StateRAMP Compliance: The Definitive Guide to Cloud Security Verification for State and Local Government

StateRAMP (the State Risk and Authorization Management Program) is a nonprofit organization that provides a standardized approach to cybersecurity verification for cloud products and services used by state and local governments across the United States. Founded in 2020 and officially launched in January 2021, StateRAMP was modeled directly after FedRAMP, the federal government's cloud...

BBB A+ Accredited Since 2003 | Founded 2002 | 2,500+ Clients | CMMC Registered Practitioner Organization

Three Security Categories

Complete breakdown of StateRAMP Categories 1, 2, and 3, mapped to NIST 800-53 Low and Moderate baselines with approximate control counts.

FedRAMP Reciprocity

Leverage existing FedRAMP authorization for expedited StateRAMP verification in 4 to 8 weeks instead of months.

30+ State Coverage

Access to over 90,000 state and local government entities across the 30+ states that have formally adopted StateRAMP verification.

60% Faster Preparation

PTG uses its private AI fleet to accelerate StateRAMP assessment preparation, automating control mapping and gap analysis.

Why StateRAMP Matters for Cloud Providers and Government Agencies

State and local governments collectively spend over $120 billion annually on information technology, with cloud adoption accelerating year over year. Unlike the federal government, which has a centralized authorization program through FedRAMP, state and local procurement has historically been fragmented. Each state, county, city, school district, and special-purpose district made its own determination about whether a cloud product met adequate security standards. The result was inconsistency: a CSP authorized by one state might be rejected by another for failing a different checklist, even though both were evaluating the same product against similar security concepts.

StateRAMP solves this problem by providing a uniform security verification framework grounded in NIST standards. When a cloud product achieves StateRAMP verification, participating government entities can rely on that verification rather than conducting their own assessments. This benefits both sides of the procurement equation:

  • For government agencies: StateRAMP reduces the security evaluation burden on already-stretched IT teams, provides confidence that verified products meet established security baselines, and enables faster procurement timelines.
  • For cloud service providers: A single StateRAMP verification replaces dozens of individual state and local security assessments, reducing sales cycle friction and opening doors to the broader public sector market.
  • For taxpayers: Standardized verification eliminates redundant spending across government entities and raises the overall security posture of public sector technology infrastructure.

PTG's compliance advisory practice guides CSPs through the StateRAMP process from initial gap assessment to post-authorization continuous monitoring. Craig Petronella, a CMMC Registered Practitioner, Licensed Digital Forensic Examiner (#604180), and holder of an MIT Artificial Intelligence Certificate, leads PTG's compliance team with 23+ years of cybersecurity experience across NIST, FedRAMP, and state-level compliance frameworks.

StateRAMP Security Categories: Understanding the Three Tiers

StateRAMP organizes its security requirements into three categories based on the sensitivity of the data a cloud product processes, stores, or transmits. These categories align with the FIPS 199 categorization methodology used by NIST SP 800-53 and FedRAMP, ensuring consistency across federal and state-level cloud security programs.

| Security Category | NIST 800-53 Baseline | Approximate Control Count | Typical Use Cases |
|---|---|---|---|
| Category 1 (Low Impact) | 800-53 Low baseline | 156 controls | Public-facing websites, non-sensitive data, informational systems |
| Category 2 (Moderate Impact) | 800-53 Moderate baseline | 325 controls | PII, tax records, student data, general government operations |
| Category 3 (Moderate+ Impact) | 800-53 Moderate baseline + additional controls | 325+ controls with enhanced parameters | Criminal justice data (CJIS), health data, financial data requiring heightened protection |

Category 2 accounts for the majority of StateRAMP verifications because most state and local government cloud workloads involve personally identifiable information (PII) or other controlled data that falls within the Moderate impact level. Category 3 adds enhanced controls on top of the Moderate baseline to address workloads with heightened sensitivity, such as CJIS-regulated criminal justice information or protected health information subject to HIPAA requirements.

