StateRAMP, without the binders

Get authorized to serve state and local government

NIST 800-53 baselines for Low, Moderate, and High, a continuous-monitoring program, and FedRAMP reciprocity — managed as living controls for the StateRAMP Authorized Product List.
Start free trialBook a demo

What is StateRAMP?

StateRAMP is a nonprofit program that brings a standardized, FedRAMP-style approach to cloud security for state and local governments. Like FedRAMP, it is based on the NIST SP 800-53 control catalog and uses accredited third-party assessment organizations (3PAOs), and it maintains an Authorized Product List (APL) of cloud offerings that government agencies can procure with confidence.

Baselines and status

StateRAMP uses Low, Moderate, and High impact baselines drawn from NIST 800-53. Providers progress through recognized statuses — from an early-stage Security Snapshot to Ready and ultimately Authorized — reflecting how far an offering has advanced through assessment and continuous monitoring. Authorization requires a government sponsor or review through the StateRAMP PMO.

FedRAMP reciprocity

Because StateRAMP and FedRAMP share the same NIST 800-53 foundation, StateRAMP offers reciprocity: a provider's FedRAMP authorization work can be leveraged toward StateRAMP status, and a single 800-53 control program can serve both federal and state/local buyers.

How episki helps

episki ships the NIST 800-53 baselines as living controls, generates the System Security Plan from real evidence, tracks the POA&M and monthly continuous-monitoring deliverables, and cross-maps everything to FedRAMP — so reaching the StateRAMP Authorized Product List builds on work you are already doing rather than starting a separate project.

StateRAMP outcomes with episki

Quantify the impact security and compliance brings to your business.
3 baselines
Low, Moderate, and High impact levels based on NIST 800-53.
APL listed
Reach Ready or Authorized status on the StateRAMP Authorized Product List.
FedRAMP reuse
Reciprocity lets FedRAMP work carry over to StateRAMP.

Why teams choose episki for StateRAMP

Framework-specific automation, collaboration, and reporting in one workspace.
800-53 baselines, pre-mapped
The same NIST 800-53 control work as FedRAMP, scoped to StateRAMP.
  • Low, Moderate, and High baselines
  • SSP generated from control evidence
  • POA&M tracked to closure
Continuous monitoring
The ongoing ConMon deliverables StateRAMP expects.
  • Monthly vulnerability and POA&M reporting
  • Significant-change workflow
  • Security Snapshot and progressing status
FedRAMP reciprocity
Reuse FedRAMP evidence to accelerate StateRAMP, and vice versa.
  • Shared 800-53 control library
  • 3PAO assessment workspace
  • One program for federal and SLG buyers

StateRAMP readiness inside episki

What a cloud provider needs to reach the StateRAMP APL.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Impact-level determination (Low / Moderate / High)
  • NIST 800-53 baseline implemented as controls
  • System Security Plan from control evidence
  • 3PAO assessment and POA&M tracking
  • Continuous monitoring cadences and reporting
  • Government sponsor or StateRAMP PMO path
StateRAMP accelerators

StateRAMP authorization accelerators

Move from intent to the Authorized Product List faster.
SSP generator
Compose the System Security Plan from live control data.
ConMon dashboard
Track your monthly continuous-monitoring obligations.
FedRAMP crosswalk
Reuse FedRAMP control evidence toward StateRAMP.

StateRAMP frequently asked questions

Other compliance frameworks

CCPA / CPRACIS ControlsCMMCCSA STARCyber EssentialsDORAEU AI ActFedRAMPFFIECGDPRGLBAHIPAAHITRUST CSFISO 22301ISO 27001ISO 27017ISO 27018ISO 27701ISO 42001LGPDNIS2NIST 800-171NIST 800-53NIST AI RMFNIST CSFNY DFS Part 500PCI DSSPIPEDAPOPIASOC 1 Type I/IISOC 2 Type I/IISOC 3SOXTISAX

Reach StateRAMP Authorized in episki

Build on your NIST 800-53 and FedRAMP work to serve state and local government.
Start free trialBook a walkthrough