The federal government has FedRAMP to manage security authorizations for cloud service offerings. But cyber attacks don’t stop at the federal level. State and local governments are under attack too.
How can we create a process for cybersecurity verification of cloud service providers that lifts the cyber posture of state and local governments and the providers who serve them?
- What StateRAMP is
- How it works
- Improving the StateRAMP process over time
Sign up to receive updates at StateRAMP.org.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective, you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:00):
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
So hey there and welcome to another episode of the Virtual CISO Podcast. I’m your host, John Verry. And with me again is the Higgy to my Cole, a very cool Yankees reference, Andrea VanSeveren. Hey, Andrea.
Andrea VanSeveren (00:38):
Hey John, how are you? How’s it going? Higashioka.
John Verry (00:42):
Wow, now you’re showing off. Yeah, I can never pronounce his name. Although I actually wish they would start him more often, lifelong Yankee fan so well done. Little tip of the hat there to the Yanks. So what do you think of my discussion with Leah?
Andrea VanSeveren (00:56):
I thought it was great. First off, I loved her appreciation for good coffee, Pinot and Office Space references. So now we’re friends in my head. But aside from that, I thought she was really impressive describing the StateRAMP program, a not-for-profit which was launched just a little over 18 months ago and is already bringing state and local governments together with vendors. It’s just a simple way for folks to do business in the SLED space and standardize security verification while managing the risks.
John Verry (01:29):
Yeah, I definitely love the Office Space references, because it’s one of my favorite movies, with Milton. So first off, I really enjoyed the conversation with Leah. She’s very charismatic, incredibly well-spoken, she knows her stuff. So in a very short podcast, you get an awful lot of information. And I think if you want to just get the summary, StateRAMP is essentially FedRAMP for states.
John Verry (01:52):
I think it’s a really significant program and a very important program. We’ve had a number of clients that are cloud service providers that have had requests to become FedRAMP ATO’d, but they don’t provide services to the federal agencies. So they had no vehicle to get FedRAMP ATO’d, because the states can’t sponsor you. So this idea now that we’ve got a program for people that do work in the states and the educational municipality space, I think is fantastic. Such a much-needed program.
Andrea VanSeveren (02:20):
Yep, absolutely. And to the listeners out there, I think you’ll really want to turn in, tune in oops.
John Verry (02:28):
Turn in, yeah. Turn in is good.
Andrea VanSeveren (02:30):
Don’t do that. No, no, that would be bad.
John Verry (02:33):
We’re not saying we put them to sleep are you?
Andrea VanSeveren (02:35):
Right. So if you’re a cloud service provider, or an assessment organization, this episode will help you learn about the StateRAMP program, what it is, costs and how you can become a SLED-selected provider through the published cybersecurity policies and standards they have. Likewise, if you’re a state or local government agency, the StateRAMP program can help you identify SLED and other third-party cloud providers and vendors, so you can conduct business safely and securely.
John Verry (03:05):
Yep. So in Leah’s honor, pour yourself a fine glass of Pinot, and let’s get to the episode.
John Verry (03:15):
Leah, how are you today?
Leah McGrath (03:18):
Great. Thank you, John.
John Verry (03:20):
Now that the technical problems are resolved, we got on, and you’re ready to roll.
Leah McGrath (03:23):
I’m ready to roll.
John Verry (03:25):
All right. Let’s have some fun here. Start super simple. Tell us a little bit about who you are and what you do every day.
Leah McGrath (03:31):
So Leah McGrath here and I have the privilege of serving as executive director for StateRAMP, which is a newly founded and newly launched nonprofit that is really aiming to bring states and local governments together with the vendors who serve them to simplify the cloud security verification process, and to standardize that.
John Verry (03:54):
Cool, and that’s exactly why that was a mouthful, and that’s why we’re here because we wanted… She’s going to unravel that along in a second. But first, I’m going to ask the question I ask everyone, because it gets things off on a good foot. What’s your drink of choice?
Leah McGrath (04:08):
Well, it depends on the time of day and to some degree the season of the year. No, I can’t get through a day without a good coffee and I’ll drink any kind of coffee, black.
John Verry (04:22):
Not any kind-
Leah McGrath (04:23):
With almond milk.
John Verry (04:24):
Not 7-Eleven coffee, right?
Leah McGrath (04:26):
I mean, I prefer not 7-Eleven, but on a long car ride, desperate times call for desperate measures, so I will go there too. And then I also love a good glass of wine, white, pinot, red, I’ll take whatever.
John Verry (04:41):
It’s really funny, I’ve gotten that answer of pinot quite a bit.
Leah McGrath (04:44):
Okay, must be [crosstalk 00:04:45].
John Verry (04:45):
In fact, I was just on with a guy who does IoT development. We were trying to do some testing for them. And he also mentioned pinot, and what I always say to someone, and maybe you’re going to be the one who solves my problem, is a good Pinot Noir is phenomenal. The problem is I can’t afford the ones that I like to drink. I mean, anything that’s under 20 bucks, at least in our area, is kind of thin and it’s like I’d rather have a $13 Cab.
Leah McGrath (05:11):
I actually agree with you on that. Probably at home, I’m drinking a Cab more often. But when I’m out I’m [crosstalk 00:05:17].
John Verry (05:17):
Especially yeah, if you can get through a 40, really more $50 bottle of Pinot, they all are just outstanding.
