Last Updated on June 30, 2021
If you work with a state, local and education (SLED) government entity or cloud service provider (CSP), you need to know about StateRAMP, the new nonprofit that is now managing security authorizations for cloud service offerings on behalf of SLEDs. StateRAMP is based on the US federal government’s FedRAMP program, but is fine-tuned to the differing needs of smaller state and local governments and the CSPs that serve them.
To explain how StateRAMP works and why it’s so important for the SLED security space, StateRAMP Executive Director Leah McGrath joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is Pivot Point Security’s CISO and Managing Partner, John Verry.
The birth of StateRAMP
Leah explains: “StateRAMP is a nonprofit that was created over the course of the last year and a half by a series of conversations had with leaders in state government—CISOs, CIOs, procurement officials, privacy officials—coming together with private industry and subject matter experts to recognize, hey, there’s a challenge: states and local governments are under attack when it comes to cybersecurity. And they need assistance with managing third-party risk in an effective way.
“From the private sector perspective, they’re saying, ‘Hey, just don’t create 50 different FedRAMP versions.’ And how do we do this together? How do we create a process for cybersecurity verification of cloud service providers that can really help all stakeholders, and by doing so lift the cyber posture of state and local governments and the providers that are serving them?
“So it was really a discussion around… There’s a challenge, everyone’s facing it. And because everyone’s facing the same challenge, maybe there’s an opportunity to create a shared service model. So, we spent most of 2020 bringing together great minds; I just had the benefit of being a fly on the wall, facilitating conversations…
“What if we came together? What would it look like? How could it work? And what was created was the idea of StateRAMP.
“So StateRAMP really just brings state and local governments together with the cloud service providers who offer or utilize a SaaS, IaaS or PaaS solution to serve government, and it gives them a path to validate their cloud security in a standardized way.”
Building on FedRAMP and NIST 800-53
“It is based on NIST, the National Institute of Standards and Technology cybersecurity framework, specifically NIST 800-53. And it’s modeled, in part, after FedRAMP. So the steering committee did look quite a bit at FedRAMP in that process for verification, both to see how it could be leveraged, but also how it could be optimized to serve state and local government,” says Leah.
“So, if I were to oversimplify, how far off would I be if I said, ‘StateRAMP is FedRAMP for SLED’?” quips John.
“I think that’s not an oversimplification,” replies Leah. “I would add, it’s designed to be a little more user-friendly for states and local governments and cloud service providers.”
“That would be good,” John offers. “Yes, FedRAMP is a great program. I give them a lot of credit. But there is a lot of complexity. There are a lot of moving parts. It’s a very choreographed dance. … The states want secure cloud solutions, and this is a way to standardize that, which is good for business and is good for the states.”
If you’re involved with security for a CSP or SLED org, be sure to check out this podcast with StateRAMP Executive Director Leah McGrath.