Last Updated on July 2, 2021
For state, local and education (SLED) government organizations and the cloud service providers (CSPs) that want to serve them, the new StateRAMP program meets a huge need for trusted security verification of cloud-based offerings.
To share everything that CSPs and SLED orgs need to know to take advantage of StateRAMP, we invited StateRAMP Executive Director Leah McGrath to join a recent episode of The Virtual CISO Podcast. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
Like the US federal government’s FedRAMP program, StateRAMP offers a choice of paths for CSPs to achieve verification.
Becoming StateRAMP Ready
Leah explains: “We have a couple of paths. It was really important to the steering committee that there was an option that would say, ‘Hey, yeah, I’m StateRAMP Verified,’ in some manner that didn’t require a government sponsor. So, we have an option that is called StateRAMP Ready. And that’s similar to FedRAMP Ready. It says you meet the minimum requirements. You don’t have to have any kind of contract existing, or have a government sponsor, and you can be listed. And there is continuous monitoring required to maintain the authorization of StateRAMP Ready.”
The key to the StateRAMP Ready process for CSPs is to have their offering reviewed by a third-party assessment organization (3PAO), which will issue a StateRAMP Readiness Assessment Report (RAR). StateRAMP’s Program Management Office (PMO) then reviews that documentation to ensure that the offering meets the program’s specific minimum mandatory requirements, which are the same for all the StateRAMP impact levels.
“This is a good example of … one of the ways that we’re trying to be a little bit different than FedRAMP in our documentation, to take out guesswork where there’s ambiguity and be really clear about the requirements,” Leah notes.
Becoming StateRAMP Verified
To move up from StateRAMP Ready to StateRAMP Verified, a SLED sponsor is required.
“We’ll have a secure portal where [the CSP] would upload their documentation,” says Leah. “The PMO would do that initial review, and then provide recommendations to the government sponsor, who would also do a review and sign off, saying ‘Yep, we accept the PMO’s recommendation.’ Or they reject it, or they may have recommendations for modification.”
“The reason to have that PMO review initially is to ensure that there’s a consistent application of standards,” continues Leah. “When you’re thinking about how to validate security for all states… which just like different [federal] agencies have different levels of maturity around security and third-party management, but also different appetites for risk. So the PMO’s consistent review is important to give assurances to other states and local governments that want to leverage that validation.”
Trust but Verify
But is that validation specific to the sponsoring entity’s use case? Or, like a FedRAMP Joint Authorization Board (JAB) provisional authorization, does it denote a robust cybersecurity posture across broad use cases? Is there a “trust but verify” expectation that other SLED entities will analyze the PMO’s validation against their own specific requirements?
“I think the answer is yes to both scenarios,” Leah offers. “I think you will see states and local governments utilize that validation in different ways. But the goal with StateRAMP is that we’re going to be able to make visible the cyber posture of these different offerings for states and local governments, so that they can make risk-based decisions that are right for them.”
“If there are additional requirements, we’re in a position where we can say, ‘Okay, why?’” adds Leah. “Because we’d like to be able to document that so that if we start seeing, hey, there’s a cluster [of additional requirements] every time states are utilizing this system for ‘fill-in-the-blank’ purpose, maybe that’s something we could standardize as well. We’re going to be gathering data, when there are those differences or unique requirements, so that over the course of time we can find where there’s commonality across states and local governments.”
Areas where state-specific requirements are likely include privacy and personal data protection, and the handling of criminal justice information under the FBI’s Criminal Justice Information Services (CJIS) Security Policy.
Once a cloud offering is StateRAMP Verified or StateRAMP Ready, it appears on StateRAMP’s Authorized Vendor List (AVL), which is similar to the FedRAMP Marketplace. But, as Leah points out, “The PMO is saying, ‘Hey, we’re going to verify that this provider is at this security status.’ But that authorization to operate is really up to the [SLED].”
Getting Started with StateRAMP
How do you get started with StateRAMP verification? First, go to stateramp.org for a membership application. StateRAMP is a 501(c)(6) nonprofit, which means it’s a membership organization. There are different membership categories for government entities and service providers.
The cost is just $500 for a provider organization, even if you intend to verify multiple offerings. This gives you access to a growing library of educational materials and other resources, including security templates to help with gap assessment.
You don’t have to become StateRAMP Ready before you start your StateRAMP Verified process. If you’re ready for the full Security Assessment Report (SAR), you can move ahead and contact an authorized 3PAO.
Becoming a StateRAMP 3PAO
How do assessment organizations become authorized to serve as StateRAMP 3PAOs?
“The steering committee really wanted to leverage the 3PAO community that FedRAMP already recognizes,” Leah relates. “To be a StateRAMP 3PAO, you just have to be a FedRAMP 3PAO and then register on our site, so we know it. If you go to stateramp.org you’ll see a list of assessors who are already registered to be StateRAMP 3PAOs.”
Business and security leaders in the SLED and CSP sectors should put this podcast episode with Leah McGrath, StateRAMP Executive Director, on their must-listen list.