Workshop on the StateRAMP authorization process for cloud service providers selling to state and local agencies. Covers the StateRAMP Security Snapshot, Ready vs Authorized status, baseline selection, the difference from FedRAMP, and the Product Authorization Management process. Includes timing and budget planning.
State and local government agencies are accelerating cloud adoption, and the vendors that serve them face a growing authorization requirement: StateRAMP. This four-hour workshop cuts through the complexity of the StateRAMP authorization lifecycle and gives cloud service providers a practical, sequenced roadmap for achieving and maintaining authorized status with SLED customers.
Instructor Carl B. Johnson, President and CISO at Cleared Systems, guides participants through each stage of the process with the precision that compliance practitioners need and the strategic framing that satisfies the managers responsible for authorizing the investment.
The session opens by establishing why StateRAMP exists as a distinct authorization framework and how state, local, and education (SLED) procurement requirements differ from their federal counterparts. Participants learn how StateRAMP governance is structured, who the key stakeholders are, and how the program interacts with individual state procurement offices.
A central focus of the workshop is the StateRAMP Security Snapshot—what it evaluates, how it is scored, and why it matters even before a full authorization is pursued. Carl walks through the difference between StateRAMP Ready and StateRAMP Authorized status, the evidence each requires, and the strategic decision points that determine which path is right for your organization at a given moment.
Participants work through the logic of baseline selection—Low, Moderate, and High impact levels—grounded in the NIST SP 800-53 control catalog that underpins StateRAMP requirements. The session covers how to map your existing security posture against the applicable baseline, identify control gaps, and prioritize remediation work before engaging a Third-Party Assessment Organization (3PAO).
Many practitioners assume StateRAMP is simply a scaled-down version of FedRAMP. This section addresses that misconception directly. The workshop compares authorization bodies, reciprocity provisions, continuous monitoring obligations, and the practical differences in documentation and evidence requirements so that organizations holding or pursuing a FedRAMP authorization understand exactly where StateRAMP diverges and what additional work is required.
The workshop closes with an in-depth look at the Product Authorization Management (PAM) process—how StateRAMP tracks authorized products, how vendors maintain their listing, and what continuous monitoring requirements apply after authorization is granted. Timing expectations, common submission pitfalls, and realistic budget planning for both the initial authorization and ongoing compliance are covered in detail.
This workshop is built for compliance managers, security analysts, and GRC practitioners at cloud service providers that sell—or intend to sell—to state and local government customers. It is equally valuable for product managers and technical program managers who coordinate authorization efforts across engineering and security teams. If your organization is responding to SLED RFPs that ask about StateRAMP status, or if a state agency has made authorization a contract condition, the right people to send are those who will own the documentation, manage the 3PAO relationship, and report progress to leadership.
Managers approving this training investment should know: participants return with a scoped plan, not just awareness. If your team also supports broader Federal and SLED risk assessment work or is building out a formal compliance program, this workshop integrates directly with those efforts. Organizations that need hands-on support after the workshop can explore compliance program development services tailored to cloud authorization requirements.
This is not a survey course. Four hours is enough time to cover the StateRAMP authorization process thoroughly only because the session stays focused, moves at a practitioner's pace, and treats participants as professionals who can apply what they learn immediately. Attendees are encouraged to bring current information about their cloud offering, existing security documentation, and any SLED customer requirements they are already working against. The more context you bring in, the more actionable your outputs will be.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.