What Is FedRAMP?
FedRAMP - the Federal Risk and Authorization Management Program - is the U.S. federal government's standardized program for authorizing cloud products to handle federal data. Established in 2011 and managed by GSA in partnership with CISA, NIST, DHS, and OMB, FedRAMP's job is to make sure agencies don't each have to run their own from-scratch security assessment every time they want to buy a cloud service.
A FedRAMP authorization says: this cloud product has been assessed against NIST 800-53 security controls at a defined impact level (Low, Moderate, or High), and a federal sponsor has accepted the risk of using it. Other federal agencies can then reuse that authorization package rather than reassessing the same product from scratch.
The FedRAMP authorized product list (often called the "FedRAMP Marketplace") is publicly searchable. Every federal buyer knows to check it. Increasingly, state and local buyers check it too.
What Is StateRAMP (and GovRAMP)?
StateRAMP - the State Risk and Authorization Management Program - is the state-and-local-government equivalent of FedRAMP. Launched in 2020 as a 501(c)(6) non-profit, StateRAMP took FedRAMP's NIST 800-53 control baselines, adapted them for state and local government buyers, and stood up its own authorized product list, standards, audit methodology, and membership program.
As of 2026, StateRAMP is rebranding to GovRAMP to better reflect its expanded scope across state, local, tribal, and educational government buyers. The authorization levels, control baselines, authorized product list, and procurement reciprocity are substantively the same - only the branding is changing, and StateRAMP-authorized products remain recognized under GovRAMP post-rebrand. Buyers and vendors can treat "StateRAMP" and "GovRAMP" as interchangeable during the transition period.
Some key differences from FedRAMP:
- Member-driven governance. StateRAMP is governed by its member states, cities, universities, and participating vendors. FedRAMP is governed by a federal board (the FedRAMP Joint Authorization Board and PMO).
- Two-tier authorization status. StateRAMP recognizes "Ready" (initial progress, not fully authorized) and "Authorized" (full authorization). FedRAMP is similar, with "In Process" and "Authorized," but the audit paths differ.
- Faster for already-FedRAMP vendors. A product with FedRAMP Moderate or High authorization can get into StateRAMP's authorized product list via the StateRAMP Fast Track, without a separate full audit - a reciprocity path that is explicitly designed to avoid duplicate work.
StateRAMP vs. FedRAMP: Side by Side
At the ten-thousand-foot level, the two programs are aligned by design. Where they differ is audience, governance, and the specifics of how reciprocity works.
| Dimension | FedRAMP | StateRAMP (GovRAMP) |
|---|---|---|
| Audience | Federal agencies | State, local, tribal, educational (SLED) |
| Governance | Federal (GSA, JAB, PMO) | Member-driven non-profit 501(c)(6) |
| Control baseline | NIST SP 800-53 | NIST SP 800-53 (aligned, slight variations) |
| Impact levels | Low, Moderate, High | Low, Moderate, High (+ Category 1/2/3 tiering) |
| Authorization status | In Process / Authorized | Ready / Authorized |
| Authorized list | FedRAMP Marketplace (public) | StateRAMP Authorized Product List (public) |
| Audit firm (3PAO) | FedRAMP-accredited 3PAO | StateRAMP-recognized 3PAO (overlapping) |
| Reciprocity | DoD ATOs, select others | FedRAMP Mod/High → StateRAMP Fast Track |
| Annual continuous monitoring | Required | Required |
| Cost to vendor | $400K-$1M+ for Mod; $1M-$2M+ for High | Lower than FedRAMP, varies by path |
| Timeline to authorization | 9-24 months | 6-15 months (longer for new-to-cloud vendors) |
The structural takeaway: if you're a state agency, StateRAMP (GovRAMP) is designed for you, but any product already FedRAMP-authorized at Moderate or higher should clear your StateRAMP bar too through reciprocity.
Impact Levels: Low, Moderate, High
Both programs use the same FIPS 199 impact model - confidentiality, integrity, and availability scored as Low, Moderate, or High based on what happens if the system is compromised.
Low
Systems where a breach would result in limited adverse effect on agency operations. Very few AI tools operate at Low, because AI systems almost always handle PII, PHI, or government-sensitive data that pushes them to Moderate at minimum.
Moderate
The sweet spot for AI voice agents handling PII/PHI, tax data, health data, Medicaid member records, or other sensitive-but-not-classified information. FedRAMP Moderate requires implementing ~325 NIST 800-53 controls plus continuous monitoring. The StateRAMP Moderate control baseline aligns with the FedRAMP Moderate baseline.
High
For systems handling national security information, law enforcement operational data, or life-safety-critical workloads. FedRAMP High requires ~420 NIST 800-53 controls. Required for some VA workloads, federal law enforcement AI, and certain CJIS-overlapping deployments.
For most state agency AI deployments - Medicaid, unemployment, DMV, constituent services, behavioral health - Moderate is the right target. High is overkill and typically reserved for federal contexts.
