
State Programs Index

StateRAMP, TX-RAMP, NY DFS Part 500, CJIS, and the patchwork of state cyber compliance programs.


Beyond CMMC, individual states are establishing their own cybersecurity assessment regimes for vendors handling state and municipal data. This hub indexes those programs, tracks the slow convergence with federal frameworks, and surfaces enforcement and policy movement.

What changed in the last 30 days

  • stateramp/regulator

    GovRAMP Policy Papers Push OMB-Led Reciprocity for Cybersecurity Frameworks

    GovRAMP released two publications on April 16 calling for harmonization of overlapping federal and state cybersecurity frameworks built on NIST SP 800-53. The policy white paper identifies OMB-led reciprocity anchored in shared baselines as the highest-impact near-term action. State, local, tribal, and territorial governments are most affected by duplicated compliance efforts and delayed procurement. No rulemaking is proposed; the publications are recommendations intended to support coordinated execution under existing authority.

  • stateramp/regulator

    11 states adopt GovRAMP to cut redundant vendor security reviews

    Arizona, Indiana, Massachusetts, Minnesota, Nevada, New Hampshire, North Carolina, North Dakota, Oregon, Texas, and Utah are using GovRAMP to streamline vendor security assessments and reduce duplicative reviews in cloud procurement, according to an April 22 GovRAMP roundup. Nevada will require GovRAMP-based vendor security evaluations beginning July 1, 2026. The program gives state CIOs and CISOs a single, nationally aligned framework for third-party risk management, replacing state-specific assessment programs such as Arizona's AZRAMP.

  • stateramp/regulator

    GovRAMP working group maps StateRAMP controls to CMMC Levels 1 and 2

    GovRAMP's Framework Harmonization Working Group met April 13 to align GovRAMP requirements with CMMC Levels 1 and 2, identifying shared foundational controls and a new federal overlay for low, moderate, and high impact levels. Providers operating across federal, defense, and state/local markets would be affected by any resulting mutual-recognition pathways. GovRAMP said it will next examine how its authorization can satisfy the FedRAMP Equivalency provision for CMMC and plans to address FedRAMP 20x alignment at a future working group session.

  • stateramp/regulator

    GovRAMP membership required for cloud providers seeking public-sector entry

    GovRAMP membership is the mandatory entry point for cloud service providers, 3PAOs, and consultants that want to participate in the GovRAMP authorization program. According to GovRAMP program data cited in the GovRAMP blog post, providers that remain engaged for at least four quarters see better security outcomes and improve control performance by 40 to 60% within the first year. Organizations that wait for a procurement to require GovRAMP risk delays; membership gives teams access to program guidance and structured pathways before formal assessments begin.

  • stateramp/regulator

    North Carolina adopts GovRAMP cloud security framework for state vendors

    North Carolina will align its cloud product security requirements with the GovRAMP framework, standardizing expectations for providers and reducing duplicative security reviews. The updated requirements take effect April 1, 2026, and apply to all vendors selling cloud services to state agencies. GovRAMP and North Carolina plan educational webinars for providers ahead of the effective date.

  • stateramp/regulator

    Nevada adopts GovRAMP as statewide cloud security standard

    Nevada announced it will adopt GovRAMP as the state's standard framework for cloud security verification across executive branch agencies. The new requirements take effect July 1, 2026, and apply to cloud service providers doing business with Nevada state agencies. Vendors will undergo independent assessment and continuous monitoring through GovRAMP rather than duplicative reviews by individual agencies. GovRAMP and Nevada plan to host webinars ahead of the effective date to walk vendors through the updated requirements.

  • nist-800-171/standards

    CIS warns of authentication bypass in pac4j-jwt JWT library

    CIS published an advisory about a vulnerability in pac4j-jwt (JwtAuthenticator) that could allow an unauthenticated remote attacker to bypass authentication and impersonate any user, including an administrator. The flaw affects Java applications using the pac4j security framework for JSON Web Token validation. Organizations using pac4j-jwt should review the CIS advisory and assess impact on their systems, particularly where JWT-based authentication supports compliance with NIST SP 800-171 access control and authentication requirements.

  • nist-800-171/standards

    Fortinet vulnerabilities allow arbitrary code execution across 16 products

    CIS published an advisory on multiple vulnerabilities in Fortinet products including FortiOS, FortiManager, FortiAnalyzer, and FortiClientEMS. The most severe could let an attacker execute arbitrary code under the affected service account. Organizations covered under NIST SP 800-171 and 800-172 that use these products should apply patches and validate that affected systems are not out of compliance with security control requirements. CIS did not publish a specific CVE list or patch timeline in this advisory; further review of Fortinet security bulletins is advised.

Open questions

  • Which states are next to mandate a CSP authorization regime?
  • How aligned is StateRAMP's revised baseline with FedRAMP 20x?
  • When does TX-RAMP's next program update land?

Sources we watch