Vice President for StateRAMP Solutions, Carahsoft: StateRAMP: Recognizing the Importance of Framework Harmonization

StateRAMP builds on the National Institute of Standards and Technology (NIST) Special Publication 800-53 standard, which underpins FedRAMP’s approach to cloud security for Federal agencies by offering a consistent framework for security assessment, authorization and continuous monitoring. Recognizing the need for a similar framework at the State and Local levels, StateRAMP has been developed to tailor these Federal standards to the unique needs of State and Local Governments.  

Key to StateRAMP’s initiative is the focus on framework harmonization, which aligns State and Local regulations with broader Federal and industry standards. This harmonization includes efforts like FedRAMP/TX-RAMP reciprocity and the CJIS task force, making compliance more streamlined. By mapping more compliance frameworks to one another, StateRAMP helps Government agencies and industry players leverage existing work, avoid redundancy and facilitate smoother procurement of secure technologies. Carahsoft supports this mission by partnering with StateRAMP Authorized vendors and engaging in initiatives that promote these harmonization efforts, such as the StateRAMP Cyber Summit and Federal News Networks’ StateRAMP Exchange.  

Developing Framework Harmonization 

Cloud service providers (CSPs) often operate across multiple sectors and industries, each regulated by distinct frameworks such as FedRAMP, CJIS, IRS Publication 1075, PCI DSS, FISMA and HIPAA. Managing compliance across multiple frameworks can lead to redundant processes, inefficiencies and complexity. These challenges have emphasized the need for framework harmonization: aligning the various cybersecurity frameworks so that one body of compliance work satisfies several of them through a more cohesive and streamlined process.


With the FedRAMP transition to the NIST SP 800-53 Rev. 5 requirements in 2023, StateRAMP began working towards harmonization with FedRAMP across all impact levels. Through the StateRAMP Fast Track Program, CSPs pursuing FedRAMP authorization can leverage the same compliance documentation, including Plans of Action and Milestones (POA&M), System Security Plans (SSP), the security controls matrix and Third Party Assessment Organization (3PAO) audits, to achieve StateRAMP authorization.

Reciprocity between StateRAMP and TX-RAMP has been established to streamline cybersecurity compliance for CSPs working with Texas state agencies, higher education institutions and public community colleges. CSPs that achieve a StateRAMP Ready or Authorized status are eligible to attain TX-RAMP certification at the same impact level through an established process. Additionally, StateRAMP’s Progressing Security Snapshot Program offers a pathway to provisional TX-RAMP certification, enabling CSPs to engage with Texas agencies while working towards StateRAMP compliance. Once CSPs have enrolled in the Snapshot Program or have engaged with a 3PAO to conduct an audit, they are added to the Progressing Product List, a public directory of products and their cybersecurity maturity status. This reciprocity eases the burden of navigating multiple compliance frameworks and certifications.  

Harmonized frameworks enable CSPs to align with the cybersecurity objectives of various organizations while simultaneously addressing a broader range of threats and vulnerabilities, improving overall security. StateRAMP’s focus is to align requirements across the Federal, State, Local and Educational sectors to reduce the cost of development and deployment through a unified set of standards. To ensure the Public and Private Sectors work in alignment, StateRAMP members have access to the same guidance, tools and resources necessary for implementing a harmonized framework. This initiative will streamline the compliance process through a unified approach to cybersecurity that ensures adherence to industry and regulatory requirements. 

The Future of StateRAMP  

StateRAMP has rolled out an overlay to its Moderate Impact Level baseline that maps to Criminal Justice Information Services (CJIS) Security Policy. This overlay is designed to strengthen cloud security in the law enforcement sector, helping assess a product’s potential for CJIS compliance in safeguarding critical information.  

At the 2024 StateRAMP Cyber Summit, Deputy Information Security Officer Jeffrey Campbell from the FBI CJIS addressed the challenges state and local entities face when adopting cloud technologies. He explained that while state constituents frequently asked if they could use FedRAMP for cloud initiatives, the answer was often complicated because FedRAMP alone does not fully meet CJIS requirements. “You can use vendors vetted through FedRAMP, that is going to get you maybe 80% of these requirements. There’s still 20% you’re going to have to do on your own,” Campbell noted. He emphasized that, through framework harmonization, StateRAMP can bridge this compliance gap, offering states a viable solution to achieve several parallel security standards.

Another initiative is the NASPO/StateRAMP Task Force, which was formed to bring together procurement officials, cybersecurity experts, Government officials, industry experts and IT professionals. The task force aims to produce tools and resources for procurement officials nationwide to make the StateRAMP adoption process more streamlined and consistent.

Though still relatively new, StateRAMP is gaining traction, with 28 participating states as of October 2024. As cyberattacks become more sophisticated, cybersecurity compliance has become a larger point of emphasis at every level of Government to protect sensitive data. StateRAMP is working to bring all stakeholders together to drive toward a common understanding and acceptance of a single, standardized set of security requirements. StateRAMP’s proactive steps to embrace framework harmonization are helping CSPs and State and Local Governments move towards a more secure digital future.

