Following the trail blazed by the successful FedRAMP program, the State Risk and Authorization Management Program (StateRAMP) aims to bring standardized, streamlined cybersecurity assessments to the states. Arizona recently announced a year-long pilot of StateRAMP to test and refine the program, and momentum seems to be building toward wider adoption by other state and local governments.
What is StateRAMP?
Formally launched in early 2020, StateRAMP is a non-profit membership organization composed of government officials, cloud service providers (CSPs) and third-party assessment organizations (3PAOs). StateRAMP is modeled on the FedRAMP concept of “certify once, use many.” By providing a standardized methodology for assessing the cybersecurity posture of cloud services, StateRAMP seeks to enable state and local governments to make informed, risk-based decisions about IT vendors without having to perform their own costly, time-consuming assessments.
Similar to FedRAMP, StateRAMP assessments are based on the NIST SP 800-53 security framework. The program also emulates the FedRAMP process of requiring audits by an A2LA-accredited 3PAO and continuous monitoring reports. However, unlike under FedRAMP, where individual agencies manage continuous monitoring, StateRAMP centralizes it through the StateRAMP Project Management Office.
StateRAMP also offers a fast-track process that allows FedRAMP-authorized services to rapidly acquire StateRAMP authorization by submitting their federal-approved security package and 90 days of continuous monitoring documentation.
The Potential for StateRAMP
State and local governments tend to operate under tight budgets with tiny IT departments and outdated computer systems, leaving them vulnerable to ransomware. Most states allocate less than 3% of their IT budgets to cybersecurity. The federal government has allocated funds to address this shortfall in the recently passed infrastructure bill, and StateRAMP may help states stretch those dollars further. Beyond mitigating the need for state governments to perform duplicative assessments of vendors, StateRAMP’s streamlined approach to continuous monitoring makes it affordable for states, filling an important gap in their security posture. If widely adopted, StateRAMP should also raise the baseline cybersecurity standards for state and local governments, which tend to be less stringent, to align with federal requirements.
Ramping Up the Program
The StateRAMP program has notched several successes over the past year, including publishing its list of authorized vendors and starting the Arizona pilot. Additionally, Texas is kicking off its own TexRAMP program, and several other states are already participating in StateRAMP planning. Unlike FedRAMP, StateRAMP participation is voluntary, so state adoption is critical to its success. As the program continues to expand, StateRAMP authorization will likely give state contractors a competitive advantage and may become mandatory in many states.
Are you considering a FedRAMP authorization? Beyond allowing you to sell your cloud services to federal agencies—and giving you a fast track to StateRAMP authorization—a FedRAMP authorization inspires confidence in the security of your services. As a FedRAMP-certified 3PAO, MBL Technologies can guide you through every step of the authorization process. Contact us to get started!