John Verry (05:28):
I’ll have a glass of wine most nights and it’s just hard to go through a $50 bottle of wine [inaudible 00:05:33]. We’re going to have to sell a few more StateRAMP engagements or something to get there.
Leah McGrath (05:40):
Well I’m working for a nonprofit, so I’m not sure.
John Verry (05:42):
I’m surprised you even mentioned Pinot then. All right, so let’s get to what we’re here really to talk about is StateRAMP. So let’s start simple what is StateRAMP?
Leah McGrath (05:56):
So StateRAMP is, as I mentioned in my mouthful of a description as to what I do, a nonprofit that was created over the course of the last year to year and a half by a series of conversations had with state leaders in state government, CISOs, CIOs, procurement officials, privacy officials, coming together with private industry and subject matter experts to recognize, hey, there’s a challenge, states and local governments are under attack when it comes to cybersecurity. And they need assistance with managing third-party risk and managing it in an effective way.
Leah McGrath (06:36):
From the private sector perspective they’re saying, “Hey, just don’t create 50 different FedRAMP versions.” So how do we do this together? How do we create a process for cybersecurity verification of cloud service providers that can really help all stakeholders, and by doing so lift the cyber posture of state and local government and the providers who are serving them.
Leah McGrath (07:02):
And so it was really a discussion around, there’s a challenge, everyone’s facing it. And because everyone’s facing the same challenge, maybe there’s an opportunity to create a shared service model. And so we spent most of 2020 really kind of bringing together great minds, I just had the benefit of being a fly on the wall, facilitating conversations but-
John Verry (07:23):
I thought you were being a little self serving there.
Leah McGrath (07:25):
Well exactly, great mind. Not mine.
John Verry (07:31):
And cyber’s at the forefront, I was at the forefront of this group of great minds.
Leah McGrath (07:33):
Right, exactly. I had the benefit of just helping facilitate the discussions to ask what if, what if we came together? What would it look like? How could it work? And what was created was the idea of StateRAMP. And so StateRAMP really is just that. It brings state and local governments together with the cloud service providers who offer or utilize a SaaS, IaaS or PaaS solution to serve government. And it gives them a path to validate their cloud security in a standardized way. So it is based on NIST, the National Institute of Standards and Technology cybersecurity framework, specifically NIST 800-53.
Leah McGrath (08:14):
And it’s modeled in part after FedRAMP, so the steering committee did look quite a bit at FedRAMP in that process for verification, both to see how it could be leveraged, but also how it could be optimized to serve state and local government.
John Verry (08:28):
So if I were to oversimplify, how far off would I be if I said StateRAMP is FedRAMP for states or SLED as I think [crosstalk 00:08:40].
Leah McGrath (08:40):
I think that’s not an oversimplification. I would add, it’s designed to be a little more user-friendly for states and local governments [inaudible 00:08:51] provider.
John Verry (08:51):
That would be good. Yes, FedRAMP is a great program. I give them a lot of credit. But there is a lot of complexity. There’s a lot of moving parts. It’s a very choreographed dance. And one of the questions, so you talked about some of the drivers, and I think the drivers are great. The states want secure cloud solutions and this is a way to standardize that, which is good for business and is good for the states. I want to ask this question the other-
Leah McGrath (09:16):
You said that much better than I did by the way John.
John Verry (09:19):
You’re welcome to use my sound bite all you want. So the other thing that I wonder if this was one of your drivers, because I’ve had this complaint from customers, they’ve come to us and said, “I’m being asked for a FedRAMP ATO by a state. And a state can’t sponsor? They can’t do an agency ATO for FedRAMP. And they said that they can’t get into the FedRAMP JAB PMO process, the JAB GSA normal front door entrance, because they don’t have letters of intent from federal agencies. So is that also part of the [crosstalk 00:09:56].
Leah McGrath (09:56):
That’s really the heart of it because we actually did see states and local governments, some of them start saying, “Hey, we’re just going to require that in the RFP or the contract terms that the provider have a FedRAMP ATO.” But what you just outlined is exactly why you can’t do that. If a state or local government does require that they’re limiting the pool of opportunities, which is not the desired impact.
Leah McGrath (10:21):
And so, if we’ve got listeners who don’t know, in order to maintain or even start, as you said, to maintain a FedRAMP ATO that provider must have a minimum contract and maintain a minimum contract with a federal agency for that offering. And those can be difficult to come by. But we know that there are many providers out there who serve state and local government, who have no intent of serving federal government and so this offers all the providers a path in that door.
John Verry (10:51):
Yeah, I think that’s going to be hugely valuable. Because I have heard a number of people complain about that. So when we think about FedRAMP, the first question that I typically ask someone is, hey low moderate, or high security categorization? Do you use the same model that they use in FedRAMP?
Leah McGrath (11:11):
We do. So you can find our baseline controls, and also a data classification tool that serves as a sort of Cliff’s Notes data classification and categorization tool, at stateramp.org/documents. But we really tried to align the impact categories similarly, with low, moderate and high. Now what you’ll see when you’re looking at that is we’ve also developed a category that you might see as category two, or it’s a low plus option.
Leah McGrath (11:41):
And that’s something that we’re going to be really investigating further over the course of the next year, but trying to identify what are the needs for states and local governments? And how do we provide options that align with those needs? And so that’s what that low plus option may be, but we’re going to be doing a little more research and investigation around that.
