Oregon moves to adopt StateRAMP for cloud and vendor security vetting
Summary
State CIO and security officials said Oregon has joined StateRAMP membership and is working with procurement and DOJ to prefer StateRAMP‑assessed vendors, with a phased approach from acceptance to preference to requirement.
State IT leaders told the legislative committee that Oregon has joined StateRAMP membership and is working to integrate StateRAMP assessments into procurement practice so agencies can rely on a vetted vendor list and reduce duplicate security assessments.
Terrence Woods described the move as part of a “better together” strategy: StateRAMP provides state‑focused, NIST‑aligned verification of vendor security posture and continuous monitoring that can reduce the time cybersecurity staff spend re‑validating vendors during procurements. Ben Goreski said Oregon’s cybersecurity office is part of StateRAMP’s council work and that vendors that opt to complete StateRAMP assessments on their own provide a documented posture states can rely on.
Goreski explained the adoption tiers the state is considering: accepting StateRAMP assessments to satisfy business‑security requirements, preferring StateRAMP vendors when feasible, and ultimately requiring StateRAMP authorization once procurement, legal and contract terms are aligned. “When that happens, our assessment becomes minimal because they already have met the criteria on their own nickel,” Goreski said of vendors that complete StateRAMP reviews.
Committee members asked whether StateRAMP participation narrows competition; presenters said StateRAMP membership currently covers hundreds of vendors and that the program has participation across roughly 30 states, providing broader vendor choice and continuous verification rather than a point‑in‑time report. Woods said the procurement office and Department of Justice are working with the security team to embed StateRAMP into standard contract terms so agencies will be guided to prefer StateRAMP assessments when appropriate.
Why it matters: StateRAMP is intended to speed procurement, create consistent security verification across states and reduce duplicative, costly security reviews of cloud and SaaS vendors. The committee was briefed that adoption is in early stages in Oregon and that the state intends to move from acceptance to preference to requirement as legal and procurement documents are updated.
