- April 11, 2022
- Tag: SLED
In the United States, local and state governments are integral to managing the critical infrastructure that powers the U.S. economy and the lives of millions of citizens. Unfortunately, cyber threat actors continue to target local and state government agencies at an alarming rate. Because of the sustained attacks on state and local government infrastructure, these agencies urgently need ways to modernize their cybersecurity practices.
As a result, the State Risk and Authorization Management Program (StateRAMP) was introduced in 2021. StateRAMP offers a comprehensive security framework designed to improve cloud security for state and local governments. It provides a standard approach by which local and state governments can verify that cloud service providers (CSPs) meet the required standards and regulations before doing business with them. In addition, StateRAMP represents the collective interests of service providers, third-party assessment organizations, and state and local governments that procure SaaS, PaaS, and IaaS solutions.
Furthermore, as an advocate for robust but reasonable cybersecurity standards, StateRAMP brings together government officials, policymakers, service providers, and industry experts to shape the future of cybersecurity. Modeled in part on the FedRAMP framework, StateRAMP was developed on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 5 control catalog. This article explains everything you need to know about the new StateRAMP framework, why it matters, how it differs from the already established FedRAMP framework, and how to achieve certification.
About the StateRAMP Framework
StateRAMP, launched in 2021, is a nonprofit organization that brings state and local governments together with the service providers that serve them, helping both sides identify best practices in cloud security and providing a standard approach to cloud security verification. StateRAMP aids state and local governments, and benefits service providers, by limiting the cyber risk from unsecured cloud solutions through a “verify once, serve many” approach to risk assessment and cloud security.
StateRAMP maintains an Authorized Vendor List (AVL). The list contains products that have achieved a StateRAMP security status as well as those still going through the process. The StateRAMP AVL, published on the StateRAMP website, lists service providers holding a StateRAMP security status of Authorized, Active, Pending, In-Process, Provisional, or Ready.
The purpose of the StateRAMP program is to:
- Aid state and local governments in guarding citizen data.
- Reduce the burdens on the government.
- Save service provider and taxpayer money with a “verify once, serve many” framework.
- Promote cybersecurity education and best practices among those it serves in government communities and industries.
Statuses within the StateRAMP Framework
In the StateRAMP framework, there are two statuses a service provider can hold when it begins doing business with state or local government: a ‘Ready’ status and an ‘Authorized’ status. An ‘Authorized’ status means that the service provider has a local or state government agency sponsor. StateRAMP prioritizes building an ecosystem of providers; therefore, a provider’s status will not expire simply because it lacks a sponsoring agency.
Furthermore, StateRAMP’s ‘Provisional’ status is granted through a local or state government agency sponsor and indicates that the service provider is progressing through the security assessment requirements but has not yet satisfied all of them. On the other hand, a ‘Ready’ status means that the service provider has met StateRAMP’s minimum requirements and is eligible to be considered by local or state agencies, even though it does not yet have a sponsor.
Understanding the Differences between StateRAMP and FedRAMP
In many ways, the new StateRAMP program was deliberately modeled on the FedRAMP framework, one of the requirements for selling cloud services to the U.S. federal government. So how do the two frameworks differ? Read below to find out:
- The StateRAMP framework promotes cybersecurity best practices and enhances the cybersecurity posture of state and local governments and the people they serve. In addition, the framework prioritizes assisting service providers by providing technical resources and security templates, removing obstacles to accessing security verification, and reducing the time to market for many companies looking to do business with local and state governments.
- On the other hand, the FedRAMP framework mainly focuses on conducting security assessments and providing a risk-based and cost-effective approach for implementing and utilizing cloud services across infrastructures owned by the U.S. federal government.
- StateRAMP’s Program Management Office (PMO) is a shared resource between government agencies and providers. As a result, StateRAMP allows state and local governments to monitor their vendors’ reports and security posture; giving states and local governments access to a secure repository of that documentation supports consistent application and enforcement of cybersecurity policies and standards.
- The FedRAMP PMO is only a reviewing body. As a result, FedRAMP documentation can be viewed only by the federal agencies working with a given service provider. Therefore, in the FedRAMP framework, most security documentation and verified products are inaccessible to state and local government entities.
- In the StateRAMP framework, ‘Ready’ statuses do not expire. Also, service providers do not need a contract with a local or state government to obtain a ‘Ready’ status, and the program does not require one to pursue an ‘Authorized’ status. For FedRAMP, by contrast, once a service provider achieves a ‘Ready’ status, it has only 12 months to find an agency sponsor and achieve an ‘Authorized’ status.
Due to the growing sophistication of threat actors, the public and private sectors have come to understand the importance of collaborative efforts. However, at a time when emerging technologies, such as cloud storage and computing, are being adopted to meet marketplace demand, local and state government agencies still lack the visibility and capability to defend their critical assets across different environments. StateRAMP is therefore a significant milestone for community, standardization, and transparency in the cybersecurity industry.
As a service provider that already holds FedRAMP status, should you consider StateRAMP? StateRAMP certification lets your organization maintain a single security package instead of separate documentation for each state, while still giving each state the security reporting it needs. In addition, because states can monitor that security documentation directly, they gain the visibility needed to manage risk, which reduces the burden of repeated, state-by-state updates on the provider.
Eventually, more state and local governments will demand access to their PaaS, SaaS, and IaaS providers’ security documentation and reporting to ensure those systems are as secure as claimed. Working with the readiness assessment professionals at GoldSky allows our experts to evaluate your organization and close the gaps against the requirements needed to complete the StateRAMP certification process.