
Compliance crosswalk · StateRAMP

StateRAMP (US state government) - email + domain controls, mapped to Wiredepth

Framework version: Authorisation programme launched 2021, NIST 800-53 Rev. 5-based baselines updated 2023-2024

Who this is for. Cloud service providers (CSPs) selling to US state + local government agencies via the StateRAMP authorisation programme. StateRAMP mirrors FedRAMP's baselines (Low / Moderate / High impact) but is run independently by the StateRAMP Project Management Office for state, local, and education (SLED) market authorisation. Many states now require StateRAMP authorisation for cloud procurements above a dollar threshold.

Relationship to FedRAMP. The control baselines are derived from NIST SP 800-53 Rev. 5 (same source) but with state-specific parameterisation. A CSP with active FedRAMP authorisation can pursue StateRAMP equivalency through a reciprocity track. Most CSPs targeting both pursue FedRAMP first + use the StateRAMP Fast Track program for state-level authorisation.

Where email + domain controls fit. Same NIST 800-53 control families as FedRAMP. See /compliance/fedramp for the detailed control mapping; the clauses below highlight the StateRAMP-specific elements + the email-channel surfaces state agencies test most often.

Clause-by-clause mapping

Each row maps a specific StateRAMP requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Columns: Clause (with surface category) / Requirement / Wiredepth response

AU-2 / AU-12 Audit + accountability (NIST 800-53 Rev. 5) - Monitoring
Requirement: Generate audit records for security-relevant events. Audit records must include sufficient detail for after-the-fact investigation. StateRAMP Moderate + High specify additional retention parameters.
Wiredepth response: Audit-log Merkle chain (see /docs/verify) provides tamper-evident audit records meeting the integrity property StateRAMP 3PAOs look for. The public anchor + verifier are independent-of-Wiredepth evidence.

SC-7 Boundary protection - Transport
Requirement: Monitor + control communications at external system boundaries. Email is an external-boundary protocol for state-government systems.
Wiredepth response: MX + MTA-STS + DNS posture monitoring document the boundary-protection control for the email channel. Spoofability checker is the testing artefact a StateRAMP assessor expects.

SC-8 Transmission confidentiality + integrity - Transport
Requirement: Protect the confidentiality + integrity of transmitted information. For email: TLS 1.2 or higher on every transit hop. StateRAMP High prefers TLS 1.3.
Wiredepth response: TLS analyser reports the negotiated protocol version + cipher per domain. Per-port testing covers submission / relay / delivery. Deprecated-algorithm detection flags TLS 1.0/1.1, RC4, 3DES that a StateRAMP assessor would treat as a finding.

IA-2 / IA-5 Authentication + authenticator management - Authentication
Requirement: Authenticate users + systems before access. For email: sender-authentication controls (SPF, DKIM, DMARC) at the domain layer.
Wiredepth response: DMARC enforcement + DKIM analyser cover the per-domain authentication controls. Scorecard PDF is the per-domain artefact for the SSP (System Security Plan).

IR-4 / IR-6 Incident response + reporting - Reporting
Requirement: Implement an incident-handling capability. Report incidents to designated authorities. State-level incident reporting often includes notification to the state CISO + (for serious incidents) to CISA.
Wiredepth response: Incident-readiness workpaper documents the response plan + the notification path. Webhook + SIEM forwarding routes Wiredepth detections to the state-SOC pipeline that triggers notification.

SI-4 System monitoring - Monitoring
Requirement: Monitor the system to detect attacks + indicators of attack + unauthorised connections.
Wiredepth response: Continuous TLS + DMARC + DNS + threat-intel monitoring with alerting routes to the SOC pipeline. CT-log monitoring catches certificates issued for the domain that the agency did not authorise.

SR-2 / SR-3 Supply chain risk management - Inventory
Requirement: Maintain a supply chain risk management plan + implement supply-chain controls. Includes vendors providing email transport, marketing automation, transactional senders.
Wiredepth response: Vendor consolidation audit enumerates every authorised email sender as a supply-chain component. Per-vendor posture grade quantifies the risk for the SCRM plan + the StateRAMP SSP supply-chain section.

StateRAMP impact-level selection - Inventory
Requirement: Authorisation level (Low / Moderate / High) depends on the impact of a confidentiality / integrity / availability compromise on the state agency. Email communications to constituents are typically Moderate or higher.
Wiredepth response: Per-domain posture history + alerting cadence scale with impact level. Pro+ tier hourly scanning + Power-User-tier brand watchlist + leak-site monitoring are the StateRAMP-Moderate-and-above signal layers.

Continuous monitoring (ConMon) deliverables - Reporting
Requirement: Authorised CSPs must submit monthly + quarterly continuous-monitoring deliverables to the StateRAMP PMO. Includes scan output, POA&M updates, and incident reports.
Wiredepth response: Scheduled compliance PDF delivery feeds directly into the ConMon submission cadence. Per-domain posture sampled monthly is the email-channel ConMon evidence StateRAMP examiners expect.

What auditors actually look at

A StateRAMP 3PAO reviewing the email + domain surface would typically request:

  • The SSP entries for SC-7, SC-8, SI-4, SR-2, SR-3 with implementation evidence + StateRAMP-baseline parameter values
  • Sampled audit-log entries with chain verification across the assessment window
  • Supply-chain register of authorised email senders + their assessed risk levels
  • Continuous-monitoring submission history for the previous 12 months
  • The incident-response plan + sampled state-CISO / CISA notification records

Generate a StateRAMP-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + a StateRAMP README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).

Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.