The State of Colorado and StateRAMP

This program page is dedicated to informing both government agencies within and service providers serving the State of Colorado about the StateRAMP program. Here, you can find all the information you need to understand, implement, and benefit from this valuable cybersecurity framework.

About the Program

Why StateRAMP

Protecting our State’s most sensitive and critical information is a team sport in Colorado. We have cybersecurity teams working non-stop to protect and defend our networks and systems from hackers, but the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.

One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where StateRAMP comes in.

StateRAMP (State Risk and Authorization Management Program) has developed a roadmap for cloud service providers to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.

Learn more about StateRAMP on stateramp.org.

Working Together

The Colorado Governor’s Office of Information and Technology (OIT) and Department of Personnel and Administration (DPA) have teamed up to implement StateRAMP in Colorado. Together, OIT and DPA have worked to update Colorado’s cybersecurity procedures and standard language to require StateRAMP authorization for service providers that touch or hold the State of Colorado’s data. Additionally, Colorado’s solicitation and contract language are being updated so that state agencies can make the process as seamless as possible.

The updated language and templates will be available here once finalized.

When is StateRAMP required?

Not every contract will require StateRAMP validation. The State of Colorado’s Office of Information Technology (OIT) will determine when StateRAMP validation is required.

For those cloud service provider products that do require StateRAMP validation, the following is a list of survey questions to help determine the appropriate impact level:

Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
- - If yes, StateRAMP Low is recommended.
Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the Colorado Revised Statue 24-37.5-102?
- - If yes, StateRAMP Moderate is recommended.
Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
- - If yes, StateRAMP Moderate is recommended.
Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
- - If yes, StateRAMP Moderate is recommended.
Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
- - If yes, StateRAMP Moderate is recommended.
Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
- - If yes, StateRAMP Moderate is recommended.
Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
- - If yes, StateRAMP Moderate is recommended. Note: States may add additional controls to StateRAMP Moderate to comply with the CJIS requirements.

For additional questions on identifying what qualifies for StateRAMP requirements, please contact Colorado’s Information Security team.

For additional questions and clarification of impact levels, please review our recorded data classification training here.

Please also feel free to reach out to info@stateramp.org

What is the StateRAMP process?

Navigating government security requirements can be an obstacle for service providers, costing precious time and resources. StateRAMP membership simplifies this process by allowing you to streamline compliance for your IaaS, PaaS, and SaaS offerings across multiple government contracts. Leverage your once-verified security posture to unlock doors to wider public sector opportunities.

Service providers interested in becoming a StateRAMP Member should complete the service provider membership form. Service provider membership is available for organizations offering and/or using IaaS, PaaS, and/or SaaS solutions that process, store, and/or transmit government data.

To learn more about how to obtain a StateRAMP Status, visit our Getting Started with StateRAMP Guide for Service Providers. This document provides an overview of the StateRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the StateRAMP verification process.

NEW CONTRACTS

Colorado recently adopted a new technical standard for contracts moving forward that allows for a phased approach for service providers to demonstrate StateRAMP authorization. Generally, this translates to service providers needing to submit a letter of StateRAMP authorization (Snapshot, Ready status or Authorized status) in response to a respective solicitation.

If the service provider is not already at Ready or Authorized status at the time a contract is awarded, they must submit a Progressing Snapshot score to demonstrate progress towards Ready or Authorized status.

Please review the updated technical standard here.

If a service provider is already FedRAMP compliant, there is an opportunity to take advantage of a Fast Track option. Learn more by contacting info@stateramp.org.

EXISTING CONTRACTS

The goal for existing contracts is to ensure that service providers demonstrate cybersecurity compliance before a contract renewal. The general guidance here is for service providers to begin working towards Ready or Authorized status (as determined by the general impact level) with at least 12 or 18 months respectively of the contract renewal date.

Review the updated technical standard here.

Announcements

.Please join StateRAMP staff on the first Wednesday of every month from 2:30 pm – 3:00 pm Eastern for Office Hours! This is an open forum for Service Providers, 3PAOs, State and local governments, and higher education institutions to ask questions to StateRAMP staff. For more information on office hours, please visit StateRAMP Event Information.

State Bidding Opportunities

Click below to see the list of current government solicitations for the State of Colorado.

Colorado Procurement

Click below to learn more about how to do business with the State.

Colorado Standards and Guidelines

Click below to see the State’s Standards and Guidelines.

Contact Information

For additional questions, please reach out to:

Suppliers – For any questions about StateRAMP, please email pmo@stateramp.org or visit our Service Providers page.

For questions to Colorado OIT, please email OIT_RISC@state.co.us.

Other Participating Governments

StateRAMP is accepted by Colorado and other states. Click below to see a list of StateRAMP’s participating governments.

State and Local Government

Contact us and schedule a conversation to get started. For more information about how StateRAMP works with governments, visit our Governments page.

Providers

For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.