StateRAMP and TX-RAMP. Cloud Authorization Forged for State Government.
StateRAMP & TX-RAMP Authorization Platform
Standardized cloud security authorization for state and local government procurement. FedRAMP-aligned baselines built on NIST 800-53. Continuous monitoring deliverables from connected infrastructure. Reciprocity pathways that compound federal authorization work into state-level marketplace listing. Immutable evidence for your 3PAO and every state agency that requires verified cloud security posture.
StateRAMP & TX-RAMP Authorization
State governments deserve the same cloud security rigor as the federal government.
StateRAMP and TX-RAMP bring standardized, FedRAMP-aligned security verification to state and local government cloud procurement. Instead of fifty different security questionnaires with fifty different evaluation criteria, these programs establish a common baseline: NIST 800-53 controls verified by accredited third-party assessors, continuous monitoring requirements, and a public marketplace where authorized products are listed for procurement. Redoubt Forge maps your security posture to StateRAMP and TX-RAMP baselines, generates continuous monitoring deliverables from connected infrastructure, and maintains marketplace-ready authorization status between assessment cycles.
StateRAMP is a nonprofit organization that provides a standardized approach to cloud security authorization for state and local government agencies. Before StateRAMP, cloud service providers selling to government agencies faced a fragmented landscape: each state, county, and municipality maintained its own security evaluation criteria, its own assessment processes, and its own authorization decisions. A provider authorized in one state held no recognized status in another. StateRAMP addresses this by establishing a common security verification framework modeled directly after FedRAMP. Cloud service providers undergo a third-party assessment against NIST 800-53 baselines, receive a StateRAMP authorization status, and are listed on the StateRAMP Authorized Product List. State and local agencies can then reference that list during procurement, relying on StateRAMP's verified security status rather than conducting their own independent security evaluation. The program operates through a Program Management Office (PMO) that reviews assessment packages, issues authorization decisions, and monitors ongoing compliance through continuous monitoring requirements.
TX-RAMP is the Texas Risk and Authorization Management Program, managed by the Texas Department of Information Resources (DIR). TX-RAMP establishes cloud security certification requirements for any cloud computing service used by Texas state agencies. The program defines three certification levels based on data sensitivity: Level 1 for services handling publicly available data with minimal confidentiality requirements, Level 2 for services processing confidential or sensitive data that requires substantive security controls, and Level 3 for services handling the most sensitive categories of state data. TX-RAMP requires vendors to complete a security assessment, submit documentation to DIR, and maintain ongoing compliance through periodic reassessment. The program recognizes FedRAMP authorization as satisfying TX-RAMP requirements, establishing a reciprocity pathway that reduces duplicative assessment effort. Texas state agencies are required to verify that cloud services they procure hold appropriate TX-RAMP certification, making it a gating requirement for state contract awards and renewals.
Both StateRAMP and TX-RAMP derive their security baselines from the same source: NIST 800-53. StateRAMP's Impact Levels align with FedRAMP's Low, Moderate, and High baselines, which are themselves selections from the NIST 800-53 control catalog. This structural alignment means that organizations with existing FedRAMP authorization have already satisfied the controls required for StateRAMP listing. The reciprocity is not approximate; it is deterministic. FedRAMP Authorized products can achieve StateRAMP status through an expedited review process rather than a full independent assessment. TX-RAMP provides similar reciprocity for FedRAMP Authorized services. This shared NIST lineage creates a compliance ecosystem where federal authorization work compounds directly into state-level authorization, and state-level work traces back to the same NIST 800-53 controls that underpin CMMC, SOC 2, and ISO 27001. The investment in security posture is not siloed by jurisdiction. It propagates through every framework that shares the same foundation.
The state and local government cloud market represents hundreds of billions of dollars in annual technology spending across thousands of agencies, school districts, counties, and municipalities. Each of these entities has a responsibility to verify that the cloud services they procure meet appropriate security standards for the data they handle. Without a standardized authorization framework, this verification happens independently at every level of government. A cloud provider selling to state agencies in ten states faces ten different security questionnaires, ten different evaluation criteria, ten different assessment timelines, and ten different ongoing compliance obligations. The security questions overlap substantially because they all trace back to common concerns: access control, encryption, incident response, vulnerability management, audit logging. But each state asks them differently, weights them differently, and verifies them differently. The result is a compliance burden that scales linearly with the number of state markets a vendor enters, regardless of the underlying security posture being evaluated.
For cloud service providers, this fragmentation creates a direct tension between market expansion and compliance capacity. Every new state engagement requires dedicated compliance staff to interpret that state's requirements, map existing controls to local criteria, prepare state-specific documentation packages, and manage state-specific assessment timelines. Engineering teams are pulled into repetitive evidence collection cycles that differ only in format and terminology, not in substance. The same encryption configuration is documented differently for each state's questionnaire. The same access control architecture is described using each state's preferred vocabulary. The same audit logging infrastructure produces evidence packages formatted to each state's template. Organizations that lack dedicated compliance teams for each market either limit their geographic reach or accept the risk of inconsistent documentation quality across state engagements. Neither outcome serves the organization's security posture or its business objectives.
State agencies suffer from the same fragmentation. Procurement officers evaluating cloud services must assess each vendor's security claims independently, often without the technical expertise or resources to conduct rigorous security evaluations. Self-attested security questionnaires provide limited assurance. Point-in-time assessments conducted years ago may not reflect the current security posture of the service. Agencies in smaller jurisdictions face particular challenges: they may lack the staff to evaluate vendor security claims meaningfully, relying instead on checkbox compliance that provides a false sense of verification. The absence of a standardized, third-party-verified authorization framework means that agency procurement decisions are made with inconsistent security assurance levels. StateRAMP and TX-RAMP exist to close this gap by providing a verified, standardized authorization that both vendors and agencies can reference with confidence. The verification is conducted by accredited third-party assessors against NIST 800-53 baselines. The authorization status is maintained through continuous monitoring. The result is a common trust framework that reduces duplicative effort on both sides of the procurement relationship.
StateRAMP readiness begins with baseline selection. The program defines three Impact Levels that correspond to the sensitivity of the data the cloud service will process. Impact Level 1 aligns with FedRAMP Low and covers services handling data with limited sensitivity where a breach would cause minimal adverse effect. Impact Level 2 aligns with FedRAMP Moderate and covers services processing data where a breach could cause serious adverse effect, including most state agency operational data, personally identifiable information, and law enforcement records. Impact Level 3 aligns with FedRAMP High and applies to services handling the most sensitive state data where a breach could cause severe or catastrophic adverse effect. TX-RAMP uses a similar three-level structure. The baseline selection determines which NIST 800-53 controls apply to your assessment: Level 1 requires approximately 125 controls, Level 2 requires approximately 325 controls, and Level 3 requires over 400 controls. Selecting the wrong baseline wastes preparation effort on controls that do not apply, or leaves gaps in controls that do.
The Security Snapshot is StateRAMP's initial readiness assessment. It provides a point-in-time evaluation of the organization's current security posture against the selected baseline before engaging a 3PAO for the formal assessment. The snapshot identifies which controls are already satisfied, which have partial implementations that need strengthening, and which are entirely missing. This gap analysis determines the scope and timeline of the remediation effort required before formal assessment. Organizations that skip readiness assessment and proceed directly to 3PAO engagement risk discovering fundamental gaps during the formal assessment, resulting in wasted assessment fees and extended timelines. The readiness phase also establishes the authorization boundary: which systems, environments, data flows, and infrastructure components are included in the scope of the StateRAMP authorization. Boundary definition errors propagate through the entire assessment. An overly broad boundary inflates the control count and evidence burden. An overly narrow boundary leaves in-scope components unassessed, creating both a security gap and a potential authorization deficiency.
Sentinel runs continuous discovery across your connected accounts and infrastructure, enumerating every resource, configuration, network path, and data flow within the declared authorization boundary. Rampart maps discovered resources to the applicable StateRAMP or TX-RAMP baseline, resolving each NIST 800-53 control to your specific environment and generating the initial security snapshot from observed posture data. Artificer guides the readiness process by asking targeted questions about your service model, data classification, and multi-tenant architecture. Artificer adapts its questions based on what Sentinel has already discovered: if Sentinel identifies encryption configurations on storage resources, Artificer focuses its inquiry on key management practices and rotation policies rather than asking whether encryption exists at all. Garrison displays the discovered estate as a live inventory, providing the foundation for authorization boundary documentation. The readiness assessment is not a documentation exercise conducted in isolation from your running systems. It is a structured evaluation driven by discovery data, guided by intelligence, and mapped to the specific baseline your authorization requires.
The formal authorization process requires engagement with an accredited Third-Party Assessment Organization (3PAO). StateRAMP maintains a list of approved 3PAOs qualified to conduct assessments against StateRAMP baselines. The 3PAO evaluates the cloud service provider's implementation of every control in the selected baseline through document review, evidence examination, personnel interviews, and technical testing. The assessment produces a Security Assessment Report (SAR) that documents findings for each control: whether the control is satisfied, partially satisfied, or not satisfied, along with the specific evidence reviewed and any identified weaknesses. The SAR, along with the System Security Plan (SSP), POA&M, and supporting artifacts, forms the authorization package submitted to the StateRAMP PMO for review. The PMO evaluates the package and issues an authorization decision. Authorization statuses include Ready (security snapshot completed, actively pursuing authorization), Provisional (assessment completed with acceptable risk posture but outstanding items), and Authorized (full authorization with all required controls satisfied or acceptably mitigated).
StateRAMP's three Impact Levels determine the rigor and scope of the assessment. Impact Level 1 requires implementation of approximately 125 NIST 800-53 controls from the FedRAMP Low baseline. This level is appropriate for services processing publicly available data or data with minimal sensitivity. Impact Level 2 requires approximately 325 controls from the FedRAMP Moderate baseline and covers the majority of state agency cloud deployments where data includes PII, financial records, health information, or law enforcement data. Impact Level 3 requires over 400 controls from the FedRAMP High baseline and applies to services handling the most sensitive state data categories. TX-RAMP's three levels follow a parallel structure. The control count difference between levels is substantial: an organization authorized at Level 1 that needs to move to Level 2 must implement roughly 200 additional controls, which represents a significant infrastructure and policy expansion. Selecting the appropriate level from the outset avoids rework and ensures the assessment scope matches the service's actual data handling profile.
Organizations with existing FedRAMP authorization have a direct acceleration path. FedRAMP Authorized products can achieve StateRAMP authorization through an expedited review process that leverages the existing FedRAMP authorization package. The StateRAMP PMO reviews the FedRAMP package, verifies that the authorization is current and in good standing, and issues StateRAMP authorization without requiring a separate 3PAO assessment. This reciprocity is structural: both programs derive from the same NIST 800-53 baselines, use the same assessment methodology, and require the same continuous monitoring deliverables. Rampart maintains your authorization package in a format that satisfies both FedRAMP and StateRAMP submission requirements simultaneously. Artificer generates control narratives that reference your actual infrastructure state as observed by Sentinel, producing implementation descriptions that are specific, verifiable, and consistent across both authorization contexts. Alliance provides your 3PAO with time-bound, read-only access to your controls, evidence, and narratives during the assessment period, enabling independent verification without requiring your team to pull artifacts on demand.
The StateRAMP Authorized Product List is the public registry of cloud services that have achieved StateRAMP authorization. State and local government agencies reference this list during procurement to identify cloud products that have undergone verified security assessment against NIST 800-53 baselines. Listing on the Authorized Product List is not a marketing credential. It is a procurement gating mechanism. Agencies that have adopted StateRAMP standards will limit their cloud procurement to products that appear on this list, or will require vendors not on the list to achieve authorization before contract award. The listing includes the product name, the authorization status (Ready, Provisional, or Authorized), the Impact Level, the authorization date, and the continuous monitoring status. Procurement officers can filter by Impact Level to identify products authorized at the level required for their data sensitivity classification. For cloud service providers, marketplace presence translates directly into revenue opportunity: it opens the door to state and local government contracts across every jurisdiction that recognizes StateRAMP authorization.
TX-RAMP maintains a similar certified products list managed by the Texas DIR. Products that achieve TX-RAMP certification are listed in the DIR's catalog, making them available for procurement by all Texas state agencies. Given that Texas is the second-largest state economy in the United States, TX-RAMP certification represents significant market access for cloud service providers. Texas state agencies are required by statute to verify that cloud services they procure hold appropriate TX-RAMP certification for the data sensitivity level involved. This is not a recommended practice; it is a legal requirement codified in Texas Government Code and enforced by DIR policy. Vendors that lack TX-RAMP certification for the appropriate level are ineligible for contract award. The certification must be maintained through ongoing compliance; a lapsed certification means the product is removed from the DIR catalog and existing state agency contracts may be affected. The stakes of maintaining certification are both commercial and contractual.
Maintaining marketplace-ready posture requires continuous attention to the authorization conditions that earned the listing. Authorization is not a one-time achievement that persists indefinitely. StateRAMP requires ongoing continuous monitoring deliverables, and any significant change to the authorized system (new components, changed architecture, modified data flows, updated infrastructure) may trigger a reassessment requirement. A listing that lapses due to missed continuous monitoring submissions or unresolved findings is removed from the Authorized Product List, and the revenue pipeline it supported evaporates. Sentinel monitors every component within the authorization boundary for changes that could affect authorization status. Rampart tracks your continuous monitoring deliverable schedule and flags upcoming deadlines. Artificer evaluates whether infrastructure changes constitute significant modifications that require PMO notification. The platform maintains your marketplace-ready posture as a continuous state, not a periodic compliance sprint.
StateRAMP continuous monitoring requirements follow a structured cadence derived from FedRAMP's continuous monitoring program. Monthly deliverables include vulnerability scan results across all components within the authorization boundary, POA&M updates reflecting remediation progress on open findings, and inventory updates documenting any changes to the system's hardware, software, and service components. Quarterly deliverables include a comprehensive security status review, updated risk assessment documentation, and evidence of ongoing security awareness training. Annual deliverables include a full security assessment refresh, updated System Security Plan reflecting any architectural or operational changes over the previous year, and a penetration test conducted by the 3PAO or an independent assessor. Each deliverable has a specific submission deadline, and missed submissions trigger escalation procedures that can result in suspension of the authorization status. The cadence is not advisory. It is a condition of maintaining the authorization that earned your marketplace listing.
The practical difficulty of StateRAMP continuous monitoring compounds when an organization holds authorizations across multiple state programs simultaneously. StateRAMP, TX-RAMP, and individual state procurement programs each impose their own submission formats, reporting cadences, and escalation thresholds. A vulnerability scan result that satisfies StateRAMP's monthly deliverable may need reformatting or supplemental context for TX-RAMP submission. Inventory change reports require different levels of detail depending on which state program receives them. POA&M tracking must reflect remediation timelines that vary by program: one state may allow 90 days for moderate findings while another requires 60. The deliverable fatigue is real. Compliance teams that manage three or four state authorizations spend the last week of every month assembling, formatting, and cross-checking artifacts from disparate sources for each program's specific requirements. Evidence collected once must be repackaged multiple times. Missed submission deadlines for any single program risk suspension of that authorization, creating pressure to maintain parallel tracking systems that duplicate effort without improving actual security posture. The burden scales linearly with each additional state program, and most organizations underestimate the operational overhead until they are already committed.
Evidence freshness is the operational challenge that continuous monitoring programs are designed to address. A control that was verified six months ago may no longer reflect the current state of the system. Configurations drift. Personnel change roles. New services are deployed. Encryption keys rotate (or fail to rotate). Access reviews are conducted (or overdue). Each StateRAMP control has an evidence freshness requirement: some controls must be reverified monthly, others quarterly, others annually. When evidence for a control approaches its freshness threshold, Sentinel re-collects from continuous sources automatically for controls that are observed from connected infrastructure. For controls that require human action (policy approvals, management reviews, training completions), the platform escalates through notifications with increasing urgency as the deadline approaches. Citadel's action queue surfaces expiring evidence alongside other compliance actions, ensuring that evidence freshness is managed proactively rather than discovered as a gap during the next deliverable preparation cycle. The goal is zero stale evidence at all times, not periodic evidence refreshes driven by submission deadlines.
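As an added illustration of the cadence and freshness logic described in the two paragraphs above (it is not Redoubt Forge code), here is a small Python checker: each control carries a monthly, quarterly or annual re-verification cadence, observed evidence nearing its threshold is queued for automatic re-collection, and manual evidence is escalated with rising urgency. The day counts, approach windows, urgency tiers and sample records are all constructed assumptions, not StateRAMP values.

```python
"""Evidence freshness checker for a continuous-monitoring programme.

Each control carries a re-verification cadence (monthly / quarterly / annual)
and a last-verified date. Evidence collected from connected infrastructure is
re-collected automatically when it nears its threshold; evidence that needs a
human (policy approvals, access reviews, training) is escalated with rising
urgency. All thresholds and sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Re-verification interval per cadence, in days (constructed approximations).
CADENCE_DAYS = {"monthly": 30, "quarterly": 90, "annual": 365}
# How far ahead of the due date evidence counts as "approaching" (constructed).
APPROACH_WINDOW = {"monthly": 7, "quarterly": 21, "annual": 60}


@dataclass(frozen=True)
class Evidence:
    control: str        # NIST 800-53 control id, e.g. "RA-5"
    cadence: str        # "monthly" | "quarterly" | "annual"
    last_verified: date
    source: str         # "observed" (collected from infrastructure) | "manual"


@dataclass(frozen=True)
class Finding:
    control: str
    status: str         # "fresh" | "approaching" | "stale"
    days_left: int      # negative when overdue
    action: str         # "none" | "recollect" | "escalate:<urgency>"


def urgency(days_left: int) -> str:
    """Escalation tier for manual evidence, rising as the deadline nears."""
    if days_left < 0:
        return "overdue"
    if days_left <= 7:
        return "urgent"
    if days_left <= 21:
        return "high"
    return "notice"


def evaluate(ev: Evidence, today: date) -> Finding:
    """Classify one evidence record and decide what the platform should do."""
    due = ev.last_verified + timedelta(days=CADENCE_DAYS[ev.cadence])
    days_left = (due - today).days
    if days_left < 0:
        status = "stale"
    elif days_left <= APPROACH_WINDOW[ev.cadence]:
        status = "approaching"
    else:
        status = "fresh"

    if status == "fresh":
        action = "none"
    elif ev.source == "observed":
        action = "recollect"            # automatic re-collection, no human needed
    else:
        action = f"escalate:{urgency(days_left)}"
    return Finding(ev.control, status, days_left, action)


def freshness_report(records: list[Evidence], today: date) -> list[Finding]:
    """Evaluate every record; most overdue first so the queue reads top-down."""
    return sorted((evaluate(r, today) for r in records), key=lambda f: f.days_left)


def stale_controls(records: list[Evidence], today: date) -> list[str]:
    """Control ids whose evidence has already lapsed (the 'zero stale' target)."""
    return [f.control for f in freshness_report(records, today) if f.status == "stale"]


# Constructed sample inventory, evaluated at a fixed "today" so results are stable.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Evidence("RA-5", "monthly", date(2025, 5, 5), "observed"),     # vulnerability scans
    Evidence("CM-8", "monthly", date(2025, 4, 20), "observed"),    # component inventory
    Evidence("AT-2", "quarterly", date(2025, 3, 15), "manual"),    # awareness training
    Evidence("CA-8", "annual", date(2024, 7, 20), "manual"),       # penetration test
    Evidence("AC-2", "quarterly", date(2025, 2, 1), "manual"),     # access review
    Evidence("AU-6", "monthly", date(2025, 5, 25), "observed"),    # audit log review
]

if __name__ == "__main__":
    for f in freshness_report(SAMPLE, TODAY):
        print(f"{f.control:<6}{f.status:<12}{f.days_left:>5}d  {f.action}")
```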
Reciprocity between FedRAMP and StateRAMP is not an informal courtesy. It is a structural feature of both programs, rooted in their shared reliance on NIST 800-53 baselines and accredited third-party assessment methodology. A cloud service provider that holds a current FedRAMP Authorization to Operate (ATO) at the Moderate baseline has already demonstrated implementation of approximately 325 NIST 800-53 controls through a FedRAMP-accredited 3PAO assessment. StateRAMP Impact Level 2 requires the same control set assessed against the same baseline. The StateRAMP PMO accepts FedRAMP authorization packages as evidence of compliance, issuing StateRAMP authorization through an expedited review process rather than requiring a separate, redundant assessment. TX-RAMP provides similar recognition: FedRAMP Authorized services satisfy TX-RAMP certification requirements, and the DIR processes these through an accelerated pathway. The reciprocity is bidirectional in intent if not always symmetric in implementation; StateRAMP authorization does not automatically confer FedRAMP status, but the assessment work and evidence collection are directly reusable for FedRAMP pursuit.
The reciprocity pathway creates a strategic compliance sequence for organizations that serve both federal and state government markets. Achieving FedRAMP authorization first provides the maximum downstream leverage: the FedRAMP package satisfies StateRAMP, TX-RAMP, and other state programs that recognize federal authorization. Organizations that start with StateRAMP can still leverage that work toward FedRAMP, but the path requires additional effort because FedRAMP imposes requirements beyond the baseline controls, including specific continuous monitoring cadences, incident response timelines, and agency-specific integration requirements. The optimal sequence depends on the organization's market priorities and existing compliance posture. An organization with strong federal contracts and emerging state opportunities should maintain FedRAMP as the primary authorization and derive state authorizations from it. An organization entering the government market through state contracts may find StateRAMP authorization a more achievable first milestone, with the work compounding toward eventual FedRAMP pursuit.
Rampart's derivation chain resolves overlapping controls between FedRAMP, StateRAMP, and TX-RAMP at the individual control level. When you satisfy NIST 800-53 control AC-2 (Account Management) for your FedRAMP authorization, Rampart automatically reflects that satisfaction in your StateRAMP assessment, your TX-RAMP assessment, and every other framework that derives from the same control. The resolution is not a percentage estimate or a summary alignment score. It traces each control through the derivation chain from the source framework to the target framework, accounting for framework-specific parameter differences where they exist. FedRAMP may require a specific vulnerability scanning frequency; StateRAMP may accept the same frequency or specify a different one. Rampart surfaces these parameter differences explicitly so your team addresses them without re-implementing the underlying control. Artificer identifies which controls are fully satisfied through reciprocity and which require incremental work to meet state-specific parameters. The marginal effort to add StateRAMP or TX-RAMP authorization to an existing FedRAMP posture is a fraction of the original authorization effort, because the control overlap is structural and the platform resolves it deterministically.
StateRAMP and TX-RAMP baselines derive directly from NIST 800-53, the same control catalog that underpins FedRAMP, CMMC (through NIST 800-171), RMF/FISMA, and the NIST Cybersecurity Framework. This shared lineage means that work performed for any one of these frameworks compounds into progress across all of them. An organization that implements AC-2 (Account Management) for StateRAMP Impact Level 2 has simultaneously satisfied the same control for FedRAMP Moderate, addressed the corresponding CMMC Level 2 practice (AC.L2-3.1.1 through the NIST 800-171 derivation), and advanced its SOC 2 posture under CC6.1 (Logical and Physical Access Controls). The derivation is not approximate. Each relationship traces through published mappings maintained by NIST, the AICPA, and ISO. The investment in StateRAMP authorization is not isolated to the state government market. It propagates through your entire compliance portfolio, reducing the marginal cost of each subsequent framework assessment.
The compounding effect is most pronounced for organizations that serve multiple government jurisdictions. A defense contractor pursuing CMMC Level 2 for DoD contracts, FedRAMP Moderate for civilian federal agencies, and StateRAMP Impact Level 2 for state government opportunities is implementing the same NIST 800-53 Moderate baseline across all three programs. Without cross-framework resolution, this organization would maintain three separate compliance programs, three separate evidence collection processes, and three separate assessment cycles, all evaluating the same underlying controls. The redundancy is not just inefficient; it introduces inconsistency risk. When the same control is documented differently across three frameworks, the organization cannot guarantee that all three descriptions accurately reflect the current implementation. A change to the access control architecture must be updated in three separate SSPs, three separate evidence packages, and three separate continuous monitoring streams. Cross-framework resolution eliminates this redundancy by maintaining a single source of truth for each control and deriving framework-specific representations from that shared foundation.
Rampart resolves cross-framework relationships through five mapping strategies: native control mapping using direct relationships published by framework authorities, NIST 800-53 derivation chain tracing that follows each framework's lineage back through the shared control catalog, NIST CSF 2.0 bridging that uses the Cybersecurity Framework's function and category structure as an intermediary between frameworks that lack direct mappings, published cross-walks from authoritative sources (AICPA for SOC 2, ISO for 27001, NIST for all NIST publications), and intelligence-suggested mappings that require human confirmation before activation. When you activate a new framework assessment in Rampart, it arrives pre-populated from your existing StateRAMP work. Every control that maps through the derivation chain is resolved automatically. Framework-specific parameters that differ (scanning frequencies, evidence retention periods, reporting cadences) are surfaced explicitly so your team addresses the delta rather than re-implementing the entire control. The marginal effort decreases with each framework added, because the control overlap compounds through the shared NIST 800-53 foundation. One security posture. Every framework computed.
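The derivation-chain resolution described above for AC-2 and for scanning-frequency parameters, as an added example rather than Rampart's own code: controls implemented once for a source baseline are resolved against a target baseline that selects from the same NIST 800-53 catalog, and a stricter framework-specific parameter surfaces as an explicit delta instead of an unresolved control. The baseline subsets, parameter names and numeric values are constructed for illustration and are not the real FedRAMP, StateRAMP or TX-RAMP parameters.

```python
"""Cross-framework control resolution through a shared NIST 800-53 lineage.

A control implemented once (here for a FedRAMP Moderate posture) is resolved
against other frameworks that select from the same catalog. Where a target
framework sets a stricter parameter (scan interval, POA&M deadline), the delta
is surfaced instead of re-implementing the control. The baseline subsets and
parameter values below are constructed and deliberately tiny.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    name: str
    controls: frozenset[str]
    # control id -> {parameter: maximum allowed value}; a smaller value is stricter
    params: dict[str, dict[str, int]] = field(default_factory=dict)


@dataclass(frozen=True)
class Implemented:
    control: str
    params: dict[str, int] = field(default_factory=dict)  # values as implemented


@dataclass(frozen=True)
class Resolution:
    control: str
    status: str                   # "satisfied" | "parameter_delta" | "missing"
    deltas: tuple[str, ...] = ()  # human-readable parameter gaps, if any


def resolve(target: Baseline, impl: dict[str, Implemented]) -> dict[str, Resolution]:
    """Trace every control in the target baseline back to the shared implementation."""
    out: dict[str, Resolution] = {}
    for cid in sorted(target.controls):
        if cid not in impl:
            out[cid] = Resolution(cid, "missing")
            continue
        deltas = []
        for pname, limit in target.params.get(cid, {}).items():
            have = impl[cid].params.get(pname)
            # A parameter is met when the implemented value is at least as strict.
            if have is None or have > limit:
                deltas.append(f"{pname}: have {have}, {target.name} requires <= {limit}")
        status = "parameter_delta" if deltas else "satisfied"
        out[cid] = Resolution(cid, status, tuple(deltas))
    return out


def summarize(res: dict[str, Resolution]) -> dict[str, int]:
    """Count controls by resolution status for a quick coverage view."""
    counts = {"satisfied": 0, "parameter_delta": 0, "missing": 0}
    for r in res.values():
        counts[r.status] += 1
    return counts


def worklist(res: dict[str, Resolution]) -> list[Resolution]:
    """Only the controls that still need incremental work for the target."""
    return [r for r in res.values() if r.status != "satisfied"]


# Constructed implementation record from a FedRAMP Moderate posture.
IMPL = {c.control: c for c in [
    Implemented("AC-2"),                                   # Account Management
    Implemented("RA-5", {"scan_interval_days": 30}),       # vulnerability scanning
    Implemented("CA-5", {"poam_moderate_days": 90}),       # POA&M remediation window
    Implemented("SI-2", {"flaw_remediation_high_days": 30}),
]}

# Constructed target baselines: the StateRAMP one mirrors the source parameters,
# the TX-RAMP one tightens two of them and adds a control not yet implemented.
STATERAMP_IL2 = Baseline("StateRAMP IL2", frozenset({"AC-2", "RA-5", "CA-5", "SI-2"}),
                         {"RA-5": {"scan_interval_days": 30},
                          "CA-5": {"poam_moderate_days": 90}})
TXRAMP_L2 = Baseline("TX-RAMP L2", frozenset({"AC-2", "RA-5", "CA-5", "SI-2", "CP-9"}),
                     {"RA-5": {"scan_interval_days": 14},
                      "CA-5": {"poam_moderate_days": 60}})

if __name__ == "__main__":
    for target in (STATERAMP_IL2, TXRAMP_L2):
        res = resolve(target, IMPL)
        print(target.name, summarize(res))
        for r in worklist(res):
            print("  ", r.control, r.status, *r.deltas)
```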
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.