package and conducts a call with the provider and 3PAO.

After authorization, providers must maintain continuous monitoring through monthly vulnerability reporting, POA&M updates, and annual reassessments.

The overlap with FedRAMP is close enough that a direct comparison is useful.

StateRAMP and FedRAMP Share a Common Foundation

Both programs use NIST SP 800-53, Revision 5 as their security control catalog and apply the same three impact tiers (Low, Moderate, High) derived from Federal Information Processing Standards (FIPS) 199 categorization.

Beyond the control catalog, they share:

  • They require independent 3PAO assessment and share a common documentation structure: System Security Plan, Security Assessment Report, POA&M, and Authority to Operate (ATO).
  • They mandate continuous monitoring with monthly reporting and annual 3PAO assessments.
  • They follow a "do once, use many" model in which a single authorization package is reused across multiple government customers.

This leads many vendors to assume the programs are interchangeable. But their governance and market structure produce different commercial outcomes.

Where StateRAMP and FedRAMP Differ in Practice

The two programs diverge across governance, sponsorship paths, marketplace structure, and access to monitoring data:

  • Governance and statutory weight. FedRAMP is administered by the General Services Administration (GSA), with program direction set by the FedRAMP Board (which replaced the former Joint Authorization Board, or JAB, in 2024), and is codified in the FedRAMP Authorization Act alongside Office of Management and Budget (OMB) policy such as Circular A-130. GovRAMP is governed by a nonprofit Board of Directors with no regulatory authority, and adoption varies by individual state procurement policy.
  • Sponsorship path. The traditional FedRAMP agency path requires a federal agency partner, creating a chicken-and-egg problem for vendors without existing federal contracts, though newer paths are emerging. GovRAMP allows authorization through a state agency sponsor or the Approvals Committee.
  • Separate marketplaces. The FedRAMP Marketplace lists more than 500 authorized services, while the GovRAMP Authorized Product List (APL) has 151 verified offerings. A listing on one does not appear on the other.
  • Continuous monitoring access. FedRAMP ConMon documentation is restricted to federal agencies, while GovRAMP ConMon documentation is accessible to participating state and local governments through a secure repository.

Those differences determine whether work completed in one program carries into the other.

FedRAMP Authorization Satisfies StateRAMP Through One-Way Reciprocity

A FedRAMP-authorized offering qualifies for GovRAMP Authorized status through the Fast Track program, with no separate 3PAO audit required. Cloud service providers (CSPs) holding FedRAMP Ready, Authority to Operate (ATO), or Provisional Authority to Operate (P-ATO) status all qualify for the Fast Track path. The vendor submits its FedRAMP-aligned security documentation using GovRAMP/FedRAMP templates, along with continuous monitoring materials, including scan results, inventory documentation, and a POA&M.

However, GovRAMP does not create a comparable shortcut into the federal market. FedRAMP's proposed external framework policy (RFC-0022) states explicitly: "this process does NOT establish reciprocity with any external framework." A vendor holding only a GovRAMP authorization that wants to sell to federal agencies must begin the FedRAMP process from scratch.

This one-way reciprocity creates a sequencing decision.

How to Sequence StateRAMP and FedRAMP When Both Are on the Roadmap

FedRAMP authorization can open multiple public-sector paths from a single investment. Specifically, FedRAMP Authorized status supports GovRAMP authorization through Fast Track without a new full 3PAO assessment, and it also supports TX-RAMP certification through Texas's recognition of FedRAMP.

By contrast, GovRAMP pursued first opens only SLTT markets and provides no credit toward FedRAMP, so the vendor pays for two complete authorization efforts instead of one.

Standalone GovRAMP makes sense in one narrow scenario: when a vendor's pipeline is exclusively SLTT with no near-term federal intent. Even then, it provides no head start if federal opportunities materialize later.

Ultimately, the decision comes down to whether the initial path can be reused across both markets without funding the infrastructure and documentation burden twice. For vendors with dual-market ambitions, FedRAMP-first is that path.

Authorization Sequencing Determines Compliance Spend

Every quarter a SaaS vendor spends on the wrong authorization path adds duplicate compliance work, delays the pipeline, and leaves revenue on the table. The state and local market is large and growing, and the federal market is large and protected by statutory procurement requirements. Both are worth pursuing, and the central question is whether you pay for authorization once or twice.

For vendors with both markets on the roadmap, a FedRAMP-first approach is the most capital-efficient path to full coverage.

Knox is a FedRAMP-as-a-Service platform built around a pre-authorized boundary. It lets SaaS vendors inherit a substantial share of the required controls, rather than duplicating infrastructure and documentation efforts across separate authorization tracks. For teams trying to meet federal demand without losing the option to move into SLTT markets through Fast Track, that structure makes it easier to maintain sequencing discipline.

If that sequencing decision is active, book a meeting.

FAQs About StateRAMP

How long does GovRAMP authorization typically take?

Most vendors complete the process in 9 to 18 months, depending on the maturity of their security program and how quickly they can secure a government sponsor. Engaging a 3PAO early and entering the Progressing tier first usually compresses the overall timeline.

Can a single GovRAMP authorization cover multiple cloud offerings?

No. Each service offering must be listed and authorized individually on the APL, even when offerings share underlying infrastructure. Vendors should carefully scope the system boundary before engaging a 3PAO to avoid expensive rescoping later.

What is the practical difference between GovRAMP Core and Ready status?

Core reflects a self-attested review of 60 prioritized controls without 3PAO involvement, while Ready requires a formal RAR from an accredited 3PAO confirming that the program's minimum mandatory requirements are met. Procurement teams generally treat Ready as the first credible signal of audit-grade readiness.

What happens if a FedRAMP authorization lapses while using Fast Track?

The corresponding GovRAMP Authorized status is tied to the underlying FedRAMP status, so a lapse cascades into both the GovRAMP listing and any dependent TX-RAMP certification. Vendors should keep up their federal continuous monitoring obligations (monthly scans, POA&M updates, and annual assessments) to preserve downstream recognition.

Do GovRAMP fees vary by impact level?

Yes. Membership and authorization fees scale with the impact level pursued, with High Impact authorizations carrying the largest documentation and monitoring burden. Budgeting should account for both the initial assessment and recurring annual reassessment costs.