StateRAMP Adoption Is on the Rise: Here’s How to Prepare

The State Risk and Authorization Management Program (StateRAMP) provides state and local governments with a comprehensive security framework designed to improve their cloud security. The continued rise in threat actors targeting critical U.S. infrastructure has led the StateRAMP program to gain momentum over the past year. In fact, 10 states and counting have now adopted this new standard.  

Cloud service providers (CSPs) that wish to sell a cloud service offering (CSO) to one or more of these states should achieve StateRAMP authorization, and the list of states that have adopted this program will only continue to grow.

StateRAMP is voluntary and allows CSPs to benefit from a “do once, use many” approach. This means they can reuse a single authorization package across multiple states rather than going through a separate mandatory assessment in each state.

How Does StateRAMP Differ from FedRAMP? 

If StateRAMP sounds familiar, you may have heard mention of the similarly titled FedRAMP (the Federal Risk and Authorization Management Program).   

Created in 2011, FedRAMP was designed to provide a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. By promoting the adoption of secure cloud services across the Federal government, FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

StateRAMP can be thought of as FedRAMP for state and local governments, and it has a Security Assessment Framework that is based on the National Institute of Standards and Technology Risk Management Framework (NIST RMF).  

However, whereas FedRAMP has a notoriously difficult authorization process, CSPs can expect a more business-friendly process for StateRAMP. There is even a fast track to StateRAMP authorization for FedRAMP-authorized services.

Requirements for StateRAMP Authorization 

CSPs seeking StateRAMP authorization must comply with four primary requirements:

  • Compliance with the security standards listed in NIST Special Publication 800-53 Rev. 4, and soon 800-53 Rev. 5.
  • A relationship with a Third-Party Assessment Organization (3PAO) that serves as a partner and educator throughout the entire process.
  • Producing an in-depth security report in collaboration with a 3PAO that proves the organization has all the necessary controls in place and meets all requirements for authorization.
  • Participating in continuous monitoring to demonstrate that the organization continues to maintain StateRAMP compliance.

How Organizations Can Prepare

For CSPs already in the process of acquiring StateRAMP authorization, as well as those still determining their next move, there are four steps that can be taken now to make the transition as smooth as possible.

1. Adhere to the StateRAMP Implementation Checklist  

StateRAMP has created its own detailed implementation checklist. From identifying stakeholders and determining a governance process, to identifying continuous monitoring and reporting requirements, this guide provides CSPs with a solid “at-a-glance” checklist.  

Each step of the process is broken down into smaller sections, allowing CSPs to understand the government’s reasoning for the required action and who is involved with each component.  

2. Address Gaps Against the StateRAMP Control Baseline 

In addition to the implementation checklist, StateRAMP also publishes a baseline summary of its security controls.

All of the security controls are listed in this annually updated table and are drawn from NIST 800-53 Rev. 4, which, as a reminder, is also the basis for FedRAMP.

  • StateRAMP Category 1 aligns with the controls required for FedRAMP Low Impact.  
  • StateRAMP Category 3 aligns with the controls required for FedRAMP Moderate Impact.  
  • StateRAMP Category 2 is in development. It is intended to provide flexibility for state and local governments.  

3. Follow the StateRAMP Guide for Continuous Monitoring and Improvement  

Monitoring security controls is a critical part of the overall risk management framework for information security. Service providers are required to maintain a security authorization that specifically meets StateRAMP requirements. 

An easy way to ensure CSPs continue to routinely examine the proper areas is to follow StateRAMP’s official guide for continuous monitoring and improvement. Ongoing due diligence and review will enable you to make informed risk management decisions regarding the security of your cloud solutions.

4. Leverage Control Inheritance from a StateRAMP-Authorized Infrastructure Provider 

StateRAMP routinely updates its Authorized Vendor List (AVL), which lists products that have achieved a security status along with products actively going through the process. Working with these vendors can help streamline your own authorization journey.

Now Is the Time to Act 

The rate of StateRAMP adoption by state and local governments will only continue to increase. StateRAMP allows CSPs to maintain a single authorization standard rather than multiple variants from state to state. If your organization can benefit from reusing its authorization package across multiple states rather than going through a separate mandatory assessment in each state, A-LIGN’s experts can help you begin preparing.

Achieve StateRAMP-authorized status with A-LIGN, one of the only StateRAMP-registered assessors on the market today.