Learn how to get started with StateRAMP (now doing business as GovRAMP) and strengthen cybersecurity at your regulatory agency. GL Solutions interviews Leah McGrath, Executive Director of GovRAMP, who explains how the organization is changing cybersecurity for state and local governments by offering a streamlined, shared process for validating the security posture of cloud service providers.
“GovRAMP’s mission,” says McGrath, “is to drive best practices in cybersecurity, and to do so by really bringing all of the stakeholders together to recognize a common framework so that we can have a common method to validate and verify the cyber posture of the cloud products and technologies that government is leveraging.”
Listen to our full conversation with Leah McGrath on our Talkin’ SaaS podcast.
GL: What are you trying to accomplish at StateRAMP?
Leah McGrath: GovRAMP’s mission is to drive best practices in cybersecurity, and to do so by really bringing all of the stakeholders together to recognize a common framework so that we can have a common method to validate and verify the cyber posture of the cloud products and technologies that governments are leveraging. And in doing that, we’re able to have a security program that really is a shared service where providers can verify their cloud products at one time in one place. Then they’re able to provision access to those insights to their government customers, so they report once to serve the many. Our participating governments and agency partners are able to access those insights so they don’t have to do that assessment or that validation on their own. They’re able to instead leverage the insights so that they can make risk-based decisions that are right for them.
GL: What are some of the biggest cybersecurity challenges you are seeing?
Leah McGrath:
Innovating Together Quickly
I think it’s that balance of, how do I innovate and bring innovation to government faster while not sacrificing security. I think that’s the biggest challenge; it’s why we developed our Snapshot program, and why we developed this new Core Status that we have: we want to enable that trust sharing sooner in the process. There are absolutely circumstances where the risk is great enough, and it is valid to say we will not use you until you are GovRAMP authorized—fully authorized. But there are circumstances where it is valid to say, as long as you have a Snapshot, as long as you are in the Progressing Program, and I know you’re working towards something, or as long as you’ve got that Core Status as a starting point, then let’s jump in and see how this works.
Addressing Legacy Risk
I think the other challenge is that you can’t just stop doing business. If I’m a government, I’ve already signed a lot of contracts. If I’m an education agency, I have a lot of contracts underway with technology providers that we rely on heavily. We’re transmitting really sensitive data, perhaps. But I can’t just unwind that. I can’t turn the lights off. So, I think that’s a big risk that we see out there. And that’s why I’ve always taken the approach of, in whatever I’m doing, stop the bleeding now. Start as you mean to go. And you really need to dig into those renewal periods when you have them for contracts, to make those updates while you can. And then, as you evaluate, there are some where, if it’s high enough risk, I would do a contract amendment. I would, at the very least, want a Snapshot to know where I am.
So, it’s, how do we go forward, innovating together quickly and efficiently. And then how do we deal with the legacy risk that we may already have?
GL: How would a state or a provider get started with StateRAMP?
Leah McGrath:
Provider
If a provider wanted to start, they could go to our website, certainly join as a member. And by joining, they’re going to get follow up. And we’re going to help them through the process. They can also email info@govramp.org or stateramp.org. We have a membership engagement team, and they would be assigned a dedicated person who can really be their liaison and walk them right through the process. So, depending on where they are and where they want to start, we can get them plugged in and ready to roll.
Government
We have a government engagement team. So, they can email info (info@govramp.org or stateramp.org) or email the government engagement team: get@govramp.org, for government; that’s going to connect directly with our government engagement directors. All of us come from government on that side, and so they’re going to be working with someone who really gets it and understands where they are and what they’ve gone through. They’ll be the liaison to walk them through and meet them where they are.
GL: How does GovRAMP differ from FedRAMP?
Leah McGrath: FedRAMP is a federal program that is run out of the GSA in the federal government, and it is codified in the NDAA. It’s a government program that is run by the federal government, for the federal government. And so, one of the things that we learned along the way is that those insights from a continuous monitoring perspective are not shared outside of the federal agencies, because it’s a program designed to serve the federal agencies. And so that really left states, local governments, education, on their own to figure it out.
Mission
So, the number one difference—GovRAMP is a nonprofit. We are a 501(c)(6) organization. StateRAMP is the entity. We just recently updated to doing business as GovRAMP. That’s to better reflect our mission and those that we serve, because we don’t just serve states. We serve local governments, K-12 schools, higher ed. So that is the reason for the name change to GovRAMP. But as a nonprofit, we’re managed differently; so that’s the first difference.
