FedRAMP, a program that standardizes the federal government’s approach to security and risk assessment across cloud technologies, has been a success for both government agencies and technology providers. A team of state executives saw the need for a FedRAMP-style option for state and local governments to verify cybersecurity and manage third-party risk. In 2020, they created StateRAMP (State Risk and Authorization Management Program) so the “verify once, use many” approach can benefit state and local governments.
StateRAMP, which is not affiliated with FedRAMP, is an independent not-for-profit organization providing an efficient and cost-effective solution for verifying the cybersecurity of cloud service providers for state and local governments. The organization’s goal is to create a framework for continuous improvement in cybersecurity for governments, providers, and the constituents they serve.
While StateRAMP’s Marketplace is modeled after FedRAMP, StateRAMP’s mission is education. StateRAMP will provide proactive education, sample policies, resources, and templates for its members. The goal with this documentation is to provide clear guidance with a focus on intent and purpose.
The StateRAMP Process
State and local governments will have the option of adopting a cyber policy requiring independent verification—via StateRAMP—of their vendors’ cyber posture. Because states have adopted cybersecurity frameworks based on National Institute of Standards and Technology (NIST) standards, NIST is also the basis for the StateRAMP verification requirements.
Providers who wish to do business with that state or local government would need to engage a third-party assessment organization (3PAO) for the required assessments. Any FedRAMP 3PAO is eligible to become a StateRAMP 3PAO, letting StateRAMP leverage the marketplace that already exists. FedRAMP 3PAOs are certified by the American Association for Laboratory Accreditation and know how to verify NIST controls.
The 3PAO conducts the readiness or security assessment, produces the corresponding report, and submits that security package to StateRAMP—which manages the program management office (PMO) that reviews the security package and verifies security status. StateRAMP also maintains responsibility for continuous monitoring and keeps the StateRAMP Marketplace up to date.
StateRAMP’s Marketplace is a public website (stateramp.org) that will include information about the service provider’s products, including impact level, provider type, and security status.
StateRAMP is organized as a membership organization. Providers that wish to list products on the StateRAMP Marketplace must join as a subscriber member for an annual fee; government agencies can join for free. In addition to listing products, subscriber members are eligible for education, templates, and resources provided by StateRAMP.
Security Impact Levels
Once a provider has decided to list a product on the StateRAMP Marketplace, they will need to identify their impact level. The higher the impact level, the more sensitive or critical the data or the system will be. For example, FedRAMP has three levels: low, moderate, and high impact. Low is for less sensitive and generally publicly available data, and high impact typically involves data and systems requiring the highest level of security, including national security.
StateRAMP also offers three security impact levels. Category one aligns with FedRAMP low. Category three aligns with FedRAMP moderate and maps to confidential data or highly critical systems.
The StateRAMP committee learned of interest in a low-plus option for systems that transmit, process, or store less-sensitive PII, such as emails, or systems that store public data and may interface with a more sensitive system. In these examples, the state may wish to require a low-plus option—which is what led to the concept of a category two. It includes the controls and sub-controls of the low impact level with select additional controls.
Provider Path and Minimum Mandatory Requirements
There are three milestone statuses: Ready, Authorized, and Provisional. Ready does not require a government sponsor, but Authorized and Provisional do. The Ready status is attained by meeting the minimum mandatory requirements—demonstrated by a readiness assessment report conducted by a 3PAO. A provider that is StateRAMP Ready indicates its product meets the minimum requirements and is well-positioned to comply with the full authorization requirements.
Authorized indicates the product meets all required NIST controls by impact level and the provider has completed the necessary documentation, including a 3PAO security assessment report. To be Authorized, both the StateRAMP PMO and the sponsoring government must agree that the product meets the requirements.
If a provider meets the minimum requirements and most, but not all, critical controls, a sponsoring government might list the provider’s status as Provisional while the provider works towards becoming Authorized. State and local governments perceived a need to give providers an on-ramp to attaining a listing of Ready or Authorized.
If you would like to learn more about StateRAMP, join their briefing on Friday, April 30th.