John Verry (12:03):
So it’s more like Goldilocks and the three bears, low’s not quite right, moderate a little bit hard, a little bit soft, a little too warm, a little too cold, a little too hot, get it just right in the middle. Okay. So with FedRAMP, the goal is to get what we refer to as an ATO, and we have two ways of doing that. We can go through an agency, which unfortunately right now is the way you almost need to get in because the JAB is so jammed.
John Verry (12:26):
And then you’ve got the JAB GSA route. Is your program going to work similarly? Like if I’m listening to this, and I want to be… And I don’t think you use the term ATO, I think you use a different term. We’ll get to that later. But if I want to be the equivalent of ATO, what do I do, or what’s the process?
Leah McGrath (12:40):
So we have a couple of paths, it was really important to the steering committee that there was an option that would say, “Hey yeah, I’m StateRAMP verified,” in some manner that didn’t require a government sponsor. So we have an option that is called StateRAMP Ready. And that similarly to [crosstalk 00:12:59]. It says hey, you meet the minimum requirements, you don’t have to have any kind of contract existing, or to have a government sponsor, and you can be listed and there is continuous monitoring required to maintain the authorization of StateRAMP Ready.
John Verry (13:17):
Okay, good. So to get to that ready, does that mean that I need to have… I think and I hope I’m not mistaken this, but the way I understand that it works is that I would engage a 3PAO, they would conduct the test, they assert that I’m ready. But what it means is that the government agency or the JAB GSA or in your case StateRAMP has not yet reviewed the package. Is that what that means?
Leah McGrath (13:41):
So ready would mean that there is a 3PAO, who’s conducted a StateRAMP readiness assessment report, a RAR [crosstalk 00:13:50]-
Leah McGrath (13:51):
… the readiness, so we are using very similar.
John Verry (13:53):
You guys are using the same.
Leah McGrath (13:53):
Yep. Yep. Now [crosstalk 00:13:55].
John Verry (13:55):
A RAR is readiness assessment report.
Leah McGrath (14:00):
Readiness assessment report, the RAR is. And so in our case, the PMO would review that documentation to ensure that yep, they comply with the requirements and our requirements, to be ready, you can read if you go to stateramp.org/documents, there’s a document there, that’s called the Minimum Mandatory Requirements for ready and it’s really specific. So one of the things, this is I think a good example of a document that really showcases one of the ways that we’re going to try to be a little bit different than FedRAMP in our documentation is to try to take out guesswork where there’s ambiguity and be really clear about the requirements.
Leah McGrath (14:35):
But to allow for flexibility in how a provider may demonstrate compliance with those controls. And so you can see a little bit of guidance given in that document, and we’ll be iterating that over time to provide more guidance, but that document really stipulates, hey, here’s what’s required to meet the minimum mandatory requirements. And those are the same for every impact level.
Leah McGrath (14:57):
So across impact levels, these are the requirements and so you can be listed StateRAMP ready once you’ve had that 3PAO’s RAR report, the PMO has reviewed it, and you’re listed as ready. Now to be authorized, that status does require a government sponsor. But it works a little bit differently in StateRAMP than it does for FedRAMP. So the difference is that we have a program management office, our PMO is really that centralized single source for the service providers.
Leah McGrath (15:29):
So we’ll have a secure portal, they would upload their documentation, the PMO would do that initial review, and then provide kind of the PMOs recommendations to the government sponsor, who would also do a review and kind of sign off, say, “Yep, we accept the PMOs recommendation, or we reject it, or we may have recommendations for modification.”
Leah McGrath (15:54):
The reason to have that PMO review initially is to ensure there’s a consistent application of standards. And that was something that was important to the steering committee, when you’re thinking about how do we validate security for all states, where different states, just like different agencies, have different levels of maturity around cloud security and third-party management, but they also have different appetites for risk.
Leah McGrath (16:22):
And so having the PMO’s kind of consistent review, that is important, or the steering committee felt that it was important, to give assurances to other states and local governments who want to leverage that validation.
John Verry (16:36):
So question for you. So one of the things you hear through the grapevine is that the JAB GSA route of going right the front door is a more challenging route to go. And the reason is that they I think have a higher degree in their minds of accountability because once they approve somebody and put them on the shelf, there’s a presumption that when somebody goes to that shelf that they’ve been vetted for broad use cases, right?
John Verry (17:02):
So will you have the same challenge with a central PMO? So does your PMO look at this and say, “Yes, they meet this standard.” And then should any state entity or local entity, SLED entity, be able to go and look at that and say, “Yep, we can trust that?” Or is it more like an agency ATO, where in an agency ATO you’re kind of on the shelf, but for another agency that pulls it off the shelf, there’s sort of a caveat emptor to it. And there’s an expectation that they’re going to look at their specific requirements and make sure it works. They’re not going to initially trust the other one.
Leah McGrath (17:35):
I think the answer is yes to both scenarios. I think you will see states and local governments utilize that validation in different ways. But the goal with StateRAMP is that we’re going to be able to make visible the cyber posture of these different offerings for states and local governments, so that they can make risk-based decisions that are right for them.
John Verry (17:57):
Okay. So the goal is that you’ve standardized them to a certain level or validated them to level X-
Leah McGrath (18:03):
To a baseline.
John Verry (18:04):
Baseline. Okay, good. And then the expectation is that the agency is going to review the PMOs recommendations based on their unique context to determine whether or not there’s anything additional that might be required.
Leah McGrath (18:18):
That would be the goal.
John Verry (18:19):
That means it’s ideal.