PTG uses its proprietary AI fleet, including on-premise large language models running on custom GPU infrastructure, to automate control mapping across StateRAMP categories. When a CSP needs to determine the correct category for its product, PTG's AI-powered tools analyze the data types processed and generate a preliminary categorization report in hours rather than weeks. This is one of the capabilities that sets PTG apart: no other firm in the Raleigh-Durham Triangle operates its own private AI infrastructure for compliance automation.

How StateRAMP Builds on NIST SP 800-53 Rev. 5

StateRAMP's technical foundation is NIST SP 800-53 Revision 5, the same master control catalog that underpins FedRAMP, FISMA, and numerous other federal and state compliance programs. This alignment is deliberate: StateRAMP was designed so that cloud providers with existing FedRAMP authorizations could leverage their investments rather than starting from scratch.

The relationship works as follows:

  • Same control catalog: StateRAMP draws its control requirements from the 20 control families in NIST SP 800-53 Rev. 5, covering areas such as access control (AC), audit and accountability (AU), incident response (IR), system and communications protection (SC), and risk assessment (RA).
  • Same baselines: StateRAMP's Category 1, Category 2, and Category 3 map to the Low and Moderate baselines defined in NIST SP 800-53B, which specifies control baselines for federal information systems.
  • FedRAMP reciprocity: A cloud provider that already holds a FedRAMP Authorization to Operate (ATO) can achieve StateRAMP verification through an expedited process, since the FedRAMP assessment already covers the same NIST 800-53 controls at equal or higher rigor.
  • StateRAMP-specific requirements: While StateRAMP uses NIST 800-53 baselines, it adds its own policies around continuous monitoring reporting frequency, snapshot assessments, and verification status transitions that are tailored to the state and local government context.

Understanding this NIST 800-53 foundation is critical for any CSP pursuing StateRAMP. Organizations that have already implemented controls for NIST CSF 2.0, SOC 2, or other NIST-derived frameworks will find significant overlap with StateRAMP requirements. PTG's patented compliance tools automate the crosswalk between these frameworks, identifying which controls are already satisfied and which gaps remain, a process that saves weeks of manual analysis. Call 919-348-4912 to schedule a free compliance gap assessment and learn how much of the StateRAMP journey your organization has already completed.

StateRAMP Verification Statuses: Ready, Provisional, and Authorized

StateRAMP assigns verification statuses to cloud products based on their progress through the assessment process. Each status represents a different level of assurance and appears on the StateRAMP Authorized Product List, which government agencies consult during procurement.

StateRAMP Ready

A product achieves "StateRAMP Ready" status after an accredited Third-Party Assessment Organization (3PAO) completes a readiness assessment and confirms that the CSP has implemented the core security controls and has a credible plan for achieving full authorization. This status signals to government buyers that the product is on a verified path toward authorization. Many CSPs pursue Ready status as a first milestone because it provides procurement visibility while the full assessment is underway.

StateRAMP Provisional

Provisional status indicates that the 3PAO has completed the full security assessment and the CSP has demonstrated implementation of the required controls, but some Plan of Action and Milestones (POA&M) items remain open. The CSP has committed to resolving these items within defined timelines. Government agencies can procure Provisional products with the understanding that certain remediation activities are in progress.

StateRAMP Authorized

Authorized is the highest verification status. It means the 3PAO assessment is complete, all critical and high-risk POA&M items have been resolved, and the StateRAMP Approvals Committee has reviewed and approved the security package. Authorized products have met all applicable NIST 800-53 controls for their security category and demonstrated operational compliance.

PTG prepares organizations for each stage of the verification process. Our approach is to target the Authorized status from day one, building the security controls and documentation to the full standard rather than settling for interim designations. Craig Petronella's background as an Amazon #1 Best-Selling Author of 14+ cybersecurity books, combined with Cisco CCNA and CWNE certifications, ensures that PTG's guidance covers both the governance documentation and the technical infrastructure required for authorization.

