RAMP Requirements By State

You know of FedRAMP, but did you know that there are state-level RAMPs on top of the federal one? The “RAMP” landscape has shifted from a federal-only domain into a multi-layered ecosystem. If you are a technology provider, the map of the United States is no longer just 50 states; it’s a patchwork of security jurisdictions. This is similar to the privacy landscape, where 20 states have 20 different privacy laws and requirements to comply with. The fines for not complying can get really expensive, as our coverage of multi-million dollar fines and lawsuits has shown.

The transition from the monolithic FedRAMP to state-specific programs like TX-RAMP and the consortium-led GovRAMP (formerly StateRAMP) represents the most significant shift in public-sector procurement in a decade.

The “Balkanization” of Cloud Security

For years, the federal government had a monopoly on cloud security standards. If you were “FedRAMP Authorized,” you were considered safe enough for everyone. But as we enter 2026, that “one size fits all” era is dead.

The Rise of the Sovereign State

States like Texas and California realized that waiting for federal authorization—which can take years and cost millions—wasn’t just a bottleneck for vendors; it was a risk to the state. When a school district or a state health agency needs a new AI tool or data platform, they can’t wait two years for a federal “Authority to Operate” (ATO).

This led to the “Sovereign RAMP” movement. Texas’s TX-RAMP was the first major shot across the bow. By creating their own statutory requirement, Texas effectively said, “We trust our own auditors more than the federal ones.”

The GovRAMP Consolidation

The industry’s greatest fear was a 50-state nightmare where every capital had its own unique checklist. This fear gave birth to GovRAMP. By 2025, the organization (formerly StateRAMP) rebranded to reflect its new status as the “State and Local” standard.

GovRAMP acts as a clearinghouse. It allows a vendor to undergo one audit and then “passport” that security badge to over 25 participating states and hundreds of local governments. It is the middle ground between the extreme rigor of FedRAMP and the localized control of TX-RAMP.

25 State GovRAMP Requirements

We are now in the age of Continuous Compliance. Compliance is no longer a “one and done” certificate you hang on the wall. With the integration of AI-driven monitoring required by most state RAMPs, vendors must prove their security posture every single day. The “compliance tax” is real, but it has created a floor for cybersecurity that has significantly reduced successful ransomware attacks against state agencies this year.

The Master List: Every “RAMP” and State Standard (2026)

As of early 2026, here is the breakdown of the formal programs you must navigate.

1. The Federal “Gold Standard”

  • FedRAMP: Controlled by the GSA. Mandatory for all Executive Branch federal agencies. It remains the most expensive and time-consuming program, but offers the highest level of reciprocity for all other programs.

2. The “Sovereign” State Programs (Unique Requirements)

These states operate their own distinct portals or legislative frameworks.

  • TX-RAMP (Texas): Mandatory for all Texas state agencies and higher education.

    • Level 1: Low risk/Public data.

    • Level 2: Confidential/Regulated data.

  • CA-RAMP / CalSecure (California): Managed by the California Department of Technology (CDT). While they work closely with GovRAMP, California maintains a unique “Cloud Services Assessment” (SIMM 141) that is required for any new state cloud project.

  • AZRAMP (Arizona): Currently in a transition phase. Arizona was the first to have its own program, but as of July 2026, all new and renewal contracts in Arizona must align with GovRAMP or FedRAMP standards.

3. The GovRAMP Consortium (Standardized States)

These states do not have their own unique “RAMP” name (e.g., they don’t call it “NC-RAMP”). Instead, they have officially adopted GovRAMP as their mandatory or preferred verification standard.

| Region | States Officially Using GovRAMP/StateRAMP Standards (2026) |
| --- | --- |
| Newest Members | North Carolina (Mandatory by April 2027), Arizona (Full transition), Maryland |
| South | Georgia, Florida, Arkansas, Alabama, Oklahoma |
| Midwest | Indiana, Michigan, Illinois (Comptroller), Ohio, Missouri |
| West | Utah, Colorado, Washington (Pilot), Alaska |
| Northeast | Massachusetts, Connecticut, Maine, Vermont |

4. States with “RAMP-Equivalent” Policies

These states haven’t joined a consortium but have passed laws requiring NIST 800-53 or FedRAMP-level security for cloud vendors:

  • New York: Follows NYS-P03-002; essentially requires a RAMP-like audit for high-impact systems.

  • Virginia: Heavily reliant on the VITA (Virginia IT Agency) security framework, which mirrors many GovRAMP controls.