Leah McGrath (18:20):
That’s ideal, right? And if there are additional requirements, we’re in a position where we’re going to be saying, “Okay, why?” Because we’d like to be able to document that, so that if we start seeing, hey, there’s a cluster every time states are utilizing this system for fill-in-the-blank purpose, maybe that’s something we could standardize as well. So we’re going to be gathering data when there are those differences or unique requirements, so that over the course of time we can find where there’s commonality across states and local governments.
John Verry (18:57):
Yeah, like one place I think it’s logical to assume that you’re going to start to see those would be personally identifiable information. Like the PI laws, you’ve got VCDPA now in Virginia, CCPA, CPRA. I think that’s likely the place where you’re going to see it, because that’s where I think there’s going to be some unique requirements. If we get lucky, we’ll get a federal reg before we have 50 state regs, which would be miserable for all of us.
Leah McGrath (19:23):
I know that’s desired by many to see the more standardized, I think the other area where we hope to see some commonalities is in CJIS where there are CJIS requirements. Right now you see some variances between states and different agencies and how they’re kind of interpreting or passing down those requirements. So we’ll be looking at that as well.
John Verry (19:48):
Right. And just to make sure I and whoever else is listening is following along CJIS is Criminal Justice Information Systems.
Leah McGrath (19:55):
Yes. That’s it.
John Verry (19:57):
So that is data that goes across all of the court systems, the law enforcement, the penal, the prisons. In a previous life I did work in the criminal justice system. So I know a little bit more than I want to know about.
Leah McGrath (20:12):
So you’re familiar?
Leah McGrath (20:14):
Familiar not be dangerous.
John Verry (20:15):
Yes. You just described me in every subject that I talk about, including Pinot Noirs by the way.
Leah McGrath (20:22):
There you go.
John Verry (20:24):
All right. Cool. So we talked about the process. So would it look the same… If I’m out there, and I want to become, we might as well jump to. You’re not using the term ATO, you’re using the term AVL. Correct? What does that stand for?
Leah McGrath (20:39):
Oh, sure. So our authorized vendor list is very similar to if you’ve seen FedRAMP’s marketplace, our authorized vendor list will be something similar, where we plan to publish our first authorized vendor list this summer. And it will be a listing of the different companies and their offerings and the impact level, those that are either in the process to be authorized or have some kind of security status. So we do tend to refer to them as security statuses of StateRAMP ready, or StateRAMP authorized for example, so that’ll be a list, that will be public.
John Verry (21:16):
Okay. And is there any use of that ATO authorized operator or is it a just AVL?
Leah McGrath (21:19):
We tend to just say AVL or authorized. So a letter of authorization. The ATO is really, and the reason I can kind of talk a little bit about that is because the PMO is saying, “Hey, we’re going to verify that this provider is at this security status, we would consider them authorized.” That ATO to operate is really up to the state [crosstalk 00:21:42].
John Verry (21:44):
That’s actually a really good way to do it. It is a better differentiation, because it makes, if you go back to NIST SP 800-37, which is really the C&A process all this is theoretically following, that the authorizing agent should be the final person to sign off, who’s the person whose data it actually is. So technically I actually like your model-
John Verry (22:05):
AVL is you’re approved-
Leah McGrath (22:08):
We’re going to say you’re authorized, we’ve said you comply with all of these requirements, and then it’s up to you-
John Verry (22:13):
Up to you to authorize them to operate. Well done. I like that.
John Verry (22:18):
That is cool.
Leah McGrath (22:19):
I cannot take credit for it. Again [crosstalk 00:22:22].
John Verry (22:29):
I just want to know where my invite was.
Leah McGrath (22:30):
I know. Now that we know one another.
John Verry (22:39):
So the process is, so let’s say I’m sitting there and I say okay, I want to be AVL. What do I do? Who do I contact? What does that process look like to get there? Do they call you?
Leah McGrath (22:48):
They’re going to go to stateramp.org. And next week, so it’ll be mid-May for those who are listening, it’s in mid-May of 2021, we will be opening up our provider membership applications. And so, StateRAMP as I mentioned is a nonprofit, we’re organizing as a 501(c)(6) organization, that means we’re a membership organization. And so we have a couple different membership categories, one is for government, and the other is for the service providers.
Leah McGrath (23:21):
And so the first step to be able to be listed on the authorized vendor list is to join StateRAMP as a member, it is $500 for the provider, for the organization, so if you have multiple offerings, you’re going to join as an organization. And then once you join as a member, it’s going to give you access to education and resources. And that’s a library that we’re going to be building over time. I’m excited about where we’re starting, but it’s just going to get better.
Leah McGrath (23:50):
And then also access to those security templates, and so once you are a member, then you’re going to want to engage a third party assessing organization. And those are 3PAOs. The steering committee really wanted to leverage the 3PAO community that FedRAMP already recognizes so to be a StateRAMP 3PAO, you just have to be a FedRAMP 3PAO and then register on our site, so we know it.
Leah McGrath (24:17):
And so we actually have listed, if you go to stateramp.org you’ll see a list of assessors who are already registered to be StateRAMP 3PAOs. So you’re going to want to contact a StateRAMP 3PAO and think about at what impact level and where you want to start in the process. You don’t have to be StateRAMP Ready before you’re StateRAMP Authorized. If you’re ready to go for the full security assessment, that security assessment report or SAR, you can do that. If you’d like to step into it, that’s what StateRAMP Ready is for.
John Verry (24:49):
That makes sense. And thanks for covering the whole 3PAO issues.
