Breaking Down Barriers: How SAS and Carahsoft Are Making Trustworthy AI More Accessible to Government Agencies

Government agencies face a unique challenge when it comes to adopting new technologies: they need cutting-edge capabilities, but they also need absolute certainty that those tools meet the highest security and compliance standards. For AI and analytics, this balance has historically been difficult to achieve—until now.

A Major Milestone for Government AI Access

Data and AI leader SAS has achieved FedRAMP® and GovRAMP (formerly StateRAMP®) authorization for SAS® AI and Analytics for Government. Alongside its partner Carahsoft, SAS empowers Government agencies to improve efficiency, reduce risk and enhance data security with SAS® Viya®, its cloud-native data and AI platform.

Enhanced Access to Dependable AI in the Cloud

FedRAMP is a Government-wide program that establishes a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services to ensure the protection of Federal information. GovRAMP, a nationally recognized risk authorization management program, provides a standardized approach to assessing cloud products. With these authorizations, even more Government agencies can use SAS Viya in the cloud to operationalize predictive analytics and AI regardless of whether code is developed in SAS or open source. SAS has served as a trusted Government technology provider for nearly five decades and is used in all 15 executive departments of the US Federal Government and all 50 states.

Trust and Transparency at the Core

SAS Viya incorporates trustworthy AI capabilities such as bias detection, explainability, decision auditability and model monitoring, governance and accountability, boosting confidence in Government agencies’ responsible AI initiatives.

This accomplishment demonstrates SAS’ steadfast commitment to providing a secure and reliable solution that Government agencies can rely on to safeguard their data and operations.

“SAS understands that security is table stakes for being a government partner. Security and trust always come first, followed closely by value, innovation and the ability to solve the most pressing problems. That’s what SAS has helped governments with for nearly 50 years,” said Ben Stuart, Vice President, US Public Sector at SAS. “These certifications are further evidence of this commitment, and we’re looking forward to bringing SAS Viya to even more Government customers to help them reach their goals and make an impact.”

SAS and Carahsoft’s Partnership Delivers Advanced Software to Government Agencies

The strategic agreement between the two technology leaders designates Carahsoft as a SAS Public Sector distributor, making SAS’ data and AI solutions accessible to US Government agencies through Carahsoft’s reseller partners and various contract vehicles and Government schedules. Through this partnership, Government customers can efficiently acquire SAS products and solutions, including cutting-edge, AI-optimized analytics tools for proactive response to evolving Public Sector challenges. 

With a legacy in Government dating back to the company’s founding in 1976, SAS software is used in more than 1,600 Public Sector departments, ministries and agencies in more than 130 countries worldwide. Recognized as a leading software distributor in the market, Carahsoft provides expanded scale and reach to SAS’s products and solutions, including SAS Viya, across the Public Sector.

Looking Ahead: Empowering Data-Driven Government

SAS, in partnership with Carahsoft, is dedicated to empowering Government agencies with data and AI solutions. SAS and Carahsoft help Government agencies to make informed decisions, optimize operations and enhance public services. SAS and Carahsoft are committed to driving positive change and delivering measurable results for the Public Sector.

Ready to explore how SAS can support your agency’s data and AI initiatives? Learn more about SAS public sector analytics, including FedRAMP and GovRAMP certifications.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SAS, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry-leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

StateRAMP: Recognizing the Importance of Framework Harmonization

Vice President for StateRAMP Solutions, Carahsoft

StateRAMP builds on the National Institute of Standards and Technology (NIST) Special Publication 800-53 standard, which underpins FedRAMP’s approach to cloud security for Federal agencies by offering a consistent framework for security assessment, authorization and continuous monitoring. Recognizing the need for a similar framework at the State and Local levels, StateRAMP has been developed to tailor these Federal standards to the unique needs of State and Local Governments.  

Key to StateRAMP’s initiative is the focus on framework harmonization, which aligns State and Local regulations with broader Federal and industry standards. This harmonization includes efforts like FedRAMP/TX-RAMP reciprocity and the CJIS task force, making compliance more streamlined. By mapping more compliance frameworks to one another, StateRAMP helps Government agencies and industry players leverage existing work, avoid redundancy and facilitate smoother procurement of secure technologies. Carahsoft supports this mission by partnering with StateRAMP Authorized vendors and engaging in initiatives that promote these harmonization efforts, such as the StateRAMP Cyber Summit and Federal News Network’s StateRAMP Exchange.

Developing Framework Harmonization 

CSPs often operate across multiple sectors and industries, each regulated by distinct frameworks such as FedRAMP, CJIS, IRS Publication 1075, PCI DSS, FISMA, and HIPAA. Managing compliance across multiple frameworks can lead to redundant processes, inefficiencies and complexity. These challenges have emphasized the need for framework harmonization—aligning various cybersecurity frameworks to create a more cohesive and streamlined process.