The StateRAMP Authorized Product List

The StateRAMP Authorized Product List is the public registry of all cloud products that have achieved Ready, Provisional, or Authorized status. Government procurement officials consult this list to identify cloud products that meet verified security standards. The list includes the product name, the CSP, the security category, the current verification status, and the date of the most recent assessment.

For cloud providers, appearing on the Authorized Product List is the primary business outcome of the StateRAMP process. It eliminates the need to respond to individual security questionnaires from each government buyer and serves as a trusted signal that the product meets established cybersecurity standards. As more states adopt StateRAMP requirements in their procurement policies, the Authorized Product List becomes an increasingly important gateway to the state and local government market.

3PAO Assessment Requirement

StateRAMP requires that all security assessments be conducted by an accredited Third-Party Assessment Organization (3PAO). These are the same organizations that conduct FedRAMP assessments, accredited by the American Association for Laboratory Accreditation (A2LA) under ISO/IEC 17020 requirements. This shared assessor pool ensures consistency between federal and state-level cloud security evaluations.

The 3PAO assessment includes:

  • Control testing: Verification that each required NIST 800-53 control is implemented and operating effectively
  • Vulnerability scanning: Automated scanning of the cloud environment to identify known vulnerabilities
  • Penetration testing: Simulated attacks to test the effectiveness of security controls in practice
  • Documentation review: Assessment of the System Security Plan (SSP), policies, procedures, and configuration guides
  • Interview validation: Conversations with key personnel to verify operational understanding and execution of security procedures

PTG is not a 3PAO, which maintains our independence and allows us to serve as an objective advisor during the assessment preparation process. Our goal is to ensure that when the 3PAO arrives, your organization achieves a clean assessment with zero or minimal findings. PTG's AI-powered tools, running on our own private GPU clusters, pre-scan your environment against the applicable StateRAMP baseline to identify gaps before the 3PAO does. This pre-assessment capability is powered by the same on-premise AI infrastructure that PTG uses for custom AI development and deployment, proving that PTG practices what it preaches about data sovereignty and private AI.

Continuous Monitoring Requirements

StateRAMP verification is not a one-time event. After achieving Authorized status, CSPs must maintain an ongoing continuous monitoring program that includes:

  • Monthly vulnerability scanning with results reported to StateRAMP
  • Annual security assessments conducted by an accredited 3PAO
  • Ongoing POA&M management with defined timelines for remediating identified vulnerabilities
  • Significant change reporting when major changes to the cloud environment affect the security posture
  • Snapshot assessments triggered by StateRAMP when new critical vulnerabilities or security events require immediate evaluation

Failure to maintain continuous monitoring requirements can result in suspension or revocation of the verification status, removing the product from the Authorized Product List. PTG provides ongoing continuous monitoring support, using our patented technology stack to automate vulnerability tracking, POA&M management, and compliance reporting. This automation reduces the operational burden on CSP teams while ensuring that reporting deadlines and remediation timelines are consistently met.

Which States Have Adopted StateRAMP

StateRAMP adoption continues to grow as more states recognize the value of standardized cloud security verification. As of March 2026, more than 30 states have formally adopted or recognized StateRAMP in some capacity. Key adoption milestones include:

  • Arizona: One of the earliest adopters, formally requiring StateRAMP verification for cloud procurements
  • Indiana: Integrated StateRAMP into its state procurement process
  • Minnesota: Accepted StateRAMP verification as evidence of cloud security compliance
  • Georgia: Adopted StateRAMP requirements for state agency cloud purchases
  • Connecticut: Recognized StateRAMP as part of its cybersecurity procurement standards
  • Virginia: Incorporated StateRAMP into cloud vendor security evaluations
  • Texas: Operates its own program (TX-RAMP) but recognizes StateRAMP reciprocity for certain categories

The trend is clear: state governments are moving toward standardized cloud security verification, and StateRAMP is the leading framework for this shift. CSPs that achieve StateRAMP authorization today position themselves ahead of the compliance curve as adoption expands to additional states and local government entities.

