July 7, 2021

Last Updated on January 15, 2024

The new, nonprofit-based StateRAMP program offers state, local and education (SLED) government organizations and the cloud vendors (CSPs) looking to do business with them a standardized, streamlined path to cybersecurity verification for cloud-based offerings.

To unveil everything that SLEDs and CSPs need to know about StateRAMP, Executive Director Leah McGrath joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.

Leah explains that StateRAMP Verified offerings need to undergo continuous monitoring in addition to an annual third-party audit, similar to the US federal government’s FedRAMP program.

Why Continuous Monitoring is Key for SLEDs

“I think the continuous monitoring is a real difference maker when we talk to states and local governments,” Leah comments. “What we’ve seen and heard as we’ve had discussions with state and local governments is a lot of them are trying to figure out how to manage risk now.”

Leah continues: “So during contract negotiations they’re saying [to CSPs], ‘Hey, I need your SOC 2 report,’ or whatever the validation measurement or metric is. But there’s a recognition, especially when we’re talking about cloud security, that those reports or audits they’re receiving are a ‘one moment in time’ look. And we know that digital offerings and cloud is dynamic. It’s being iterated every single day—with SaaS especially…

“The heart of StateRAMP is education. The shift that we talk about a lot is this shift in mindset around state and local government cybersecurity to one of continuous improvement and continuous monitoring. It’s fluid. You’ve got to manage that day by day. And so I think there’s been that recognition.

“When you talk about continuous monitoring, that’s the real difference maker for states and local governments. To say, ‘Aha! Not only do I have this audit, this one moment in time, but also there’s continuous monitoring required to maintain that StateRAMP [Verified] status just like there is in FedRAMP.

“And so the continuous monitoring reporting is similar [to FedRAMP]. It goes through the [StateRAMP] Program Management Office (PMO). Then these activities, if there’s a situation, are going to be remediated at the PMO level. They can be raised to the appeals committee if needed; if there’s some kind of disagreement or a situation that merits it. But then there is also an annual audit requirement similar to FedRAMP,” Leah clarifies.

What’s Next?

Security and business leaders with SLEDs and CSPs can quickly get up to speed on “all things StateRAMP” by listening to this show with Leah McGrath, StateRAMP Executive Director.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.