StateRAMP: The “easy button” is now a reality

James Masella

Managing Principal, FedRAMP, StateRAMP, NIST Advisory Services

For CSPs who do business with state and local agencies, StateRAMP sets a rigorous cybersecurity bar for providers to meet and gives agencies a consistent way to secure their cloud services.

Key takeaways:

  • New StateRAMP framework is active and helps standardize what cloud security looks like at the state and local levels
  • The framework leverages an existing model which sets a high bar and creates consistency
  • More than 20% of states have already approved the framework for use

When StateRAMP was announced last year, I was excited! Finally, they have put together a program that will enforce rigorous cloud security standards while reducing the burden on state and local governments: one that is flexible and eliminates repetitive and costly authorization and accreditation processes. They, of course, are the folks over at the StateRAMP Program Management Office (PMO). They have come up with a very viable solution to assure that secure cloud services are available for state and local government use.

Ushering in a new era of streamlined cybersecurity

With StateRAMP, we could potentially see the end of the need for state and local governments to run their own customized compliance programs, with all the overhead that entails, simply to procure sorely needed modern and secure cloud services. In an industry already short of cyber professionals, local governments are at a disadvantage in hiring, competing against the tech industry and the federal government for highly skilled talent. StateRAMP reduces the need to replicate that staffing at the state and local level on severely constrained budgets by relying on third-party assessment organizations and the StateRAMP PMO to conduct risk management activities and reviews once, for all of the interested state and local buyers. What’s left is a relatively small level of effort: a final review of the security package and an official sign-off on an authorization to operate memo. States are no longer on the hook to create their own programs (like Virginia’s SEC 525) from scratch or borrow some ill-fitting security standard. Conceivably, all a state agency would need to do is put out a solicitation, require some level of StateRAMP status, authorize the service, and then start using it. Easy!

Leveraging an existing security model creates consistency

More importantly, these services will likely be more secure. By borrowing from the FedRAMP program, StateRAMP has adopted the high bar in cloud security compliance. FedRAMP is the gold standard for cloud security — one that most commercial offerings struggle to meet. Currently, many state and local governments accept multiple possible compliance frameworks such as ISO, SOC, and various forms of NIST SP 800-53. All three differ in their goals and level of rigor and, quite simply, tend not to be very prescriptive. Compare this to the rigor of the FedRAMP standard, as close to 400 cloud service providers can attest, and you can see why StateRAMP follows the FedRAMP model. StateRAMP takes the security of cloud services to the next level by specifying standards for encryption and multi-factor authentication, areas where the standards currently used by state entities are usually vague or undefined.

What does this mean for CSPs?

The StateRAMP market launch is not just a huge load off of local governments; it is equally impactful for cloud service providers (CSPs). Up until now, getting cyber technology to all 50 states and hundreds of local governments, for everything from healthcare solutions to law enforcement, meant navigating a daunting maze of conflicting standards and inconsistent security control interpretations. That makes the services more complicated and, quite frankly, less secure. With one standard that can be assessed once and leveraged many times, cloud service providers can now build their cloud architectures with security baked in, for everyone. And they only have to pay once for an initial assessment, build their security documentation package once, and remediate their gaps once. Just once — not 50 times or 500 times. Sure, there are costs for continuous monitoring, documentation updates to account for new technologies, and annual assessments, but again, only one standard and one authoritative review body. So much better than the hodgepodge that existed before now. And bonus points for cloud service providers already in the federal market with FedRAMP authorized services: StateRAMP has a low-cost fast track program that eases the path to authorization. For cloud service providers looking to support state and local governments, this really is the more efficient approach for a go-to-market strategy.

Given Coalfire’s membership on the StateRAMP steering committee and the standards and technical committee, I’m often asked by colleagues, peers, and associates if StateRAMP is real; is it going to take off? Many are surprised to hear me say, “Yes, absolutely!” As of this writing, 20% of states, from California to Vermont and Texas to Michigan, have already bought in and agreed to adopt StateRAMP. With increased attacks on our critical infrastructure at the state and local level by nation states, hacktivists, and criminals, the patchwork approach to cybersecurity can no longer be tolerated. The StateRAMP PMO is doing its part by making it easier for governments to procure secure cloud services, standardizing what cloud security looks like for non-federal government use. It is really the “easy button” for compliance and, if StateRAMP makes security compliance better, easier, and more standardized…well, that has to be a recipe for success!