Arapahoe County, Colorado

Not every contract will require StateRAMP authorization. To help begin to discern where StateRAMP does need to be required, the following is a list of survey questions:  

• Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
  • • If yes, StateRAMP Low is recommended. 
• Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the U.S. Department of Labor (DOL)?
  • • If yes, StateRAMP Moderate is recommended. 
• Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
  • • If yes, StateRAMP Moderate is recommended. 
• Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
  • • If yes, StateRAMP Moderate is recommended.
• Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
  • • If yes, StateRAMP Moderate is recommended.
• Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
  • • If yes, StateRAMP Moderate is recommended. 
• Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
  • • If yes, StateRAMP Moderate is recommended. Note: States may add additional controls to StateRAMP Moderate to comply with the CJIS requirements. 

If you would like assistance determining when authorization may be needed, StateRAMP has a Program Management Office (PMO) Team that is happy to review upcoming solicitations, contract renewals, and other research to help proactively identify for the State and vendors when to implement StateRAMP.

For additional information and insights in determining when StateRAMP may be required, we will have Data Classification training available here. 

Please also feel free to reach out to info@stateramp.org for additional information on Data Classification. 

Navigating government security requirements can be an obstacle for service providers, costing precious time and resources. StateRAMP membership simplifies this process by allowing you to streamline compliance for your IaaS, PaaS, and SaaS offerings across multiple government contracts. Leverage your once-verified security posture to unlock doors to wider public sector opportunities.

Service providers interested in becoming a StateRAMP Member should complete the service provider membership form. Service provider membership is available for organizations offering and/or using IaaS, PaaS, and/or SaaS solutions that process, store, and/or transmit government data.

To learn more about how to obtain a StateRAMP Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process. In the meantime, please feel free to subscribe to our mailing list at the bottom of the page to receive updates from StateRAMP.

For new contracts,

service providers needing to submit a letter of StateRAMP authorization (Snapshot, Ready status or Authorized status) in response to a respective solicitation. 

If the service provider is not already at Ready or Authorized status at the time a contract is awarded, they must submit a Progressing Snapshot score to demonstrate progress towards Ready or Authorized status. 

The Purchasing Division provides a centralized source for pricing, sourcing, quotations, order placement, vendor contact and general problem solving. 

To accomplish this, we assess the marketplace, determine the best way to acquire materials and services, and develop bid documents that are consistent with state laws, county policies and government procurement practices. Purchasing oversees all of the bid processes to ensure compliance with these standards. If you are a vendor looking to do business with the County, check out current bid opportunities or contact our office. 

If you need assistance, please visit the RMEPS website, or contact the RMEPS Vendor Support department at 1-800-835-4603, option 2.

The goal for existing contracts is to ensure that service providers demonstrate cybersecurity compliance before a contract renewal. The general guidance here is for service providers to begin working towards Ready or Authorized status (as determined by the general impact level) with at least 12 or 18 months respectively of the contract renewal date.