June 28, 2021

Last Updated on January 19, 2024

If you’re a security or IT leader at a cloud service provider, you probably know about the US federal government’s FedRAMP program to manage security authorizations for cloud service offerings (SaaS, PaaS, IaaS, etc.). But have you heard about StateRAMP, the newly launched nonprofit that is vetting the security of cloud services for state, local and education (SLED) government entities?

StateRAMP is a comprehensive program right out of the gate, and one of its many advantages is “reciprocity” for services that have earned a FedRAMP Authority to Operate (ATO).

To share everything you need to know about StateRAMP, Leah McGrath, StateRAMP’s Executive Director, joined a recent episode of The Virtual CISO Podcast. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.

How StateRAMP/FedRAMP reciprocity works

“So there’s a StateRAMP fast-track for FedRAMP ATOs,” Leah explains. “For providers that already have a FedRAMP Ready or ATO or PATO status, joining StateRAMP as a member is the first step. The second step, instead of calling a 3PAO [third-party auditor], is to schedule a call with our PMO Office. And that involves… talking about the boundary, your data architecture, and then sharing the FedRAMP security package and your most recent continuous monitoring report.”

“There’s an opportunity to redact, of course,” continues Leah. “If there’s federally protected information that’s really specific to an agency or an agency ATO, you’re going to redact that information. And there’s a secure portal that you can upload [documents] into for the PMO review. That’s the process—there’s no new audit required.”

Adapting to StateRAMP templates

If you’re familiar with the FedRAMP authorization process, you’ll recall that FedRAMP has about 13 core documents based on templates, which applicants need to populate. StateRAMP uses a very similar model because, like FedRAMP, it’s based on NIST 800-53. StateRAMP’s “new and improved” templates are very similar to FedRAMP’s, but rightsized for SLED entities and the smaller CSPs that will serve them.

“For the StateRAMP fast-track option for those who have a FedRAMP ATO, they can provide their existing [FedRAMP] documentation without having to translate it to StateRAMP templates,” Leah notes. “However, at the time of the annual audit, we are going to ask … you to please provide that in the StateRAMP templates, and there will be different options to help translate and help facilitate that process.”

There’s also a StateRAMP “appeals committee” in place to weigh in on questions, disagreements, and exception requests from CSPs.

“So yes, it’s going to look familiar,” reassures Leah. “We are working on pulling together… so when we publish the templates and resources, you will see sample policy documents, sample procedure documents… We’re really trying to help meet the service providers where they are, to help get that process started.”

What’s Next?

If your cloud service company is ready to do business with SLED agencies, or if you’re looking to make your SLED environment more secure, you’ll love this podcast with StateRAMP Executive Director Leah McGrath.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.