John Verry (24:52):
One of the questions that I was going to ask you. You are one of those great minds clearly.
Leah McGrath (25:00):
There you go.
John Verry (25:00):
Thinking ahead. So with regards to FedRAMP, if I’m already FedRAMP ATO’d is there any type of a reciprocity because in theory, these programs are super close to each other?
Leah McGrath (25:10):
Yeah, so I’ve started calling it John the FedRAMP fast track.
Leah McGrath (25:15):
Thought that sounded, yeah.
John Verry (25:17):
StateRAMP fast track.
Leah McGrath (25:18):
Well it’s a FedRAMP fast track in-
John Verry (25:20):
To StateRAMP, okay there you go.
Leah McGrath (25:22):
There you go. I got to finish that statement, don’t I? So it’s StateRAMP fast track for FedRAMP ATO
John Verry (25:28):
There you go. [crosstalk 00:25:29]. I like that better.
Leah McGrath (25:31):
I like that.
John Verry (25:31):
But I’m not a marketing person. I’m not a great mind, or else I would have been at your meeting.
Leah McGrath (25:38):
So there is a process for that. And for providers who already have a FedRAMP Ready or ATO or P-ATO status, there is a process, and joining StateRAMP as a member is the first step. And then the second step, instead of calling a 3PAO, you’re going to schedule a call with our PMO office. And that involves you participating in a video call with the PMO, you’re going to talk about the boundary, your data architecture, and then you’re going to share the FedRAMP security package and your most recent continuous monitoring reporting in that call with the StateRAMP PMO.
Leah McGrath (26:21):
And there’s an opportunity to redact, of course, if there’s federally protected information that’s really specific to an agency or an agency ATO, you’re going to redact that information. And then there’s a secure portal that, that can be uploaded into, for the PMO review. And that’s the process so that there’s no new audit required, but that video call and that kind of process and conversation and redaction really is what allows the PMO to authenticate the documentation and also make sure that it’s usable by states and local governments or educational agencies.
John Verry (26:59):
And I’m assuming that in order for reciprocity, we’d have to have identical scope, basically. It’s got to be the same-
Leah McGrath (27:06):
It’s got to be relevant to yes. And when I say usable, it could be usable or relevant or applicable to that same scope.
John Verry (27:13):
Okay, good. And then just circling back on one quick thing. So within FedRAMP, we’ve got the 13 or so core documents that somebody has to populate. And there’s a requirement to use the templates that are provided by them. Are you using the same model, are you using… I did look at some of your documentation, it looks new and improved. And-
Leah McGrath (27:36):
Thank you. You know what I cannot wait for you to see is, we’ll be publishing this at the same time we open membership. So here in the next few days, you’ll be able to see a matrix that is kind of a smart Excel spreadsheet, but it is very nice for, especially I think, the smaller to medium-sized CSPs, as their [crosstalk 00:27:58].
John Verry (27:59):
Because they struggle with the language of NIST 800-53. I think you used the term ambiguous before. And I would say that, yes, there’s some ambiguity that if you could reduce that even moderately, it would be very helpful.
Leah McGrath (28:14):
And that’s the goal. And I will say, the PMO and our steering committee aren’t doing it alone, we have a couple of standing committees that are comprised of a majority of state and local government officials, as well as subject matter experts in the private industry and assessing organizations. And so one is our standards and technical committee, and our standards and technical committee is chaired by Maria, I’m sorry, Dan Lohrmann, who is the former state security officer and technical officer for the state of Michigan, and was with the state of Michigan for I think almost 20 years.
Leah McGrath (28:49):
And now he’s with Security Mentor, and he was a member of our steering committee. And then the vice chair is Maria Thompson, who is the state risk officer for the state of North Carolina. But they’re joined by a number of other individuals. And you can see everyone who’s involved on our website. But that committee, the standards and technical committee, is really responsible for reviewing our policies, reviewing that documentation, seeing how it can be improved, as you mentioned, it can… Are there areas where we can further define or give guidance?
Leah McGrath (29:20):
And so we have just had tremendous support and advisement from some really great individuals. And then we have an appeals committee. And that appeals committee is also made up of a majority of state and local government officials with minority representation from the private sector, but that appeals committee is acting as the adjudication board. So if we do get into a question where a CSP says, “Hey, can I have an exception to this process requirement, and here’s my justification for it,” or maybe there’s a disagreement about a status recommended, that appeals committee will be the adjudication board to make the recommendation. So we’ve brought a lot of great minds together to help-
John Verry (30:02):
You keep going to that and you keep insulting me, you just-
Leah McGrath (30:05):
No. And John [crosstalk 00:30:06]
John Verry (30:07):
Just bang me over the head. How many times are we gonna go there with that? Enough with the great minds and not including me in the list okay? So question for you. Is your SSP conceptually very similar? And if I’m going to do StateRAMP, do I have to use your SSP template?
Leah McGrath (30:26):
So yes, there is a requirement-
John Verry (30:27):
I think it’s a good idea, I just want to make sure-
Leah McGrath (30:34):
It’s part of that allows the-
Leah McGrath (30:36):
… the automation and the standardization and so that’s really important. Now for the StateRAMP fast track option for those who have a FedRAMP ATO they can provide their existing documentation without having to translate it to StateRAMP templates. However, at time of annual audit, we are going to ask, “Hey, can you give it to…” Now that you know, you can plan ahead, please provide that into the StateRAMP templates and there’ll be different options to help translate and to help facilitate that process.