FedRAMP for AI: What's Different
AI voice agents introduce compliance considerations that were not designed into FedRAMP's original control set. The community has been actively addressing this, and there's now a specific track for AI:
- FedRAMP AI prioritization. FedRAMP has established a prioritization framework for AI tools to accelerate authorization for high-demand AI capabilities (LLMs, voice agents, code generation, document processing). This is the fastest path for AI-specific products.
- OMB M-24-10 and successors. OMB guidance on federal AI use - including requirements for AI risk management, impact assessments, and pre-deployment review - layers on top of FedRAMP authorization. Agencies increasingly require both FedRAMP authorization AND a documented AI impact assessment before deployment.
- NIST AI Risk Management Framework (AI RMF). Not technically required for FedRAMP, but commonly referenced in AI-specific RFPs. Vendors that document their controls against NIST AI RMF alongside FedRAMP controls are better positioned.
- Model supply chain. For AI voice agents that rely on foundation models (OpenAI, Anthropic, Google, etc.), the model provider's own authorization matters. Several foundation model providers have achieved FedRAMP High or are in process. Vendors selling into federal/state need to disclose their model supply chain and the authorization posture of each sub-processor.
- Data residency for training and inference. FedRAMP-authorized AI products must keep inference data (the actual caller conversations) inside FedRAMP-authorized boundaries. Training data is a separate question - but at minimum, inference boundaries are enforced and audited.
- Audit and explainability controls. AI-specific controls for decision logging, prompt/response capture, and human-in-the-loop oversight are increasingly built into FedRAMP authorization packages for AI products.
Buyers searching "fedramp ai tools," "fedramp authorized ai," "fedramp ai models," or "fedramp approved ai tools" are typically trying to answer one practical question: can I buy this today without separate ATO work? The answer is yes for FedRAMP-authorized products, usually with a sponsor agency still performing a lightweight ATO inheritance step.
Reciprocity: How StateRAMP Recognizes FedRAMP
This is the single most important operational fact for state buyers. A FedRAMP Moderate or High-authorized product can be placed on the StateRAMP Authorized Product List via the StateRAMP Fast Track. No separate full audit. The vendor submits its FedRAMP authorization package, StateRAMP performs a delta review, and the product enters the StateRAMP list.
Practical implications:
- If your state RFP requires StateRAMP and a vendor responds with "FedRAMP Moderate Authorized," that vendor is substantively compliant with your requirement through the Fast Track path. Your procurement should accept FedRAMP authorization as equivalent unless your state has specifically carved out a StateRAMP-only requirement.
- If your RFP requires FedRAMP and a vendor responds with "StateRAMP Authorized only," that is not reciprocity in the other direction. FedRAMP does not accept StateRAMP authorization as a substitute. State-only-authorized products need a separate FedRAMP path.
- Vendors with both (common for enterprise AI platforms) cover the broadest buyer universe with the least friction.
- Other adjacent authorizations - DoD IL4/IL5, TxRAMP (Texas), AzRAMP (Arizona) - exist and have their own reciprocity paths. When in doubt, ask the state CISO or procurement office which authorizations they recognize.
The Authorization Process
Here's what "how to get FedRAMP authorized" actually looks like end to end. The StateRAMP process is parallel and slightly faster on the audit side.
Step 1: Identify a Sponsor
FedRAMP authorization starts with a federal agency sponsor. The agency's CISO or ATO authorizing official agrees to sponsor the authorization, accepting risk on behalf of the federal enterprise. Without a sponsor, the authorization cannot proceed.
Step 2: Select Impact Level and 3PAO
Vendor and sponsor agree on the FedRAMP impact level (Moderate is most common for AI). The vendor engages a FedRAMP-accredited Third Party Assessment Organization (3PAO) to perform the independent assessment.
Step 3: Implement and Document Controls
The vendor implements the NIST 800-53 controls at the chosen baseline and produces the System Security Plan (SSP) - a several-hundred-page document describing how each control is implemented.
Step 4: 3PAO Assessment
The 3PAO independently tests the control implementations, produces a Security Assessment Report (SAR), and identifies any residual risks as Plan of Action and Milestones (POA&M) items.
Step 5: Authorization Package Review
FedRAMP PMO and the sponsoring agency review the full authorization package (SSP + SAR + POA&M + supporting artifacts) and issue an Authority to Operate (ATO) if risks are acceptable.
Step 6: Continuous Monitoring (ConMon)
After authorization, the vendor operates in continuous monitoring mode - monthly scans, quarterly reporting, annual reassessments. This is the phase that never ends.
Total timeline for a new cloud product pursuing FedRAMP Moderate: 12-24 months. StateRAMP Moderate tends to run 6-15 months depending on path and whether FedRAMP reciprocity is in play.
What State Buyers Should Actually Require
The practical procurement guidance for a state agency CIO or procurement officer considering AI voice agents:
- Require at minimum StateRAMP Moderate or FedRAMP Moderate for any AI handling PHI, PII, Medicaid data, UI claimant data, or other sensitive state records.