TX-RAMP: Texas Risk and Authorization Management Program

Texas operates its own state-specific cloud security program called TX-RAMP, managed by the Texas Department of Information Resources (DIR). Established under Texas Government Code Chapter 2054, TX-RAMP requires all cloud computing services used by Texas state agencies to achieve TX-RAMP certification at Level 1 or Level 2, depending on the confidentiality of the data involved.

| Attribute | TX-RAMP Level 1 | TX-RAMP Level 2 |
|---|---|---|
| Data Sensitivity | Non-confidential data | Confidential data |
| Assessment Basis | Self-certification questionnaire | Independent assessment against NIST 800-53 Moderate baseline |
| FedRAMP/StateRAMP Reciprocity | Not directly applicable | FedRAMP Moderate or High ATO accepted; StateRAMP Category 2 or 3 recognized |

CSPs that already hold FedRAMP or StateRAMP authorizations at the Moderate level or higher can leverage that authorization toward TX-RAMP Level 2 certification, avoiding redundant assessment work. PTG helps organizations navigate the overlap between StateRAMP, TX-RAMP, and FedRAMP to maximize the return on their compliance investment. If your organization sells cloud services to Texas state agencies, understanding the TX-RAMP requirements alongside StateRAMP is essential for efficient market access.

StateRAMP vs. FedRAMP vs. TX-RAMP vs. SOC 2: Comparison Table

| Attribute | StateRAMP | FedRAMP | TX-RAMP | SOC 2 |
|---|---|---|---|---|
| Governing Body | StateRAMP (nonprofit) | GSA / FedRAMP PMO | Texas DIR | AICPA |
| Scope | State and local government cloud | Federal government cloud | Texas state agencies cloud | Any organization (private sector focus) |
| Control Framework | NIST SP 800-53 Rev. 5 | NIST SP 800-53 Rev. 5 + FedRAMP parameters | NIST SP 800-53 (Level 2) | AICPA Trust Services Criteria (maps to 800-53) |
| Security Tiers | Category 1, 2, 3 | Low, Moderate, High | Level 1, Level 2 | Type I, Type II |
| 3PAO/Auditor Required | Yes (A2LA-accredited 3PAO) | Yes (A2LA-accredited 3PAO) | Yes (Level 2 only) | Yes (CPA firm) |
| FedRAMP Reciprocity | Yes, FedRAMP ATO accepted | N/A (is FedRAMP) | Yes, FedRAMP Moderate+ accepted | No direct reciprocity |
| Continuous Monitoring | Monthly scans, annual assessment | Monthly scans, annual assessment | Annual recertification | Audit period (typically 12 months) |
| Approximate Cost | $50,000 to $500,000+ | $500,000 to $3,000,000+ | $10,000 to $250,000 | $30,000 to $200,000 |
| Typical Timeline | 4 to 12 months | 12 to 18 months | 2 to 6 months | 3 to 9 months |
| Market Access | 30+ states, thousands of local entities | 100+ federal agencies | Texas state agencies only | Private sector, some government |

The comparison reveals an important strategic insight: organizations that invest in FedRAMP authorization gain the broadest coverage, since both StateRAMP and TX-RAMP offer reciprocity for FedRAMP-authorized products. However, for CSPs that primarily serve state and local government and do not need federal market access, StateRAMP provides a more cost-effective and faster path to verified security status. SOC 2 remains valuable as a private-sector credential but does not provide direct reciprocity with government cloud programs.

How Cloud Service Providers Can Leverage FedRAMP for StateRAMP

One of StateRAMP's most practical features is its recognition of existing FedRAMP authorizations. Cloud providers that already hold a FedRAMP ATO at the Moderate or High impact level can achieve StateRAMP verification through a streamlined process that avoids redundant assessment work.

