Ramping Up for StateRAMP
Staying current in the ever-evolving realm of cybersecurity compliance is a challenging task. There is a sea of documentation to read, riddled with acronym alphabet-soup and dense technical methodologies and concepts. Occasionally a new security or regulatory framework rises and takes the industry by storm, which brings us to our topic at hand. Today we will be exploring StateRAMP, one of the newcomers in the cloud risk management category.
StateRAMP is the product of a 2020 steering committee that set out to bring industry best practices, and a federal caliber of confidentiality, integrity, and availability, to state and local governments alike. StateRAMP was built on the same standards that sit at the core of our old friend FedRAMP: the National Institute of Standards and Technology's (NIST) Special Publication 800-53 control catalog.
Join us in peering into what StateRAMP is, how it compares to FedRAMP, and what you can achieve by becoming StateRAMP Authorized.
What is StateRAMP?
StateRAMP is a not-for-profit (501(c)(6)) organization that brings cloud service providers (CSPs) together with state and local governments, as well as educational institutions, through a set of common security criteria, in the same way that FedRAMP prepares and authorizes CSPs to work with the federal government. One of StateRAMP's goals is to streamline the authorization process for products.
The process is as follows:
- Become a StateRAMP Member.
- Complete a StateRAMP Security Snapshot.
- Familiarize your team with the StateRAMP requirements.
- Identify the Impact Level and Desired Status to be pursued.
- Engage with a third-party assessment organization (3PAO).
- Start the documentation development process, such as policies and procedures.
- Obtain your Government Sponsor or choose to pursue your status through the Approvals Committee.
- Submit your Security Review Request.
- Obtain your StateRAMP Verified status.
One difference between StateRAMP and FedRAMP is the degree of involvement: the FedRAMP PMO is solely a reviewing body, whereas StateRAMP was conceived and designed as a shared resource between CSPs and government entities.
If you cannot obtain a government sponsor, StateRAMP offers another option: the StateRAMP Approvals Committee. This committee comprises five government members and serves as the government sponsor for StateRAMP Authorized and Provisional statuses. Once a product has completed the StateRAMP PMO Authorization Review and been awarded a "Ready" status, it can be submitted to the Approvals Committee for review.
As of this writing, the Approvals Committee is comprised of the following members:
- Antoine Charles: Third Party Risk Analyst, Oklahoma Office of Management and Enterprise Technology
- Ken Weeks: Chief Information Security Officer, New Hampshire Department of Information Technology
- Todd Ryan: Chief Technology Officer, Fulton County
- Andrea Mikeal: Director of IT Policy, Risk, Identity, and Data Management, Texas A&M University Division of IT
- Josh Kadrmas: Governance, Risk, and Compliance Team Lead, North Dakota Information Technology
The StateRAMP verification process is similar to FedRAMP's, with a few variances, and still follows the "verify once, use many" methodology. StateRAMP uses FedRAMP-recognized 3PAOs to assess prospective solutions. Knowing this, you should prepare for your assessment accordingly, because it will be conducted under the same stringent processes a FedRAMP assessment entails.
Currently there are three impact levels, each aligned to a FedRAMP baseline:
- "Low" – The base level of requirements that must be met; it aligns with FedRAMP's Low baseline. At the time of writing, this level includes 117 controls.
- "Low+" – Aligns with FedRAMP's Low baseline plus select controls from the FedRAMP Moderate baseline. At the time of writing, there are 179 controls in this level.
- "Moderate" – Aligns fully with the FedRAMP Moderate baseline, which at the time of writing comprises 325 controls.
There is no fourth impact level, but if an organization or agency needs additional security controls, they can be drawn from the FedRAMP High baseline.
Now you may be asking yourself, "What are the StateRAMP security statuses?"
First there is "Progressing," which includes the following statuses:
- "Active": The organization is proactively working towards a "Ready" status.
- "In Process": The organization is working towards an "Authorized" status.
- "Pending": A security package has been submitted to the Approvals Committee, and the CSP is awaiting a determination for a "Verified" status.
Then there is "Verified," which has the following delineations:
- "Ready": The solution meets the minimum requirements; however, additional system and security validation is still required.
- "Provisional": The solution's capabilities exceed the minimum requirements, and the organization has obtained a government sponsor.
- "Authorized": All requirements are met, and the StateRAMP Approvals Committee has accepted the organization's security package.
There is also a "StateRAMP Fast Track" option for CSPs that already hold a FedRAMP ATO or FedRAMP Ready status.
One difference to be aware of is that a StateRAMP Ready status does not expire, unlike FedRAMP Ready status, which expires after 12 months. Additionally, CSPs do not need a contract with a government agency to achieve Ready or Authorized status.
Continuous Monitoring, or "ConMon" for short, is both a major similarity and a point of difference between the two programs. ConMon is essential to a defensive security posture, and for that reason any CSP going through either the StateRAMP or the FedRAMP process must perform it to demonstrate an acceptable, sustained security posture. The difference is that StateRAMP makes a CSP's ConMon results, along with its entire documentation package, available to participating government entities for review.
As StateRAMP evolves and settles into the industry, expect more local and state government entities to adopt it as their security standard. You can rest a little easier now that you understand what StateRAMP is, how it works, and how it compares to FedRAMP.
The two programs share many of the same requirements and are structured similarly, so if you are already in the FedRAMP Marketplace, achieving a StateRAMP "Authorized" status is not a large leap.