To learn more about the advantages the StateRAMP program offers State Governments and technology suppliers, watch the Federal News Network’s StateRAMP Exchange, presented by Carahsoft.

To learn more about framework harmonization and gain valuable insights into related topics, such as cloud security, risk management and procurement best practices, watch the StateRAMP Cyber Summit, presented by Carahsoft.

Mobilizing Law Enforcement Agencies Through Technology and Security Innovations at IACP 2023

Law enforcement professionals provide a crucial function in society. By leveraging modern technology advancements, agencies can maintain that level of service and keep the American people safe from ongoing threats. The International Association of Chiefs of Police (IACP) Annual Conference and Exposition 2023 offered law enforcement agencies and security professionals the opportunity to learn from leading experts in their fields, develop partnerships and get access to technologies that will aid in navigating the current landscape.

Securing Sensitive Law Enforcement Data 

A recurring challenge for law enforcement is the increase in ransomware attacks against agencies. Agencies reported a significant jump in attacks in the last two years, from 34% of departments reporting a ransomware attack in 2021 to nearly 69% in 2023. The average ransomware payment increased 500% in 2023 to over $1 million, and over 25% of these attacks began with a phishing or malicious email. To combat this, agencies and departments must strengthen their cybersecurity postures and align with the NIST Cybersecurity Framework. Speakers at IACP provided five categories of questions, one for each NIST Cybersecurity Framework function, that agencies should ask to evaluate their cyber readiness:

  1. Identify: Is our agency able to find weak spots, prioritize our response to them and track them? Have we done asset management, risk assessments and supply chain risk management? 
  2. Protect: Is our “front door” locked? Are we taking proactive measures to protect our data today? Have we implemented identity and access management (IAM), awareness and training, and overall data security procedures?
  3. Detect: Can we tell when something goes wrong? Can we identify issues confidently and quickly in the case of an anomaly? 
  4. Respond: How do we respond when bad things happen? Have we instituted clear communication, analysis, mitigation and response planning? 
  5. Recover: Are we ready to recover and learn from an incident and make the necessary changes to ensure it does not happen again? 

Addressing these questions and acting on them means committing to fostering a culture of security and secure best practices. Many technologies can aid in this endeavor, including artificial intelligence (AI) Ops, which assesses system patterns and behaviors to identify and surface anomalies; IAM, which provides an extra layer of authentication through biometrics and contextual authorization; and cloud and virtual environments, which agencies can employ in combination with infrastructure-as-a-service to enhance security.

The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) has released two new updates to its security policy, Versions 5.9.1 and 5.9.2, based on the key pillars of data confidentiality, integrity and availability. These policies now require initial security training for personnel who need access to Department of Justice (DOJ) materials, as well as the completion of yearly training for as long as they retain that access. In conjunction with these policies are key technologies to safeguard data such as IAM, multi-factor authentication (MFA), system monitoring and others. Employing these solutions and safety measures boosts community trust in law enforcement and the security of digital evidence. CJIS policies also reiterate to law enforcement officers the importance of doing their due diligence in securing both the data and the vital tools that could otherwise be rendered unusable in the event of an attack. The Cybersecurity and Infrastructure Security Agency (CISA) has dedicated funding for state agencies to help with this endeavor of protecting the law enforcement cyberspace.

Rising Innovative Technologies for Law Enforcement Agencies 

Implementation of body worn cameras (BWC) has been a growing initiative for law enforcement (LE) agencies for the last several years. With the Bureau of Justice Assistance’s Body Worn Camera Policy and Implementation Program (BWCPIP), more departments are able to receive grant funding and training for BWCs, allowing more widespread usage of the technology, especially in small, rural or tribal LE agencies. So far, this program has provided over $180 million in funding towards this effort. To support these BWC data advancements and further the technology benefits, LE agencies are looking for cloud storage and organization solutions, interoperability for data sharing, AI algorithms to efficiently tag videos and analytics software to pull relevant insights.

AI in the law enforcement field also provides many other time-saving benefits, including automating some procedures and everyday tasks like report writing. Before implementing AI, agencies must audit their current processes to assess the specific use cases and preemptively address any challenges. Establishing guidelines for AI usage by law enforcement not only assists internally with governance and accountability, but also helps build public trust by delineating the technology’s capabilities.

Drones are another up-and-coming technology displaying value across public safety and emergency response. In the aftermath of Hurricane Ian in 2022, LE agencies deployed unmanned aircraft systems (UAS) and, through these drones, were able to conduct situation assessments, wide area searches, mapping of critical roadways to expedite the movement of resources and more. This UAS teaming approach has increased the speed and efficiency of first responders, as well as the ability to easily share the information with other agencies. 


Whether it is body worn cameras and drones, or AI, cloud and other solutions, security must be built into both the technology and the operational processes around it. As partners in this current landscape, every party involved, in both law enforcement and industry, has the responsibility to stay educated and to maximize collaboration and the technologies available to continue to make the United States a safe place.

To learn more about Carahsoft’s Law Enforcement Technology Solutions, visit our vertical portfolio and start your journey to enabling a safer tomorrow. 


*The information contained in this blog is based on the thought-leadership discussions presented by speakers at the IACP Annual Conference and Exposition 2023.*