Your IT department now requires that your agency use FedRAMP. And your RFPs ask private sector vendors to explain how their services follow FedRAMP standards. But what is FedRAMP? And why are state licensing agencies choosing this for regulatory requirements? What is...
Is your state a member of StateRAMP? Why should a state join StateRAMP?
“State participation in StateRAMP is essential for safeguarding sensitive cloud-based data, given the heightened risk of cyberattacks on cloud applications,” according to Jessica Kashary, StateRAMP Chief of Operations. “By requiring cloud vendors to be StateRAMP authorized, agencies can be confident that their data is being stored and processed in a secure environment. This can help to protect the privacy of citizens, the integrity of government operations, and the financial security of the government.”
Get all of your StateRAMP questions answered from a member of StateRAMP’s Provider Leadership Council. In our interview, Bill Moseley, a member of the council and the CEO of GL Solutions, explains the importance of StateRAMP for ensuring state security standards. He also shares the ways StateRAMP simplifies security and saves time for states.
Bill Moseley: StateRAMP provides a more comprehensive and consistent security assessment of their vendors. Right now, states are establishing or attempting to establish security standards for all their vendors to make sure that when they host state data that it’s secure and being stored properly and is less susceptible to cyber threats and attack.
State security is a hot sector right now, so they have an especially hard time retaining talent. StateRAMP can simplify this by basically establishing a comprehensive standard that states can adopt as their standardized approach. And then they take care of the auditing and verifying that a third-party, independent audit has been conducted. Instead of having state staff verify that you’re compliant, they would say no, it’s up to the vendor to go to an accounting firm to become audited according to these standards. And so StateRAMP has an approved list of auditing firms that can audit for StateRAMP compliance.
Some states are going further now. These states are saying, if you have a StateRAMP certification, you don’t have to comply with our specific state requirements. Some of them, like Colorado, are moving in a direction to where you can’t even bid on new contracts and RFP proposals unless you’re StateRAMP certified.
In the very beginning, most states didn’t have any standards at all—really no one was monitoring this. When they started developing standards there was voluminous documentation on those standards, but they wouldn’t verify that anyone complied. And then the states moved towards auditing vendors. But most states really struggled with that. They didn’t have the technical ability, nor the resources to audit all the software vendors that their state was using.
The security standards in the United States are mostly a subset of a US standard called NIST 800-53. StateRAMP is a subset of NIST 800-53. NIST 800-53 has like 1,000 controls; a control, for example, might be that you require multi factor authentication. So basically, the states were saying, well, we think this one, this one, or these 23 or 80 or so are important. They tried to establish independent standards and then they were asking vendors to submit all of this information. They really struggled with trying to get private sector vendors that really wanted to be authorized in a single state. And then they struggled, just examining it.
Bill Moseley: The StateRAMP Security Snapshot is intended for use by vendors who are considering becoming StateRAMP certified. It’s a set of requirements that they suggest you look for and you can essentially obtain what they call provisional status. Why would a government agency look at that list? Even if your state doesn’t use StateRAMP, those might be the minimum requirements that you really want for your software vendors to protect against cyber attacks. It’s a quick checklist.
It’s a good starting point to quickly vet a vendor or for state agencies or for vendors who are considering becoming StateRAMP certified. It would be a good checklist to start out with and you can apply for provisional status with StateRAMP.
Bill Moseley: The StateRAMP website shows all the states working with StateRAMP. A map marks all the participating states in blue. It might give you a good shortcut to know how your state participates in StateRAMP.
Bill Moseley: There were about 35 or so vendors that were there at our inaugural meeting on August 8 for the council. J.R. Sloan, who’s the CIO for the state of Arizona, said that the Provider Leadership Council, or PLC is the “voice for providers within StateRAMP.”
The StateRAMP leaders also want to learn from previous experiences with programs like FedRAMP; FedRAMP is like the same thing, but for the federal government. But there were a lot of missteps with FedRAMP, and they hope to avoid those with StateRAMP. So StateRAMP is really to help them understand what do providers need? What do agencies need to hear? What would be beneficial for both sides? And they also provide information and knowledge about security requirements. So if you’re a SaaS solutions vendor like ours, you can ask them questions, and they’ll provide you with technical assistance to mitigate security risks.
