If you work for a state or local government agency, a cloud service provider (CSP), or in the cybersecurity industry, you should be familiar with StateRAMP. StateRAMP is modeled on the FedRAMP program of the United States federal government but tailored to the needs of smaller state and local governments and the CSPs that serve them. On behalf of SLEDs, StateRAMP has established a common standard for cloud service providers to attest their offerings against.
We’ll break down the foundations of StateRAMP, how it works, and why it matters for both CSPs and the SLED sector.
The Precursor to StateRAMP: What is FedRAMP?
FedRAMP was established in 2011 to assist government departments and agencies with a cost-effective and risk-based strategy to cloud adoption. FedRAMP allows federal agencies to evaluate and approve cloud service providers. The FedRAMP security assessment methodology was developed using the Risk Management Framework, which implements FISMA (a.k.a. The Federal Information Security Modernization Act) regulations and NIST SP 800-53.
The FedRAMP marketplace is now home to hundreds of cloud service providers who have successfully demonstrated the effectiveness of their security controls to receive an authority to operate (ATO). Furthermore, these CSPs have maintained these ATOs by fulfilling the continuous monitoring requirements of FedRAMP.
Federal agencies can now buy products faster and with confidence, knowing that the CSP’s government services must attest to a common framework that is continuously monitored for compliance.
What is StateRAMP?
StateRAMP, or the State Risk and Authorization Management Program, established a common standard for states to verify that their cloud-based service providers’ cybersecurity is up to par. StateRAMP approval aids in advancing cybersecurity standards for state government operations and the protection of personal data. The framework is a simplified version of FedRAMP. When it comes to cloud security and cybersecurity, the initiative aims to help bring state and local governments together to build that common strategy and aid state and local governments in controlling third-party service providers.
A small board of directors governs StateRAMP, and a broader steering group comprises leaders from the cybersecurity industry and state and local government officials. NASCIO, the National Association of State Chief Information Officers, also contributes to the development of technical policies and standards for StateRAMP.
StateRAMP has established templates that third-party assessment companies can use to examine IaaS, PaaS, and SaaS vendor’s security and award such cloud-based vendors the StateRAMP authorization. As a result, state and local government CIOs and procurement officials can be more confident that the technology suppliers will meet specific security standards.
Differences Between StateRAMP and FedRAMP
For CSP’s that have a pre-existing FedRAMP ATO, the good news is that many of the foundational constructs of FedRAMP have been embraced by StateRAMP. As shown in the table below, the foundational control framework, 3 PAO assessment process, impact levels, and CONMON requirements are similar.
The distinctions between FedRAMP and StateRAMP are minor and have little to do with the authorization process. The authorization process works slightly differently because state governments are independent and not subject to a centralized federal mandate.
StateRAMP
- States / Locals have visibility into ConMon
- PMO Support for Government and Service Providers
- Ready Status does not expire (ConMon required)
- Provisional Status awarded by government sponsor
- Fast Track option for products with FedRAMP.
Both
- Built on NIST 800-53 Rev. 4
- Requires 3PAO Audit
- Impact Levels Low, Moderate and High
- Require ConMon
- Verified Statuses of Ready and Authorized
FedRAMP
- Must do business with federal government
- Federal have visibility in ConMon
- Provisional Status awarded by Joint Authorized Board (JAB) v. Agency
For more details on the difference between FedRAMP and StateRAMP, please reference this article.
Why Was StateRAMP Created?
It’s no secret that government organizations are constantly under attack from cybercriminals. In 2020, 79 ransomware attacks on municipal, state, and federal governments caused an estimated $18.88 billion in damage, affecting 71 million people. The situation did not improve in 2021 or the first quarter of 2022. According to the 2022 Cyber Threat Report, ransomware attacks increased by 1,885% worldwide in 2021, with the healthcare business experiencing a 755% surge. According to the report, ransomware increased by 104% in North America, just slightly less than the global average of 105%.
While the FedRAMP authorization program was developed to create security requirements for cloud suppliers working with the government, it only applies to the federal government. As a result, state and local governments lacked their own norms.
How Does StateRAMP Work?