The reciprocity process works as follows:

  1. Submit existing FedRAMP package: The CSP provides its current FedRAMP authorization documentation, including the SSP, SAR, and POA&M, to StateRAMP.
  2. StateRAMP review: The StateRAMP Approvals Committee reviews the FedRAMP package to confirm it meets StateRAMP requirements for the corresponding security category.
  3. Gap remediation (if any): If StateRAMP identifies any gaps between FedRAMP requirements and StateRAMP-specific policies (primarily related to continuous monitoring reporting), the CSP addresses those gaps.
  4. Verification granted: Upon approval, the product is listed on the StateRAMP Authorized Product List with the appropriate verification status.

This reciprocity path typically takes 4 to 8 weeks rather than the 4 to 12 months required for a full StateRAMP authorization from scratch. PTG advises CSPs on the optimal sequencing of FedRAMP, StateRAMP, and state-specific programs to minimize total compliance investment while maximizing market coverage.

Cost and Timeline for StateRAMP Authorization

The cost and timeline for StateRAMP authorization vary significantly based on the security category, the CSP's current security posture, and whether the organization holds existing certifications that provide reciprocity.

Cost Estimates

  • Category 1 (Low): $50,000 to $150,000, including 3PAO assessment fees, documentation preparation, and remediation
  • Category 2 (Moderate): $150,000 to $400,000, reflecting the broader control set and more rigorous assessment
  • Category 3 (Moderate+): $250,000 to $500,000+, due to enhanced controls and additional testing requirements
  • FedRAMP reciprocity path: $20,000 to $75,000, primarily covering the StateRAMP review and gap remediation

Timeline Estimates

  • Category 1: 4 to 6 months from gap assessment to Authorized status
  • Category 2: 6 to 12 months, depending on the number of controls requiring implementation or enhancement
  • Category 3: 8 to 14 months, reflecting the additional control requirements
  • FedRAMP reciprocity: 4 to 8 weeks

PTG's AI-powered compliance tools compress these timelines by automating the most labor-intensive phases: control mapping, documentation generation, and evidence collection. Our on-premise AI infrastructure processes your existing security documentation, identifies implemented controls, maps them to StateRAMP requirements, and generates gap analysis reports in a fraction of the time traditional consulting firms require. View PTG's compliance service packages for transparent pricing on StateRAMP readiness engagements.

Benefits of StateRAMP Verification

StateRAMP verification delivers measurable business and operational benefits for cloud service providers targeting the public sector:

  • Reduced procurement friction: A single verification replaces dozens of individual security questionnaires, shortening sales cycles by weeks or months.
  • Expanded market access: The state and local government market includes more than 90,000 entities, from state agencies to school districts to county health departments. StateRAMP verification opens the door to all participating entities simultaneously.
  • Competitive advantage: As more states adopt StateRAMP requirements, CSPs without verification face increasing barriers to government contracts. Early adopters gain market share before verification becomes table stakes.
  • Strengthened security posture: The NIST 800-53 controls required for StateRAMP improve overall security, reducing the risk of breaches that damage reputation and revenue.
  • Framework stacking: StateRAMP controls overlap significantly with FedRAMP, SOC 2, ISO 27001, and NIST CSF 2.0. Achieving StateRAMP verification accelerates compliance with these additional frameworks.
  • Ongoing compliance assurance: StateRAMP's continuous monitoring requirements ensure that security controls remain effective over time, not just at the point of initial assessment.

How StateRAMP Differs from FedRAMP in Scope and Governance

While StateRAMP was modeled after FedRAMP and shares its NIST 800-53 foundation, several key differences distinguish the two programs:

| Dimension | StateRAMP | FedRAMP |
|---|---|---|
| Governing Authority | Nonprofit organization (StateRAMP, Inc.) | Federal agency (GSA, codified by the FedRAMP Authorization Act) |
| Legal Mandate | Voluntary for states; adopted by individual state legislation or policy | Required for all cloud services processing federal data |
| Target Market | State and local government (90,000+ entities) | Federal government (100+ agencies) |
| Authorization Authority | StateRAMP Approvals Committee | JAB or individual agency Authorizing Official |
| Cost Range | $50,000 to $500,000 | $500,000 to $3,000,000+ |
| Highest Security Tier | Category 3 (Moderate+) | High (421 controls) |

