
State & Local

GovRAMP, state cyber and privacy laws, municipal compliance, and the patchwork below the federal line.


States and municipalities are building their own cybersecurity regimes for vendors handling state and local data. GovRAMP (formerly StateRAMP) is the dominant cross-state framework; TX-RAMP, NY DFS Part 500, and CJIS run alongside it. This hub indexes those programs, tracks alignment (and divergence) with federal frameworks, and surfaces state-level enforcement and policy movement.

What changed in the last 30 days

  • stateramp/regulator

    GovRAMP adds five 3PAOs to assessment discount program

    GovRAMP added 360 Advanced, Data Lock Consulting Group, Lunarline, Schellman, and Securisea to its 3PAO Discount Program, bringing total participating firms to ten. The program offers up to 30% off independent security assessments, but only for providers that have completed the GovRAMP Progressing Security Snapshot or achieved GovRAMP Core verification. Founding participants A-LIGN, Prescient Security, Coalfire, Fortreum, and RISCPoint remain in the program. The discount is explicitly scoped to smaller and midsize technology vendors pursuing SLED and federal government work through GovRAMP verification.

Open questions

  • 01 Which states are next to mandate a vendor authorization regime?
  • 02 How aligned is GovRAMP's revised baseline with FedRAMP 20x?
  • 03 How do state privacy laws and CJIS interact with federal CUI handling for cross-jurisdictional vendors?

Sources we watch