John Verry (31:03):
Got you. And similar other documentation requirements, the rules of behavior, incident response plan, configuration management, same general-
John Verry (31:10):
… at the end it’s the same concept.
Leah McGrath (31:13):
It’s based on the same framework.
Leah McGrath (31:16):
And so yes you’re going to see, it’s going to look familiar, I hope that as you evaluate these, you’ll see them new and improved as well, like you’ll have that feeling. But generally, they’re very similar. We are working on pulling together, so when we publish the templates and resources, you will see sample policy documents, sample procedure documents, really trying to help meet the service providers where they are, to help get that process started.
John Verry (31:41):
And I think it’s going to be more necessary as well, because I think a lot of the service providers that service SLED are not as large and as significant, they’re not the Fortune 500 firms of the world-
Leah McGrath (31:55):
Every meeting we had discussed that very point, how do we… And it’s truly about, how do you balance, I’m going to say business-friendly, or user-friendly with the integrity of the security validations.
Leah McGrath (32:11):
It’s a balance, and we’re going to have to work, there’s going to have to be, I think, a lot of patience on all parties’ sides, as we get started. I think we have a good framework, there’s been a lot of thought and intentionality around developing for state and local governments and for the providers you just described something that’s attainable, but we’re at version one. And I think as we get started, we’re going to see what works, we’re gonna see where we need to improve, and we’ll keep iterating to get it right and to serve all the stakeholders.
John Verry (32:45):
The challenge you’re going to run into is that you want to be business friendly. And I think that’s great that you say that, and we don’t want to wipe out small business. But the flip side is we need this data to be held to us.
Leah McGrath (32:59):
We need to be secure.
John Verry (33:00):
Right. We need to be held to a higher standard. And I know so many clients that service the… Not necessarily the state level. But we do business with, I don’t know, maybe 190 municipal entities. And I look at the way that, like where I pay my taxes for the website, I know the company behind it, and I dread going on there and putting in my information, because I know enough to know, I don’t think that they know what they’re doing. And I know the people that do, for like 100 New Jersey municipalities, they do payroll, and I know through some stuff that they might not be as secure as we would ideally like them to be. And so they’re going to struggle with this, but the flip side is, we need them to get more secure.
Leah McGrath (33:45):
We need them to get more secure. And would you go to a doctor who didn’t graduate from medical school? And I think that-
John Verry (33:51):
Hold on a second, you realize 50% of the doctors graduate in the bottom half of their class, right?
Leah McGrath (33:56):
Okay, fair enough, but at least they passed the exam. And there’s continuing ed requirements.
John Verry (34:02):
And they weren’t great minds, the ones at the bottom half, I’m going to tell you that.
Leah McGrath (34:05):
We don’t know that. I’ve got three kids and I like to have one of each kind. I think that’s a shift when it comes to policymaking and having to say, it’s the balance that states and local governments are having to strike too, is that question of what’s more important. And when you think about a data categorization tool, or a data classification tool, I remember, as we were working on developing this questionnaire that helps point you to different impact levels, I was listening to the conversation, and I remember someone saying, really what you’re asking yourself as a government official is how embarrassed will you be if there’s a breach? How embarrassed will you be? What is the harm it will do to the integrity of your agency or of your state or of your local government?
Leah McGrath (35:04):
Because that’s really what we’re talking about and so if it’s a system that, maybe you won’t be very embarrassed, then that’s where you might start kind of bringing in these kind of smaller companies and helping them mature. But I think if you’ve got confidential data and you’ve got PII, or what you’re talking about with financial transactions occurring, then I don’t think we should trust just anyone with our systems and I think that’s the shift.
John Verry (35:35):
You just made me think of something which I never thought of before, that the risk tolerance in state and local government is lower than the risk tolerance in the federal government, at least in my opinion. Because I’ve been part of risk assessments in major US cities. And literally, when we were talking about the impact criteria, we were writing, one of the highest level was called above the fold.
John Verry (36:04):
And it was the, and I won’t say the city, but it was the major paper in the city and like it was a paper that folded in half, and something that was above the fold that would end up [inaudible 00:36:13] above the fold was their biggest risk. That’s exactly right. And another risk assessment for a small city, we were using dollar, I tried to get them to use dollar values for impact criteria. And the guy said, I said, “What’s a high risk?” He says, “One cent?”
John Verry (36:27):
I said, “No, no, your budget is…” I don’t know what the budget was $100 million or something like that. I said, “One cent is not material?” He says it sure as hell is. He was a Democrat. He says if the Republicans can find that I’m one cent off, I may lose in my next election term. So they are so much more risk tolerant. That’s a really interesting thing. I wonder how that will influence StateRAMP-
Leah McGrath (36:51):
That’s really interesting.
John Verry (36:52):
… where you don’t see that same issue with FedRAMP?
Leah McGrath (36:53):
Well, I think that’s true. It makes me think of the old adage, when you were talking like the government closest to the people is the government closest to the people. And so when your neighbor is the city councilman, there’s a different type of accountability that occurs. And so I think that that can go both ways. But I think states and local governments are very aware of the risks and the challenges. And I think that what they haven’t had until StateRAMP came along is a solution that’s viable for them.
John Verry (37:29):
I agree. Listen, when I saw what you guys were doing, that was why I reached out, I said, “This is exciting. Somebody gets it. I’ve heard about this problem.” I mean, you’re solving a massive problem in my opinion. So I think this is awesome. You’ve done a really good job of getting through my questions. No, this is good, not bad. So once I achieve my StateRAMP AVL, is there a continuous monitoring annual 3PAO review, like there is in FedRAMP?
