StateRAMP Authorization Package
Overview
Draft and validate StateRAMP authorization packages for cloud service providers serving U.S. state and local government: System Security Plan (SSP) with attachments, Security Assessment Plan (SAP), Security Assessment Report (SAR), Plan of Action & Milestones (POA&M), and the StateRAMP Snapshot for the Authorized Products List.
Getting Started
Add your source materials to the project workspace, then activate the StateRAMP Authorization Package skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re pursuing StateRAMP Moderate authorization for our permitting and licensing SaaS platform used by state agencies. I’ve uploaded our architecture diagrams and our existing SOC 2 Type II report. Where do we start?
Agent: Great starting point — a SOC 2 Type II report gives us a lot of reusable material. To scope the StateRAMP package: (1) What types of state data does the system process — PII of citizens, agency employee data, financial data? (2) Is the system hosted on a FedRAMP-authorized infrastructure we can leverage for control inheritance? (3) Which states are currently using or procuring this system?
You: It processes PII — names, addresses, business registration data. We’re on AWS GovCloud. Customers are in California, Texas, and Ohio so far.
Agent: AWS GovCloud’s FedRAMP P-ATO gives us solid inheritance for infrastructure controls. I’ve started ssp-draft.md. For the Privacy Impact Assessment, processing citizen PII across three states triggers California’s CPRA and breach notification obligations — I’ll make sure those are referenced in the PIA and the Incident Response Plan. Shall I draft the authorization boundary first, or start with the control implementations so you can see scope?
You: Start with the IRP — our CISO wants that reviewed first.
Agent: I’ve created irp.md — Incident Response Plan. I’ve drafted the reporting chain: system owner → company CISO → state agency CISO contacts → StateRAMP PMO within 1 hour for High/Critical incidents. I’ve added a state breach notification section with statutes for CA (72-hour consumer notification), TX (60 days), and OH (45 days). The IRP includes four incident severity tiers with escalation procedures and a tabletop test schedule. Want me to add the contact directory section now?
Sample Output Excerpt
Below is a representative excerpt from a StateRAMP Moderate System Security Plan and StateRAMP Snapshot.
Control IA-2(1) — Multi-Factor Authentication: Privileged Accounts
Status: Implemented | Origination: SP System
Implementation narrative:
Multi-factor authentication is enforced for all privileged account access to the system, including administrative console access, database administration, and infrastructure management functions. MFA is implemented via Okta Verify (TOTP) integrated with the organisation’s identity provider. Privileged accounts are defined as any account with elevated rights including system administration, security administration, database administration, and CI/CD pipeline management roles.
MFA is enforced at the identity provider level; bypass is not technically possible without the registered device. Privileged sessions are additionally subject to privileged access management controls — all privileged sessions are proxied through CyberArk, recorded, and subject to session anomaly alerting.
Parameter values: MFA required for all privileged access (StateRAMP Moderate parameter, aligned with FedRAMP). Lockout after 3 failed attempts per AC-7.
State context: This control directly supports compliance with applicable state security policies requiring MFA for access to systems processing citizen PII.
StateRAMP Snapshot
System name: CivicPermit SaaS Platform v3.2
CSP: Acme Government Solutions, Inc. | compliance@acmegovsolutions.com
Service model: SaaS | Deployment model: Government Community Cloud (AWS GovCloud)
Impact level: Moderate
System description: Cloud-based permitting and licensing management platform for state and local government agencies. Supports business registration, permit application, status tracking, and payment processing. Processes citizen PII including names, addresses, and business registration data.
Authorization status: StateRAMP Authorized
Authorization date: 15 March 2025 | Expiration: 14 March 2026
Assessing 3PAO: ClearSecure Assessment Partners, LLC
Scope: Authorization covers the CivicPermit SaaS application, API gateway, database tier, and CI/CD pipeline hosted in AWS GovCloud (us-gov-east-1). Excludes: legacy on-premises integration connector (separately assessed), professional services engagements.
Open POA&M summary: High: 0 / Moderate: 3 / Low: 7 — all items have documented remediation plans with target dates.
Continuous monitoring: Monthly scans: Current | POA&M updates: Current | Annual pen test: 22 Jan 2025
Built-in Scripts and Validation
The skill includes a validation tool the agent runs against SSP files, POA&M updates, and the StateRAMP Snapshot throughout the authorization lifecycle.
Validation tools
| Tool | Purpose |
|---|---|
| stateramp_package_completeness_check | Accepts the path to an SSP file or package directory plus the impact level (Low, Moderate, or High). Validates: (1) NIST 800-53 Rev 5 control families for the selected baseline are represented in the SSP; (2) implementation status keywords are present for control entries; (3) the seven required SSP attachments are detectable — Rules of Behavior, Contingency Plan, Incident Response Plan, Configuration Management Plan, Digital Identity Worksheet, Control Implementation Summary, and Customer Responsibility Matrix; (4) a Privacy Impact Assessment is present if PII processing is indicated; (5) authorization boundary and data flow diagrams are referenced; (6) a POA&M is present if outstanding findings exist; (7) the StateRAMP Snapshot contains all required fields — system name, service model, deployment model, impact level, authorization date, and scope description. Issues are flagged as must-fix; attachment and Snapshot gaps are flagged as warnings. Returns PASS or FAIL with a detailed item list. |
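The checks in the table above, written out as an added Python example that is not the skill's own tool: it slices an SSP text into control entries, requires a status keyword in each, requires a PIA when PII is mentioned and a boundary or data flow diagram reference, and reports attachment and Snapshot gaps as warnings. The control-family check is omitted, the SSP and Snapshot are passed as strings rather than file paths, and the sample input is constructed for the example.

```python
import re

# Attachment names and Snapshot fields as listed in this page's tool description.
REQUIRED_ATTACHMENTS = [
    "Rules of Behavior", "Contingency Plan", "Incident Response Plan",
    "Configuration Management Plan", "Digital Identity Worksheet",
    "Control Implementation Summary", "Customer Responsibility Matrix",
]
SNAPSHOT_FIELDS = ["System name", "Service model", "Deployment model",
                   "Impact level", "Authorization date", "Scope"]
STATUS_RE = re.compile(r"Status:\s*(Implemented|Partially Implemented|Planned|"
                       r"Alternative Implementation|Not Applicable)")
HEADER_RE = re.compile(r"^Control ([A-Z]{2}-\d+(?:\(\d+\))?)", re.M)

def completeness_check(ssp_text, snapshot_text):
    """Return (verdict, findings); each finding is (severity, message)."""
    findings = []
    # Slice the SSP into control entries and require a status keyword in each.
    heads = list(HEADER_RE.finditer(ssp_text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(ssp_text)
        if not STATUS_RE.search(ssp_text[m.end():end]):
            findings.append(("must-fix", f"{m.group(1)}: no implementation status"))
    if re.search(r"\bPII\b", ssp_text) and "Privacy Impact Assessment" not in ssp_text:
        findings.append(("must-fix", "PII processed but no Privacy Impact Assessment"))
    if not re.search(r"(authorization boundary|data flow) diagram", ssp_text, re.I):
        findings.append(("must-fix", "no boundary or data flow diagram referenced"))
    # Attachment and Snapshot gaps are warnings, not must-fix items.
    for name in REQUIRED_ATTACHMENTS:
        if name.lower() not in ssp_text.lower():
            findings.append(("warning", f"attachment not detected: {name}"))
    for field in SNAPSHOT_FIELDS:
        if not re.search(rf"^{field}:", snapshot_text, re.M | re.I):
            findings.append(("warning", f"Snapshot field missing: {field}"))
    verdict = "FAIL" if any(s == "must-fix" for s, _ in findings) else "PASS"
    return verdict, findings

# Constructed sample input: one complete entry (IA-2(1)) and one lacking a status.
SAMPLE_SSP = """\
Control IA-2(1) - Multi-Factor Authentication: Privileged Accounts
Status: Implemented
Attachments: Rules of Behavior, Contingency Plan, Incident Response Plan,
Configuration Management Plan, Digital Identity Worksheet,
Control Implementation Summary, Customer Responsibility Matrix.
Processes citizen PII. See the authorization boundary diagram in Appendix A.
Control AC-7 - Unsuccessful Logon Attempts
Lockout after 3 failed attempts.
"""
SAMPLE_SNAPSHOT = "System name: Example SaaS\nService model: SaaS\n" \
                  "Deployment model: Government Community Cloud\n" \
                  "Impact level: Moderate\nScope: application and API gateway\n"
```

Running `completeness_check(SAMPLE_SSP, SAMPLE_SNAPSHOT)` returns FAIL with two must-fix findings (AC-7 has no status, no PIA) and one warning (Snapshot lacks an authorization date).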