Requirements
When you get into our security programs, there are a few differences in the requirements and the way that we work. Our founding steering committee and our standards and technical committee have continued to really have a goal to align our frameworks with FedRAMP, and that’s because of the ecosystem; we’re all connected. It’s based really brilliantly on the National Institute of Standards and Technology’s Special Publication 800-53 (NIST SP 800-53) now rev five; that really speaks to the best practices in cloud security. And so, because we have similar baseline standards, it does allow us to continue to align, which is really helpful so that we have a Fast Track program; for example, for providers, if they have had an audit, an assessment for a FedRAMP authorization or FedRAMP ready status, they can actually bring that same audit and same package through our program because of the alignment. And so that’s really important, because it streamlines the process for the providers. We’ve really designed some great efficiencies, and it allows them to go through our program and really get that feedback, while maybe they’re waiting to go through the federal program.
Sponsorship
We do not require a sponsor to become GovRAMP authorized. That’s a big deal. If you’ve ever talked to anyone who’s tried to achieve a FedRAMP authorization, a barrier is finding a federal agency willing to sponsor. That’s a big lift for those agencies. What we have is a centralized program management office. So rather than every agency or government being that sponsoring organization, we have a centralized program management office, and that was very important in the very beginning, and continues to be, because we wanted to make sure that the standards were applied consistently; so if it says GovRAMP Ready, or GovRAMP Authorized, or GovRAMP Core, it’s the same every time. If you are a government trying to trust that validation, you want to know there’s consistency in application.
Management
A key difference would be that we have a centralized program management office that is really validating and doing the initial assessment. Now we don’t need an agency sponsor, because we handle that differently. We have an approvals committee that meets monthly; they’re made up of about 10 different government officials who’ve got technical expertise, who volunteer their time. And every month they do reviews. Our program management office will give them executive summary recommendations, and they do the reviews to be able to be that final authorizing body to give that GovRAMP authorization. The way we operate allows us to have a more efficient cadence and more consistent expectations as to what that process looks like with us.
Programs
The other difference, and I kind of alluded to it, is, while our GovRAMP Ready and Authorized statuses and requirements very much mirror the requirements and processes of FedRAMP, we also have some other programs that provide a step-by-step approach into becoming Ready and Authorized. And that’s because when we launched this program, we realized and heard from many of our provider members that they just weren’t quite ready for that full assessment. Or maybe they didn’t need it, right? Because, again, when you’re thinking about risk, we want to make sure that the requirements match the needs for risk.
If I’m counting trout, for example, I might not need the full GovRAMP authorization, but there’s still a potential data or security impact. So, we want to make sure that there are some best practices in place. And so, for that reason, we have kind of an earlier stage. I always say, start with Snapshot. We have an earlier stage program that’s our government progressing program, the Progressing Snapshot Program. And what that does is allow a provider to start. It’s like a mini audit. They’re able to assess where they are on just those basic controls, the base 40 NIST controls. And in doing that, it’s very simple. It’s low cost. It allows them to see where they are, so they know how far they have to go.
And then our PMO advisors provide wrap-around support every month. They have meetings to help advise them on how to most efficiently go forward. Where do you get the greatest bang for your buck when it comes to security outcomes? Because it’s what we really try to drive toward, right? These are the things that, based on the MITRE ATT&CK framework study, tell us have the greatest impact on risk. So, we look at those controls with the higher risk protection values and start there. And it’s so brilliant, because then also the providers can go back to their leadership and say, here’s how I’m helping improve security. So, we have some earlier stage statuses like I mentioned, that lead up to Ready and Authorized that I think are so important in helping ensure providers have a path in and that our participating governments have visibility along that journey. So, it’s not a binary, are you authorized or not decision. It’s a where are you in your journey, and is this risk okay to accept?
Editor’s note: Answers edited for clarity and brevity. To hear the entire interview, listen to our interview with Leah McGrath on our Talkin’ SaaS podcast.
Time to Modernize
GL Solutions helps your regulatory agency run, grow and adapt through modern software and automation that helps solve your agency’s greatest challenges. To learn more, contact us.