Bill Moseley:
They go through revisions of the NIST 800-53 requirements. And their current one is revision four, but they just released revision five. And so that’s going to require vendors and hosting providers and others to make modifications to some of their security standards. And so StateRAMP is developing draft templates to share with vendors on how they can become compliant. They’ll make those available by the beginning of January. And then to maintain your StateRAMP compliance, they’ll require them to be in place by October 24. And they’re also going to provide some technical guidance on comparing the differences between revision four and revision five because there are 2,000 standards. So people can be more focused on specific changes rather than going through this giant document trying to figure out what to change.
And then they talked about progressive security assessments for vendors and offering technical guidance to help achieve StateRAMP authorization. That relates to the StateRAMP Security Assessment where they’re trying to help smaller vendors maintain compliance.
They talked about all the states that they’re adding. They’re basically rolling out StateRAMP across the U.S. And sometimes it takes legislative changes to allow StateRAMP to be authorized.
They talked about an article from the Center for Digital Government, and how states can integrate StateRAMP into their state cybersecurity requirements and simplified vendor assessments.
And then the last thing that they addressed was, they’re trying to integrate with other authorities that overlap. One that they’re working on right now, for example, is CJIS. CJIS is the FBI’s requirements. It’s one of the few that are more stringent than NIST 800-53. And so what they’re going to do is identify for vendors, all of the StateRAMP requirements that are also CJIS requirements, and then tell you a few other ones that you have to meet in order to become CJIS. So that would be beneficial to vendors who want to maintain both sets of compliance.
Bill Moseley: I decided to become a part of the council to help participate in the overall vendor community to ensure that there’s good cooperation between the public sector and software companies. Both companies and state agencies have an interest in securing critical data, but we need to make it as efficient as we possibly can in validating that the environments are secure. And so, I wanted to be able to have an avenue to participate in the development of future requirements with StateRAMP. And then I also wanted to receive information on what’s going on within the state governments, from a security perspective.
Bill Moseley: When we were approached by StateRAMP to join the Provider Leadership Council, I showed him an example of the kind of compliance information we had, and talked about the breadth of states that we worked in. They thought we’d be a good fit for the council because we work with so many different states, and we’re fairly mature on the security controls side of things. They recommended that we participate in the council.
Bill Moseley: If you’re an agency that is not yet a part of StateRAMP, I would suggest visiting their website. They have a wide variety of resources that are available to government agencies. They have specific sections for government agencies, and I think they can really help states to navigate their cybersecurity posture, which is really a very complicated topic for government to navigate.
Bill Moseley: The requirements are really extensive to ensure that an environment has a reduced risk mitigation effort around security. They just aren’t in a position to understand the rules. And they don’t have the people to do it. And then a given state might use 1,000 software applications. So how do you verify that all your vendors are actually certified? It’s a huge undertaking to do that. And so, they just aren’t well suited to do it. Even the biggest states like Texas are starting to adopt StateRAMP instead of adopting their own.
According to their website, “StateRAMP represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. We believe in the values of transparency, standardization, and community. As an advocate for strong but fair cybersecurity standards, StateRAMP works to bring together service providers, policy makers, industry experts, and government officials to drive the future of cybersecurity. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework, modeled in part after FedRAMP, and based on a “complete once, use many” concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
StateRAMP puts cybersecurity first. As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve.”
Jessica Kashary, StateRAMP Chief of Operations, notes that “individual government membership is free & those that wish to register can do so here – Government – Single Membership – StateRAMP.”
Kashary adds that the “Government Engagement Team is dedicated to helping governments navigate the implementation of StateRAMP. For more information, contact get@stateramp.org.”
For more information, go to their registration page: https://stateramp.org/register/.
These state have engaged StateRAMP to recognize and adopt standards that provide cloud security solutions for their organizations and vendor communities.
https://stateramp.org/participating-governments/
According to StateRAMP, the “Provider Leadership Council’s founding purpose is to provide expertise and advice regarding provider challenges, and to foster conversations with governments that result in efficient and effective cyber practices. The Provider Leadership Council (PLC) gives all service providers a voice in ensuring StateRAMP fulfills its mission.”
https://stateramp.org/about-us/leadership/plc-directory/
Join our mailing list to receive the latest news and solutions for regulatory agencies.