StateRAMP Procurement Trends

As governments are now functioning with more digital data and systems than ever before, they are at an increasing risk for cybersecurity attacks from groups and individuals. State government websites and data are the target of hackers and bad actors. States have responded by bolstering their cybersecurity defense systems and establishing specialized cybersecurity offices to guide and implement cyber strategy. With cyber threats only escalating, StateRAMP may be an asset to a government’s cyber defense strategy.

What is StateRAMP?

StateRAMP is a 501(c)6 non-profit member organization that provides a standardized approach to security criteria and best practices for cybersecurity compliance. Modeled after the federal program FedRAMP, StateRAMP was established in 2021 to provide standards and controls for SLED governments and service providers. StateRAMP utilizes the NIST 800-53 framework established by the National Institute of Standards in Technology as the basis for its requirements. This framework is continuously updated to provide security guidelines for cloud computing to reduce the risk of cyber-attacks on critical infrastructure.

The member organization is quickly growing as its mission gains traction. StateRAMP currently has 350 government individual members, 150 provider members, and 25 participating government members. Due to the relative newness of the organization, the data is limited. However, the data is anticipated to grow as the organization gains popularity.

If you are interested in learning more about StateRAMP, visit here.

Market Analysis:

The Market Analysis team has conducted research utilizing GovWin IQ bid volumes from 2021 through Q1 2023 to measure the distribution of bids among states using the keywords “StateRAMP,” “FedRAMP,” and “NIST 800-53.”

As mentioned previously, the StateRAMP program is relatively new and still growing, therefore the data is limited. As we can see from the data, the program is gaining momentum. In 2021, a mere 24 bids were released with the keyword “StateRAMP.” In 2022, over one-hundred bids were released, more than four times the previous year. As of Q1-2023, 76 bids have been released, with three quarters left in the year the count has already far exceeded 2021 levels and nearly matched 2022. The states with the greatest number of bids were Texas, Arizona, and California, respectively.

The distribution of bids released since 2008 with the keyword “NIST 800-53” can be seen in the graph below. California had the greatest number of bids, with a total of 414 bids all time.  North Carolina and Minnesota followed close behind with 395 and 328 bids, subsequently.  

Additionally, we can see from the data below that SLED bids with the keyword “FedRAMP” have steadily increased since 2012. In 2022, 1,412 bids were released with this keyword. Since 2012, Texas has released 791 bids, with California, North Carolina, and Minnesota trailing closely behind.

Overall, bid volumes with the keywords, “StateRAMP,” NIST 800-53,” and “FedRAMP” have demonstrated progressive growth since 2014.  The data below combines all three keywords to amplify the increasing necessity of cybersecurity controls and standards for cloud service providers doing business with government entities. 

As data breaches continue to rise, protecting sensitive information is at the top of the agenda for SLED governments. As states' desire to strengthen their cybersecurity defenses and systems accelerate, StateRAMP authorization will likely become increasingly attractive for SLED governments purchasing cloud services.