Arapahoe County, Colorado

StateRAMP Adoption 

About the Program

Why StateRAMP

Protecting our County’s most sensitive and critical data is a team sport in Colorado. We have cybersecurity teams working non-stop to protect and defend our networks and systems from hackers, but the threats are always changing and we must work to stay ahead by strengthening those networks and systems. We must all work together to ensure the confidentiality, integrity, and accessibility of our County’s data. 

One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards – rather than just checking a box. This is where StateRAMP comes in.  

Standing for Risk and Authorization Management Program, StateRAMP has developed a roadmap for vendors to follow to demonstrate that they are meeting national cybersecurity standards through an externally verifiable process.  

Arapahoe County is excited to lead the way in adopting StateRAMP as a framework for our contract and procurement process to ensure that we are covering every angle possible when it comes to protecting our residents’ data and ensuring our overall security. 

Learn more about this initiative on the Arapahoe County Website.

Not every contract will require StateRAMP authorization. To help determine where StateRAMP should be required, consider the following survey questions:

  • Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
      • If yes, StateRAMP Low is recommended. 
  • Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the U.S. Department of Labor (DOL)?
      • If yes, StateRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
      • If yes, StateRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
      • If yes, StateRAMP Moderate is recommended.
  • Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
      • If yes, StateRAMP Moderate is recommended.
  • Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
      • If yes, StateRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
      • If yes, StateRAMP Moderate is recommended. Note: States may add additional controls to StateRAMP Moderate to comply with the CJIS requirements. 

If you would like assistance determining when authorization may be needed, StateRAMP has a Program Management Office (PMO) Team that is happy to review upcoming solicitations, contract renewals, and other research to help proactively identify for the State and vendors when to implement StateRAMP.

For additional information and insights in determining when StateRAMP may be required, we will have Data Classification training available here.

Please also feel free to reach out to info@stateramp.org for additional information on Data Classification. 

Navigating government security requirements can be an obstacle for service providers, costing precious time and resources. StateRAMP membership simplifies this process by allowing you to streamline compliance for your IaaS, PaaS, and SaaS offerings across multiple government contracts. Leverage your once-verified security posture to unlock doors to wider public sector opportunities.

Service providers interested in becoming a StateRAMP Member should complete the service provider membership form. Service provider membership is available for organizations offering and/or using IaaS, PaaS, and/or SaaS solutions that process, store, and/or transmit government data.

To learn more about how to obtain a StateRAMP Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.

For new contracts, service providers need to submit a letter of StateRAMP authorization (Snapshot, Ready status or Authorized status) in response to the respective solicitation.

If the service provider is not already at Ready or Authorized status at the time a contract is awarded, they must submit a Progressing Snapshot score to demonstrate progress towards Ready or Authorized status. 

The Purchasing Division provides a centralized source for pricing, sourcing, quotations, order placement, vendor contact and general problem solving. 

To accomplish this, we assess the marketplace, determine the best way to acquire materials and services, and develop bid documents that are consistent with state laws, county policies and government procurement practices. Purchasing oversees all of the bid processes to ensure compliance with these standards. If you are a vendor looking to do business with the County, check out current bid opportunities or contact our office. 

If you need assistance, please visit the RMEPS website, or contact the RMEPS Vendor Support department at 1-800-835-4603, option 2.

The goal for existing contracts is to ensure that service providers demonstrate cybersecurity compliance before a contract renewal. The general guidance is for service providers to begin working towards Ready or Authorized status (as determined by the general impact level) at least 12 or 18 months, respectively, before the contract renewal date.

Contact Information and Trainings

Please join StateRAMP staff on the first Wednesday of every month from 2:30 pm – 3:00 pm Eastern for Office Hours! This is an open forum for Service Providers, 3PAOs, State and local governments, and higher education institutions to ask StateRAMP staff questions. For more information on office hours, please visit StateRAMP Event Information.

For additional questions, please reach out to:  

Nikki Rosecrans – Manager of Information Security and Compliance  NRosecrans@arapahoegov.com

Please email technical questions to pmo@stateramp.org or visit our Service Providers page.