July 6, 2021

Last Updated on January 15, 2024

Are state, local, and education (SLED) government organizations more risk averse than their larger US federal counterparts? And does this bias affect key operational areas like vendor relationships and the selection of cloud services?

This line of questioning came up on a recent episode of The Virtual CISO Podcast featuring Leah McGrath, Executive Director at the new StateRAMP nonprofit. Hosting the show as always is Pivot Point Security CISO and Managing Partner, John Verry.

Are SLEDs More Concerned about Security Issues?

John observes: “The risk tolerance in state and local government is lower than the risk tolerance in the federal government, at least in my opinion. Because I’ve been part of risk assessments in major US cities. And, literally, one time when we were talking about the impact criteria we were writing, one of the highest levels was called ‘above the fold.’ [This referred to] a newspaper folded in half, and something [reported] that was above the fold was their biggest risk.”

John continues: “In another risk assessment for a small city, [where we used] dollar values for impact criteria, I asked, ‘What’s a high risk?’ [The client] said, ‘One cent.’ He was a Democrat. He said, ‘If the Republicans can find that I’m one cent off, I may lose in the next election.’ So [SLEDs] are much less risk tolerant.”

Will SLED Risk Aversion Influence StateRAMP?

How is SLED risk aversion likely to influence StateRAMP, especially in comparison to FedRAMP?

“It makes me think of the old adage, that the government closest to the people is the government closest to the people,” shares Leah. “So when the city councilman is your neighbor, there’s a different type of accountability that occurs.”

“I think states and local governments are very aware of [cybersecurity] risks and challenges,” adds Leah. “And I think that what they haven’t had until StateRAMP came along is a solution that’s viable for them.”

The StateRAMP program is an excellent way for SLED entities to reduce their cyber risk, as it is tailored to their needs and those of the cloud service providers they do business with.

What’s Next?

To find out more about how StateRAMP can help SLEDs reduce cybersecurity risk and stay out of the news, don’t miss this podcast episode with StateRAMP Executive Director Leah McGrath.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.
