Trying to grasp the basics of StateRAMP? A member of the StateRAMP Provider Leadership Council tackles your frequently asked questions. Bill Moseley, a member of the council and CEO of GL Solutions, sheds light on StateRAMP FAQs—from the many benefits to the technical aspects.
StateRAMP provides states with a comprehensive and consistent security assessment of their vendors, explains Moseley. “States are establishing or attempting to establish security standards for all of their vendors to make sure that when they host state data that it’s secure and being stored properly and is less susceptible to cyber threats and attack.”
StateRAMP addresses the FAQ by explaining that the StateRAMP program “works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.”
“States have a really hard time ascertaining the security of vendors. And they are increasingly having them go through some kind of third-party audit or compliance check to make sure that the services and cloud products that they’re selling to state governments are secure. And so, this makes it a lot easier for them,” says Moseley.
Instead of setting up separate offices in each state to examine the security of vendors, StateRAMP provides regulatory agencies with that one standardized approach to use. Some states, he explains, require vendors to receive StateRAMP certification through their state standards—Texas uses TXRAMP and Arizona AZRAMP, for example.
“StateRAMP simplifies the work and cuts costs for states,” Moseley explains. By using one standard set by StateRAMP, instead of their state security standard, they skip the cost of auditing every single vendor they work with.
StateRAMP not only simplifies the process for state agencies, but for vendors as well. From the vendor perspective, instead of complying with 50 different standards, the vendor performs a single security audit with StateRAMP.
“From the vendor’s perspective,” explains Moseley, “it helps us to comply with many different states at the same time, so it’s more efficient.”
States, Moseley explains, enter into agreements with StateRAMP and adopt StateRAMP’s standards. The StateRAMP website displays a map, offering a quick visual of the participating governments and public educational institutions.
These states, he says, “recognize StateRAMP as a form of security audit,” eventually requiring their vendors to be StateRAMP certified.
StateRAMP provides a step-by-step description of the process on their website.
Moseley also points to the relationship between NIST 800-53 and StateRAMP. He explains that NIST 800-53 offers “an overall security set of controls established by the US government.” According to the StateRAMP website, “StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a ‘complete once, use many’ concept that saves time and reduces costs for both service providers and governments.”
“SOC 2 is not nearly as thorough as StateRAMP,” states Moseley. He explains that SOC 2, also an audit and based on the NIST 800-53, includes a much smaller set of security controls than StateRAMP.
SOC 2 covers a small portion of the security controls, while StateRAMP covers about 380 of the main controls out of 420 or so, he explains. “The SOC 2 audit barely assures you that your vendor is being serious about security,” Moseley says.
Both StateRAMP and FedRAMP help to standardize approaches to cybersecurity for cloud service providers, with each serving different levels of government within the United States. While FedRAMP focuses on the federal level, StateRAMP focuses on state and local governments. Some of the key differences between StateRAMP and FedRAMP include: authorization process, target audience and security requirements.
Moseley cites other differences, including states generally not recognizing StateRAMP. In addition, he explains, that while getting FedRAMP compliant takes a long time, StateRAMP authorization goes much faster. “They’re more efficient,” he says.
While not currently mandatory, Moseley says “I wouldn’t be surprised if someday in the next three to five years that states will require StateRAMP in order to bid on work with state government agencies.”
And the StateRAMP website explains that at any time “state and local governments may require service providers to engage with StateRAMP and obtain a StateRAMP security status.”
Moseley points to states increasingly adopting better security standards over time. He recalls a client, a state regulatory agency, sending GL Solutions sensitive unencrypted information via FedEx 25 years ago when he first started the company. The package contained names, along with all the medications taken by those individuals. He contrasts that to now, with states requiring some minimum security requirements, such as SOC 2 audits—and now StateRAMP as well.
StateRAMP provides a handy list, along with a color-coded map of the United States, for a quick view of the participating governments and public education institutions.
While not every state participates in StateRAMP right now, Moseley explains that state CIOs and security officers across the U.S. know about StateRAMP. “Sometimes, because of their own state laws and other things they are not able to move as quickly to adopt it,” he says.
Whether a state requires StateRAMP or not, he says, StateRAMP-certified vendors show a state that they take compliance seriously.
StateRAMP low and moderate refers to the type of data you house, according to Moseley. StateRAMP outlines four different impact levels for data classification and categorization, from StateRAMP low to StateRAMP high. According to StateRAMP, “StateRAMP low baseline controls align with NIST and generally map to data or systems that involve publicly available data.” And StateRAMP moderate baseline controls “align with NIST and generally map to data or systems that involve confidential data or high criticality to the continuity of government.”
Moseley says most of the regulatory agencies that he works with have at least StateRAMP moderate requirements.
Bill Moseley, CEO of GL Solutions, serves on the StateRAMP Provider Leadership Council. As a member of the council, Moseley explains he provides advice to StateRAMP on vendor challenges. He suggested, for example, that StateRAMP work more closely with the Criminal Justice Information System standard (CJIS), especially related to gathering background check information.
In addition, StateRAMP informs the council of changes in StateRAMP requirements. “StateRAMP provides guidance to the vendors to help us prepare for those changes,” Moseley explains.
“Your ability to become StateRAMP compliant is a testimony to an organization’s commitment to keeping very sensitive state government information protected. It’s not only the initial audit fee of $125,000, but must have a lot of process maturity within your organization, your personnel policies and your procurement policies. You have to be a pretty organized company to become StateRAMP ‘Ready’ to meet those requirements. More than half the requirements are about your policies and procedures, and when you train employees and how you go about running your business, that can keep things safe.”
GL Solutions joined StateRAMP as a member in 2023. According to Moseley, the company remains on track to obtain a “Ready” status—a StateRAMP verified status—by the end of the year.
To read even more frequently asked questions, head to StateRAMP Frequently Asked Questions.
Join our mailing list to receive the latest news and solutions for regulatory agencies.
