Last Updated on March 16, 2023
State, local and education (SLED) government agencies and cloud service providers (CSPs) need to know about StateRAMP, a new nonprofit that verifies cybersecurity for cloud service offerings specifically for SLEDs. Dubbed “a user-friendly FedRAMP for SLEDs,” StateRAMP is modeled on the US federal government’s FedRAMP program, but is tailored to the specific requirements of the state/local government sector.
To share how StateRAMP works and how it hopes to benefit SLED cybersecurity, StateRAMP Executive Director Leah McGrath joined a recent episode of The Virtual CISO Podcast. Pivot Point Security CISO and Managing Partner, John Verry, hosts the show as usual.
“We’ve had [CSP] customers come to us and say, ‘I’m being asked for a FedRAMP ATO by a state,’” says John. “And a state can’t do an agency ATO for FedRAMP.”
Likewise, a state government entity can’t provide a letter of intent for FedRAMP, so the CSP can’t participate in the FedRAMP JAB PMO process. Fortunately, StateRAMP can address this problem.
“We actually did see states and local governments saying, ‘Hey, we’re just going to require that in the RFP or the contract terms that the provider have a FedRAMP ATO,’” Leah replies. “But what you just outlined is exactly why you can’t do that. If a state or local government does require that, they’re limiting the pool of opportunities, which is not the desired impact.”
“So, if we’ve got listeners who don’t know, in order to maintain or even start to maintain a FedRAMP ATO, that provider must have a minimum contract and maintain a minimum contract with a federal agency for that offering—and those can be difficult to come by,” continues Leah.
“But we know that there are many providers out there who serve state and local government, who have no intent of serving federal government, and so [StateRAMP] offers all the providers a path in the door.”
If you have a cybersecurity or business development role with a CSP that serves the SLED sector, don’t miss this podcast with Leah McGrath, StateRAMP’s Executive Director.