The most significant practical difference is cost and complexity. StateRAMP was intentionally designed to be more accessible than FedRAMP, recognizing that many CSPs serving state and local government are small and mid-size businesses that cannot absorb the cost and timeline of a full FedRAMP authorization. This aligns directly with PTG's mission to make enterprise-grade cybersecurity and compliance accessible to SMBs. PTG's patented tools and AI-powered workflows bring FedRAMP-level rigor to the StateRAMP process at a fraction of the cost traditional consulting firms charge.

PTG's Approach to StateRAMP Readiness

Petronella Technology Group provides end-to-end StateRAMP readiness services designed specifically for small and mid-size cloud providers. PTG's approach combines deep NIST expertise with AI-powered automation to deliver faster, more cost-effective compliance outcomes.

Phase 1: Gap Assessment and Categorization

PTG begins every StateRAMP engagement with a comprehensive gap assessment. Our team evaluates your current security posture against the applicable StateRAMP category, identifies existing controls that satisfy StateRAMP requirements, and maps the gaps that need to be addressed. PTG's AI tools automate the control mapping process, cross-referencing your existing NIST, SOC 2, or ISO 27001 documentation against StateRAMP baselines.

Phase 2: Remediation and Documentation

Based on the gap assessment, PTG develops a remediation roadmap that prioritizes the highest-risk gaps while maintaining cost efficiency. Our team assists with implementing technical controls, developing required policies and procedures, and preparing the System Security Plan (SSP) that forms the centerpiece of the 3PAO assessment package. PTG's patented documentation tools generate SSP sections from structured data inputs, ensuring consistency and completeness while eliminating the manual drafting effort that traditionally consumes hundreds of hours.

Phase 3: 3PAO Assessment Preparation

PTG conducts a pre-assessment review that simulates the 3PAO evaluation, testing every control in the applicable baseline and identifying findings before the assessor does. This preparation phase is where PTG's Licensed Digital Forensic Examiner expertise proves especially valuable: when assessment findings involve incident response, evidence handling, or forensic readiness, PTG brings specialized capabilities that most compliance firms lack.

Phase 4: Continuous Monitoring Support

After achieving StateRAMP authorization, PTG provides ongoing continuous monitoring support. Our tools automate monthly vulnerability scanning, POA&M tracking, and compliance reporting, ensuring that your verification status remains active and your product stays on the Authorized Product List. PTG's fleet infrastructure, including on-premise GPU clusters and private cloud environments, powers the continuous monitoring automation while keeping your compliance data within controlled environments.

Ready to begin your StateRAMP journey? Call 919-348-4912 or explore PTG's compliance service packages to schedule a free StateRAMP readiness assessment.

StateRAMP Compliance Checklist and Resources

PTG maintains a public StateRAMP compliance checklist on GitHub to help organizations prepare for the verification process. The checklist covers every phase of the StateRAMP journey, from initial categorization through continuous monitoring, with practical guidance for each control family.

Access the checklist: StateRAMP Compliance Checklist on GitHub

Frequently Asked Questions About StateRAMP Compliance

What is StateRAMP, and who runs it?

StateRAMP is a nonprofit organization that provides standardized cybersecurity verification for cloud products and services used by state and local governments. It is governed by a board of directors that includes state CISOs, government IT leaders, and industry representatives. StateRAMP is not a government agency; it is an independent nonprofit that state governments voluntarily adopt into their procurement processes.

Is StateRAMP required by law?

StateRAMP is not universally mandated by federal law. However, individual states have adopted StateRAMP requirements through legislation, executive orders, or procurement policy. As of March 2026, more than 30 states have formally incorporated StateRAMP into their cloud procurement processes. For CSPs selling to these states, StateRAMP verification is effectively mandatory.

How does StateRAMP relate to FedRAMP?