- Accept reciprocity. Write your RFP so that FedRAMP Moderate satisfies the StateRAMP Moderate requirement. Do not force duplicate authorization unless your state has a specific legal/regulatory carve-out that requires it.
- Require a current Authorization-to-Operate letter. Not "in process," not "plan to be authorized by Q3." Current. Verify the vendor appears on the FedRAMP Marketplace or StateRAMP Authorized Product List as "Authorized" (not "Ready" or "In Process").
- Require continuous monitoring artifacts. Annual reassessment reports, monthly scan summaries, POA&M closeout evidence. An authorization without active ConMon is a stale authorization.
- Ask for the NIST AI RMF overlay. Require vendors to document controls against the NIST AI RMF in addition to NIST 800-53. This catches AI-specific risks that 800-53 was not designed for.
- Require sub-processor disclosure. Every cloud provider, LLM provider, transcription service, SMS provider, and payment processor in the data path. Each of these is a potential weak link; each should have its own authorization posture.
- Require BAAs for any workload handling PHI. BAA must cover AI platform and all sub-processors. No exceptions.
- Insist on US-only data residency. Inference data (call content, transcripts, customer data) stored and processed only inside FedRAMP/StateRAMP-authorized boundaries in the US.
- Require audit log access. Your agency's security team should be able to query AI call logs, decision logs, and access logs for audit purposes with full granularity.
Vendor Evaluation Checklist
When an AI vendor responds to your RFP, this is what to verify line by line:
- Listed on FedRAMP Marketplace as "Authorized" at Moderate or higher (link and package ID)
- Listed on StateRAMP Authorized Product List (if required) with status "Authorized"
- Current 3PAO annual assessment report (dated within last 12 months)
- Documented alignment with NIST AI RMF (Map, Measure, Manage, Govern)
- Sub-processor list with each sub-processor's authorization posture
- Executed BAA covering AI platform + all sub-processors
- Written data residency commitment (US-only, specific regions)
- Incident response SLA and breach notification process
- ADA / Section 508 accessibility documentation
- Section 1557 language access plan (if healthcare)
- Escalation and human-in-the-loop controls documented
- Audit log export capability with your agency's SIEM
- Exit and data-portability provisions in the contract
Frequently Asked Questions
What is the difference between StateRAMP and FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is the U.S. federal government's standardized security authorization program for cloud products. StateRAMP is the state-and-local equivalent - a non-profit membership organization that adapts FedRAMP's NIST 800-53 control baselines for state, local, and education buyers. Both programs run Low, Moderate, and High impact levels. Both produce authorized product lists. StateRAMP recognizes FedRAMP Moderate/High authorizations through the StateRAMP Fast Track, so a vendor already FedRAMP-authorized does not typically need a separate StateRAMP audit.
Is StateRAMP the same as GovRAMP?
As of 2026, StateRAMP is in the process of rebranding to GovRAMP to better reflect its scope across state, local, tribal, and educational government buyers. The authorization process, control baselines, and authorized product list are substantively the same - only the branding is changing. StateRAMP-authorized products remain recognized under GovRAMP post-rebrand.
Do AI voice agents need FedRAMP or StateRAMP authorization?
It depends on the buyer. Federal agencies procuring AI voice agents that handle federal data typically require FedRAMP Moderate authorization at minimum (FedRAMP High for sensitive workloads). State agencies increasingly require StateRAMP Moderate for AI deployments handling state data or PHI, though many still accept FedRAMP Moderate under reciprocity. Local and educational buyers vary, with some requiring StateRAMP Ready at a minimum for cloud-based AI tools. Most enterprise-grade AI platforms (including BetaQuick) build to the FedRAMP Moderate baseline and pursue both authorizations through the Joint Authorization Board (FedRAMP) and StateRAMP Fast Track.
Can we accept a FedRAMP-authorized AI in a StateRAMP-required RFP?
Yes. StateRAMP's Fast Track explicitly recognizes FedRAMP Moderate and High authorizations. A product listed on the FedRAMP Marketplace as "Authorized" at Moderate or higher can be accepted as satisfying a StateRAMP requirement, provided the vendor is also listed on the StateRAMP Authorized Product List via Fast Track or has submitted for Fast Track acceptance.
How long does FedRAMP authorization take, and how much does it cost?
New cloud products typically take 12-24 months to achieve FedRAMP Moderate authorization. Costs run $400K-$1M+ for Moderate and $1M-$2M+ for High, including 3PAO fees, staff time, and control implementation. StateRAMP tends to run 6-15 months and lower cost, especially when FedRAMP reciprocity is in play. These are ballpark industry figures; actual numbers vary significantly by product complexity and prior security maturity.
Procuring AI for Your State Agency?
BetaQuick deploys AI voice agents aligned to FedRAMP Moderate control baselines with sub-processor disclosure, BAAs in place, and state cooperative procurement through Texas DIR DIR-CPO-6057. If you're scoping a StateRAMP-required RFP, we can provide compliance documentation for evaluation.