StateRAMP was formed in the same way that FedRAMP was designed to provide a standardized method to security assessment, authorization, and continuous monitoring for cloud products and services that store, process, and transport federal information.
The Security Assessment Framework procedure in StateRAMP is based on the Risk Management Framework of the National Institute of Standards and Technology (commonly known as NIST). The following are the primary requirements for CSPs requesting authorization:
- Compliance with the NIST Special Publication 800-53 Rev. 5 security standards.
- A partnership with a Third-Party Assessment Organization acts as a facilitator and educator throughout the process.
- In partnership with a 3PAO, create an in-depth security report that demonstrates the organization has all required controls in place and meets all permission criteria.
- Participating in ongoing monitoring to demonstrate that the company is still in compliance with StateRAMP.
- CSPs must collaborate with their 3PAO to determine their impact level category based on the sort of government data they manage and the implications of a breach to have a cloud offering or product become StateRAMP authorized.
Each of the four categories is associated with a specific set of security controls that correspond to FedRAMP effect levels:
- Category 1 – This is the minimum standard that any CSP must meet. It corresponds to systems that involve publicly available data. Category 1 corresponds to FedRAMP’s “low” impact level.
- Category 2 – This category includes data that is not accessible to the general public, such as personally identifiable information. Category 2 corresponds to FedRAMP’s “low” impact level and consists of some control baselines from the “moderate” impact level. This year, Category 2 will continue to be developed and validated.
- Category 3 – This category includes sensitive data and systems vital to the government’s ability to function. FedRAMP’s “moderate” effect level corresponds to Category 3.
- Category 4 – For StateRAMP reciprocity, this category is intended for FedRAMP High authorized systems.
StateRAMP also offers an official data classification tool and a short survey to assist government agencies in determining which StateRAMP security category requirements they should include in their RFPs. This tool can also assist CSP in better comprehending the StateRAMP security categories and what they imply.
Do We Need StateRAMP?
In short– yes. StateRAMP is quite beneficial.
StateRAMP allows service providers to standardize and assess their security posture, giving clients the certainty of a predetermined level of compliance. Establishing a third-party objective, unbiased study, and systematic confirmation of any solution’s capabilities improves this assurance.
StateRAMP has developed a viable validation system, allowing its members to be assured that cloud providers meet strict cybersecurity requirements, including implementing published best practices, guides, and policies, by collaborating with service providers and third-party assessment groups. The validation approach, as specified by StateRAMP, consists of the following steps:
- Like FedRAMP, StateRAMP recognizes offerings working towards receiving their authority to operate. The progressing offering statuses are Active, In Process, and Pending.
- For an offering to be recognized as in progress, the supplier must work with a third-party assessing organization (3 PAO) for an impartial audit.
- When an offering has a current status of “Active,” it meets the minimum requirements and is considered “Ready.”
- Once the offering exceeds these minimum requirements and has a government sponsor, the offering moves to the Provisional state. The offering status moves from “Ready” to “In Process.”
- When the supplier officially submits their security package to the Program Management Office (PMO) for authorization, the status is elevated to “Pending.”
- Once the PMO verifies the supplier offering, the offering status is changed to “Authorized.”
- To retain a verified security status, suppliers must adhere to continuous monitoring criteria to ensure continuing security compliance and risk reduction.
StateRAMP also provides several tools and resources to its members to assist them in achieving greater cyber resilience. The StateRAMP Authorized Vendor list is the most important of them. It lists verified products and those in the process of being approved.
Cloud-based technology providers will continue to be embraced by state and municipal governments. Many will benefit from cloud-based services as the expenses are lower, the implementation is simpler, and the technology outperforms what most government agencies could design and operate independently.
The difficulty is reconciling this rise in IT adoption with the previously mentioned proliferation of cybersecurity dangers. State and municipal IT departments may find evaluating the security of each cloud-based vendor an arduous undertaking; thus, depending on StateRAMP provides them with a level of assurance they could not otherwise attain.
How was our guide to StateRAMP? Tell us what you think of this new regulatory requirement for cybersecurity in U.S. states in the comments section below.