StateRAMP was modeled after FedRAMP and uses the same NIST SP 800-53 Rev. 5 control framework. The key difference is scope: FedRAMP covers federal agencies, while StateRAMP covers state and local government. Cloud providers with existing FedRAMP authorizations can achieve StateRAMP verification through an expedited reciprocity process that typically takes 4 to 8 weeks.

What is the difference between StateRAMP Category 1, 2, and 3?

Category 1 (Low Impact) covers non-sensitive data and requires approximately 156 NIST 800-53 controls. Category 2 (Moderate Impact) covers PII and controlled data with approximately 325 controls. Category 3 (Moderate+) adds enhanced controls on top of the Moderate baseline for data requiring heightened protection, such as criminal justice or health information. Most CSPs pursue Category 2 verification.

How long does StateRAMP authorization take?

The timeline varies by security category and current security posture. Category 1 typically takes 4 to 6 months. Category 2 takes 6 to 12 months. Category 3 takes 8 to 14 months. CSPs with existing FedRAMP authorization can achieve StateRAMP verification in 4 to 8 weeks through the reciprocity process. PTG's AI-powered tools can compress these timelines significantly.

How much does StateRAMP authorization cost?

Costs range from $50,000 to $150,000 for Category 1, $150,000 to $400,000 for Category 2, and $250,000 to $500,000+ for Category 3. These figures include 3PAO assessment fees, documentation preparation, and remediation costs. The FedRAMP reciprocity path costs $20,000 to $75,000. PTG's compliance service packages provide transparent pricing for StateRAMP readiness engagements.

Can a SOC 2 report substitute for StateRAMP verification?

No. While SOC 2 and StateRAMP share some underlying control concepts (both map to NIST 800-53), they are separate programs with different governance, assessment methodologies, and reporting structures. A SOC 2 report does not provide direct reciprocity with StateRAMP. However, organizations with SOC 2 reports will find significant control overlap that reduces the effort required for StateRAMP verification.

What happens if we fail to maintain continuous monitoring after StateRAMP authorization?

StateRAMP can suspend or revoke a product's verification status if the CSP fails to meet continuous monitoring requirements, including monthly vulnerability scanning, annual assessments, and POA&M remediation timelines. Revocation removes the product from the Authorized Product List, which can disrupt existing government contracts and prevent new procurements. PTG's continuous monitoring support services prevent this outcome by automating compliance reporting and remediation tracking.

Does StateRAMP verification help with other compliance frameworks?

Yes. Because StateRAMP is built on NIST SP 800-53 Rev. 5, the controls implemented for StateRAMP map directly to FedRAMP, FISMA, and CJIS requirements. There is also significant overlap with NIST CSF 2.0, ISO 27001, and SOC 2. PTG's control mapping tools quantify this overlap so organizations can plan a multi-framework compliance strategy that maximizes efficiency.

Petronella Technology Group, Inc. is located at 5540 Centerview Dr. Suite 200, Raleigh, NC 27606. Call 919-348-4912 or visit our compliance packages page to start your StateRAMP readiness assessment today.

Related Compliance Resources

NIST SP 800-53

The master control catalog with 1,000+ controls across 20 families that underpins most federal compliance frameworks.

FedRAMP Authorization

Federal cloud authorization framework built on NIST SP 800-53, required for cloud services used by federal agencies.

FISMA Compliance

The federal law mandating NIST standards for federal agency information security programs.

CJIS Security Policy

CJIS Security Policy for law enforcement and vendors accessing criminal justice information.

SOC 2 Compliance

SOC 2 Type I and II certification for service organizations demonstrating security controls.

NIST CSF 2.0

NIST Cybersecurity Framework 2.0 with six core functions for managing cybersecurity risk.

Framework Comparison Guide

Side-by-side comparison of 20+ compliance frameworks with industry decision matrix.

Start Your Compliance Journey Today

Petronella Technology Group, Inc.'s compliance experts are ready to assess your current posture, map your controls, build your remediation roadmap, and prepare you for a successful assessment. Schedule a free consultation today.
