July 1, 2021

Last Updated on January 19, 2024

State, local and education (SLED) government entities and the cloud service providers (CSPs) that serve them should all be aware of StateRAMP, a new nonprofit that validates the cybersecurity postures of SaaS, PaaS and IaaS offerings expressly for SLEDs. Based on the US federal government’s FedRAMP program, StateRAMP functions similarly but targets the unique security verification needs of state and local governments.

For an overview of the StateRAMP program and its security and business benefits for SLEDs and CSPs alike, a recent episode of The Virtual CISO Podcast features StateRAMP Executive Director Leah McGrath. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.

As Leah explains, StateRAMP has initially rolled out a “low/moderate/high” security categorization (impact level) model, with a SLED-specific twist that the organization plans to refine over time.

StateRAMP Impact Criteria

“You can find our baseline controls, and also a data classification/categorization tool that serves like Cliff Notes, at stateramp.org/documents,” Leah notes. “We really tried to align the impact categories [with SLED needs]. Similarly, with low, moderate, and high… what you’ll see when you’re looking at that is we’ve also developed a category that you might see as ‘Category 2,’ or as a ‘Low-plus’ option.”

As the simple Data Classification Tool document explains, due to the level of reciprocity between StateRAMP and FedRAMP, a StateRAMP Category 1 requirement is equivalent to a FedRAMP Low Impact, while a StateRAMP Category 3 requirement corresponds to the FedRAMP Moderate Impact criteria. Above that (e.g., for services that process, store and/or transmit criminal justice information, global trade data, federal critical infrastructure data, etc.), a FedRAMP High Impact verification is required.

StateRAMP Category 2

StateRAMP’s Category 2 is defined as “Aligned with FedRAMP Low Impact Control Baselines, with additional Moderate Impact Control Baselines for added security.” Further, “Category 2 is in development stages and is intended to provide flexibility for state and local governments.”

“[Category 2] is something that we’re going to be really investigating further over the course of the next year, in trying to identify what are the needs for state and local governments? And how do we provide options that align with those needs?” acknowledges Leah. “That’s what that ‘Low-plus’ option may be, but we’re going to be doing a little more research and investigation around that.”

If you’re a business or technical leader in the SLED sector, be sure to catch this podcast episode with Leah McGrath, StateRAMP Executive Director.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