Leah McGrath (37:58):
There is. And I think the continuous monitoring is a real difference maker when we talk to states and local governments. I’ll talk on that side for a moment and then I can talk about what the [inaudible 00:38:06] looks like for providers. But what we’ve seen and heard, as we’ve had these discussions from states and local governments is a lot of them are trying to figure out how to manage risk now.
Leah McGrath (38:18):
And so they will require, have one-off procurement requirements or during contract negotiations they’re saying, “Hey, I need your SOC 2 report,” or whatever the validation measurement or metric is that they can attain or they can reach toward, but there’s a recognition, especially when we’re talking about cloud security, that those reports or audits they’re receiving are one moment in time. They’re a one-moment-in-time look, and we know that digital offerings and cloud is dynamic. It’s being iterated every single day with [crosstalk 00:38:55] SaaS especially, I mean, that is just…
Leah McGrath (39:00):
And so the shift, we talk a lot about this, the heart of StateRAMP is education. And so the shift that we’re talking about is this shift in mindset around state and local government, especially to shift to a mindset around cybersecurity that’s one of continuous improvement, and continuous monitoring. It’s fluid. You’ve got to manage that day by day. And so I think there’s been that recognition.
Leah McGrath (39:25):
But when you talk about the continuous monitoring, that’s the real difference maker for states and local governments to say, “Aha, not only do I have this audit, this one moment in time, but there’s continuous monitoring required to maintain that status in StateRAMP just like there is in FedRAMP.” And so the continuous monitoring reporting is similar. It goes through the PMO. And then those activities, if there’s a situation, are going to be remediated at the PMO level, they can be raised to the appeals committee if needed. Again, if there’s some kind of disagreement or a situation that merits it. But then there is an annual audit required similarly to FedRAMP.
John Verry (40:06):
Okay, one of the questions I was going to ask you with regard to that, so in FedRAMP, the audits cost a little bit less, and as to the initial certification or if somebody is already living in a FedRAMP ATO’d environment. So like you absorb the controls from-
Leah McGrath (40:25):
You inherit the controls based on your… Yes, exactly. That is [crosstalk 00:40:30].
John Verry (40:31):
I was just going to ask you have you also gone to Amazon, and have you also gone to Microsoft, are they going to have their like, normally with FedRAMP, you can grab their copy of the FedRAMP SSP, because it already has their ATO listed in those… Same concept?
Leah McGrath (40:48):
As we get started, there may be, and we have had conversations with all of those that you would think of. So what you may see if they are kind of in process, so let’s say we have a SaaS who kind of gets in front of, before, maybe they’re on an Azure environment, then what could happen is they may be given what’s called a provisional status with a note, that way they don’t have to go through that, right? Until [crosstalk 00:41:14].
John Verry (41:15):
… you should be able to map the FedRAMP control to the StateRAMP control, and know it’s actually there. Okay, until you have that formal agreement in place.
Leah McGrath (41:22):
Until we have the formal agreement.
John Verry (41:26):
That’s good, that’s really good. Because that is a significant value prop to using one of the ATO’d environments is that you absorb depending upon which like on a moderate security categorization might be like 17 to 20% or so of the controls, which is-
Leah McGrath (41:42):
And we note that too in our documentation, and I think it’s also in the matrix of controls that you’ll see. So it’s helpful, I think, for providers here [inaudible 00:41:51] into this, to understand that, especially the SaaS providers that are getting into that.
John Verry (41:58):
So you mentioned that there’s a $500 fee to join. Other costs that are in play?
Leah McGrath (42:03):
There are. So it’s $500 to join StateRAMP the nonprofit and then, as a member of the organization, there are PMO review fees that are paid by the service provider. And it’s really depending on the activity level, so if you are requesting a review of a ready packet to become StateRAMP Ready, that’s a little less than the full security packet. So that’s $2,500 that the service provider pays to the PMO.
Leah McGrath (42:33):
If it’s full authorization, that’s $5,000. And then ongoing annually, so every year when you’re submitting that annual audit, you would pay $5,000 for that continuous monitoring activity and that annual authorization.
John Verry (42:45):
Got you. And does it differ if it’s low moderate, or low, what was your… Low medium low [crosstalk 00:42:50].
Leah McGrath (42:50):
That’s a really good question. So not at this time and we’ve had a lot of discussion around that [crosstalk 00:42:55].
John Verry (42:56):
To be honest you should. I mean a high security categorization.
Leah McGrath (43:00):
We talked about that.
John Verry (43:00):
I don’t know where you’re going to land but on FedRAMP, it’s 425 controls versus 325 of moderate, versus what is it 110? I can’t remember how many is it low, but either way, it’s three and a half times the level of work to look at a high than it is a low. So charging more for that makes total sense to me.
Leah McGrath (43:21):
It does. One of the things that we’ll be doing this year, and we’re very transparent, these are… We kind of put our best foot forward with these fees [crosstalk 00:43:31] and then we will, yeah I think we’re going to know more in a year from now than we do to… Actually, in every meeting I’ve had I started saying, “We know more today than we did yesterday.”
John Verry (43:46):
And the day you stopped doing that is the day that we throw dirt on your coffin.
John Verry (43:50):
Exactly. All right, so you did a fantastic job. And I think you covered all the things on my list. Anything we missed from your perspective, any last points to add?
