Important News:SafeLogic announces PQC Early Adopter Program at RSA Conference 2024 Learn more!

Understanding FIPS 140 Requirements for StateRAMP Compliance

StateRAMP FIPS 140 Compliance

What is StateRAMP?

StateRAMP is a security framework designed to standardize, strengthen, and streamline cloud security for government entities at the state and local level. Drawing heavily from the success and structure of FedRAMP, the Federal Risk and Authorization Management Program, StateRAMP provides a unified approach to assessing and managing cybersecurity risk for cloud service providers (CSPs) serving state and local governments. SafeLogic is a StateRAMP member.

StateRAMP FIPS Compliance


How is StateRAMP Related to FedRAMP?

StateRAMP & FIPS 140

StateRAMP draws heavily on the structure and success of FedRAMP, adopting its methodologies while tailoring its scope and application for state and local government entities. This allows CSPs working with state and local governments to leverage their FedRAMP experience and knowledge while aligning with the specific requirements of StateRAMP. Thus, StateRAMP and FedRAMP, while distinct in their scope, are fundamentally allied in their mission to provide robust cybersecurity frameworks for government operations.

IaaS, PaaS, and SaaS Providers Must use FIPS Validated Cryptography for Encryption to Obtain their StateRAMP Certification

StateRAMP is based on FedRAMP, which is in turn based on NIST Special Publication (SP) 800-53. There are three (3) critical controls that have been mapped from NIST 800-53,  are required at every StateRAMP baseline, and that address encryption:

  • IA-7 Cryptographic Module Authentication
  • SC-12 Cryptographic Key Establishment and Management
  • SC-13 Cryptographic Protection

NIST security controls in all their publications always reference the standards it wrote for cryptography – Federal Information Processing Standard 140, now in the process of transitioning from its second revision, FIPS 140-2, to its third, FIPS 140-3.

SP 800-53 states that in all cases, if encryption is employed as a mechanism to meet a security requirement, it must be FIPS 140 validated under the Cryptographic Module Validation Program (CMVP).

You can never go wrong with FIPS 140-2 validated encryption in federal government deployments or when satisfying NIST requirements.

FIPS for StateRAMP Certification


SafeLogic's FIPS 140 Validation-as-a-Services Meets StateRAMP Requirements


Getting your own cryptography software reviewed, tested, validated, and certified by NIST can take as long as two years, not counting the time required to develop the software.  SafeLogic literally cuts the time required to achieve NIST FIPS 140 certification from two years to two months, then keeps your certification active over time with these three key capabilities.


CryptoComply White
CryptoComply White


CryptoComply is SafeLogic’s flagship software, a family of FIPS 140 validated cryptographic software modules. They deliver “Drop-in Compliance” as direct replacements for popular open-source crypto providers.

RapidCert White
RapidCert White


SafeLogic revolutionized the FIPS industry twelve years ago with RapidCert, the industry's first expedited rebranding program. Get a FIPS certification in your name in only two months with RapidCert.

MaintainCert White
MaintainCert White


Now SafeLogic is revolutionizing FIPS again with MaintainCert. FIPS certificates go ‘historical’, meaning they are no longer valid, all the time. Not with MaintainCert, SafeLogic’s new white-glove support service.

Want to learn more about how SafeLogic can help with your StateRAMP effort? Speak with one of our FIPS experts!

What is Required to Get StateRAMP Authorized?

StateRAMP Authorized Products


To have a cloud product StateRAMP certified, a company must first become a Cloud Service Provider (CSP). CSPs must then navigate a multi-step process. Initially, the CSP must complete a Security Assessment Plan (SAP), which provides a detailed description of the security controls in place and how they are implemented. This plan is then assessed by a StateRAMP approved Third Party Assessment Organization (3PAO). After the assessment, the 3PAO prepares the Security Assessment Report (SAR) which details the results of the security assessment.

The CSP is also required to prepare a System Security Plan (SSP), which provides an overview of the security requirements of the system and describes the controls in place to meet those requirements. The CSP then submits the SSP, the SAR, and a Plan of Action and Milestones (POAM) to the StateRAMP PMO. The POAM should detail how any outstanding security issues will be addressed.

The StateRAMP PMO reviews the submitted documents and, if everything is in order, certifies the CSP's cloud product as StateRAMP-ready. Regular monitoring is conducted to ensure that the company's cloud product continues to meet the StateRAMP requirements. This cycle of continuous monitoring and reauthorization ensures that the cloud product remains compliant and secure in the ever-evolving cyberspace.