Leah McGrath (43:58):
I don’t think so, we’ve covered so much. But I will say if you’ve not signed up to receive-
John Verry (44:16):
In a short period of time, by the way, you were very efficient.
Leah McGrath (44:16):
Well, yes, I appreciate that. I pride myself in that. I was sort of chuckling as you said that. If you’ve not signed up to receive updates, that’s the best way to do it, go to stateramp.org and there’s a place where you can sign up to receive updates-
John Verry (44:23):
I got to go there now.
Leah McGrath (44:23):
… or you can email me directly at Leah@stateramp.org or email@example.com. I’ll probably see that too. But reach out, I mentioned that I’m really proud of the work that’s gone on with those supporting it, with individuals like you John, I’ll throw you into the mix of great minds, but all of those board members, our steering committee-
John Verry (44:44):
Oh, you shouldn’t have.
Leah McGrath (44:45):
… our standing committee, John. Every call we have I walk away with a new nugget that I take back to the team and I think that I’m really excited with how we’re starting. But I get even more excited when I think about where we can go. And I think I would just ask for everyone’s input. Don’t hesitate. If you get into this and you see an opportunity to improve something, we want to hear it, if you like the way something works, I want to hear that too. But be engaged. And we’ll have lots of opportunities for member engagement and feedback sessions. And so I hope that individual support and help make this what I think it can be.
John Verry (45:27):
I think it’s a fantastic program that is definitely needed. And I think it’s going to be a huge success. And I’m amazed at what you guys have accomplished in a short period of time. I mean, to go from a thought in someone’s mind to an actionable program in 18 months is remarkable. So congratulations on your success.
John Verry (45:46):
All right, so I hope you prepared because I’ve had some horrible experiences with this question.
John Verry (45:53):
I’m going to ask it. So give me a fictional character, or could be a real person that you think would make an amazing or horrible CISO, and why do you think so?
Leah McGrath (46:00):
So the first thing that came to mind when you asked that question, or you mentioned it before, for me was a horrible person. And it was the manager in the old movie Office Space-
John Verry (46:13):
One of my favorites.
Leah McGrath (46:13):
… who asked for the TPS report. [crosstalk 00:46:16] I haven’t seen it in years [crosstalk 00:46:18].
Leah McGrath (46:24):
Did that really well.
John Verry (46:27):
I literally just watched that… God is my judge. What is today, we’re recording on a Monday. I think it was last like Thursday night, my wife is a voracious reader and very rarely does she not have a book she’s in the middle of and she’s like, “I can’t find a book.” And Office Space was on and she’s like, “I think we’re watching this.” And I watched Office Space last Thursday night with Milton and a young Jennifer Aniston. It’s one of my favorite movies.
Leah McGrath (46:57):
I know man. It’s great. But-
John Verry (46:59):
I’m trying to remember his name, though.
Leah McGrath (47:01):
It’s just the manager [crosstalk 00:47:02]-
John Verry (47:01):
I just watched it.
Leah McGrath (47:05):
… report manager. But I think he’d just be horrible in all sorts of situations. But I think especially as a chief security officer, because he was just so rigid in the way things had been done. And I think chief security officers have to have, oh, gosh, they’ve got to have the technology acumen, the business acumen and then be great communicators, and be adaptable to the new situations that are coming at them every single day. It’s a hard, hard job, and he seems like the anti [inaudible 00:47:39].
John Verry (47:39):
By the way-
Leah McGrath (47:42):
Did you find his name?
John Verry (47:43):
Yeah, I did. You could tell I was looking at him, couldn’t you?
Leah McGrath (47:44):
Oh my God.
John Verry (47:44):
Because he was driving me crazy. Bill Lumbergh.
Leah McGrath (47:48):
There you go. That’s it.
John Verry (47:49):
Because you remember like he gets bumped down when he finds out that Jennifer Aniston slept with Lumbergh but it was actually a different Lumbergh.
Leah McGrath (47:58):
I didn’t remember that exact scene, but now I do. No, I do.
John Verry (48:02):
Yeah. Listen, I love that one. That was one of the better ones. I’ll remember that.
Leah McGrath (48:07):
Oh good Lumbergh.
Leah McGrath (48:09):
Got it. We could make that a verb. Don’t be a Lumbergh or don’t pull a Lumbergh.
John Verry (48:18):
Would he have been invited to the Great Minds Meeting?
Just checking. So we’ll say our farewells here. You already mentioned how people get in touch with you and StateRAMP so any other ways of doing that or are those the best ways?
Leah McGrath (48:33):
You can follow us on LinkedIn, we’ll be starting a Twitter handle soon. So kind of find us there. But if you go to stateramp.org that’s probably the best kind of one stop to get connected place and then reach out.
John Verry (48:45):
Well, this was awesome. Thank you so much for coming on.
John Verry (48:48):
I really, really appreciate it.
Leah McGrath (48:52):
That was a lot of fun.
John Verry (48:53):
That’s only because you got to bust my chops for 35 minutes or whatever it was.
John Verry (48:57):
Do you want to remind me one more time, I wasn’t invited to the Great Minds Meeting just before we get…
Leah McGrath (49:03):
Maybe next time John, maybe next time.
John Verry (49:06):
I won’t wait for the invitation let’s just say that.
Leah McGrath (49:08):
There you go.
Narrator (Intro/Outro) (49:11):
You’ve been listening to the Virtual CISO Podcast. As you probably figured out we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.