With the FedRAMP transition to the NIST SP 800-53 Rev. 5 requirements in 2023, StateRAMP began working towards harmonization with FedRAMP across all impact levels. Through the StateRAMP Fast Track Program, CSPs pursuing FedRAMP authorization can leverage the same compliance documentation, including Plans of Action and Milestones (POA&M), System Security Plans (SSP), security controls matrix and Third Party Assessment Organization (3PAO) audits, to achieve StateRAMP authorization.

Reciprocity between StateRAMP and TX-RAMP has been established to streamline cybersecurity compliance for CSPs working with Texas state agencies, higher education institutions and public community colleges. CSPs that achieve a StateRAMP Ready or Authorized status are eligible to attain TX-RAMP certification at the same impact level through an established process. Additionally, StateRAMP’s Progressing Security Snapshot Program offers a pathway to provisional TX-RAMP certification, enabling CSPs to engage with Texas agencies while working towards StateRAMP compliance. Once CSPs have enrolled in the Snapshot Program or have engaged with a 3PAO to conduct an audit, they are added to the Progressing Product List, a public directory of products and their cybersecurity maturity status. This reciprocity eases the burden of navigating multiple compliance frameworks and certifications.  

Harmonized frameworks enable CSPs to align with the cybersecurity objectives of various organizations while simultaneously addressing a broader range of threats and vulnerabilities, improving overall security. StateRAMP’s focus is to align requirements across the Federal, State, Local and Educational sectors to reduce the cost of development and deployment through a unified set of standards. To ensure the Public and Private Sectors work in alignment, StateRAMP members have access to the same guidance, tools and resources necessary for implementing a harmonized framework. This initiative will streamline the compliance process through a unified approach to cybersecurity that ensures adherence to industry and regulatory requirements. 

The Future of StateRAMP  

StateRAMP has rolled out an overlay to its Moderate Impact Level baseline that maps to Criminal Justice Information Services (CJIS) Security Policy. This overlay is designed to strengthen cloud security in the law enforcement sector, helping assess a product’s potential for CJIS compliance in safeguarding critical information.  

At the 2024 StateRAMP Cyber Summit, Deputy Information Security Officer Jeffrey Campbell from the FBI CJIS addressed the challenges state and local entities face when adopting cloud technologies. He explained that while state constituents frequently asked if they could use FedRAMP for cloud initiatives, the answer was often complicated because FedRAMP alone does not fully meet CJIS requirements. “You can use vendors vetted through FedRAMP, that is going to get you maybe 80% of these requirements. There’s still 20% you’re going to have to do on your own,” Campbell noted. He emphasized that, through framework harmonization, StateRAMP can bridge this compliance gap, offering states a viable solution to achieve several parallel security standards.

Another initiative is the NASPO/StateRAMP Task Force, which was formed to unite procurement officials, cybersecurity experts, Government officials and industry experts together with IT professionals. The task force aims to produce tools and resources for procurement officials nationwide to make the StateRAMP adoption process more streamlined and consistent. 

Though still relatively new, StateRAMP is gaining traction, with 28 participating states as of October 2024. As cyberattacks become more sophisticated, cybersecurity compliance has become a larger point of emphasis at every level of Government to protect sensitive data. StateRAMP is working to bring all stakeholders together to drive toward a common understanding and acceptance of a standardized security standard. StateRAMP’s proactive steps to embrace framework harmonization are helping CSPs and State and Local Governments move towards a more secure digital future. 

To learn more about the advantages the StateRAMP program offers State Governments and technology suppliers, watch the Federal News Network’s StateRAMP Exchange, presented by Carahsoft.

To learn more about framework harmonization and gain valuable insights into others, such as cloud security, risk management and procurement best practices, watch the StateRAMP Cyber Summit, presented by Carahsoft. 

How to get StateRAMP Ready Faster with Security Snapshot

Security is of utmost importance to government agencies because they have access to the sensitive information of millions of people. To ensure this information stays private, StateRAMP (State Risk and Authorization Management Program) offers several guidelines to help.

StateRAMP is a nonprofit launched in 2021 and modeled after FedRAMP, a government-wide program that promotes secure cloud usage across the Federal government. State and local governments created StateRAMP to extend this authorization to the relationships between cloud service providers (CSPs) and state and local governments to improve cybersecurity posture. As an independent nonprofit organization, StateRAMP has created a process for continuous cybersecurity improvement to efficiently and cost-effectively verify the cybersecurity of cloud service providers.

A main initiative is evaluating the data security capabilities of cloud solution providers that sell to state and local governments. StateRAMP ensures CSPs meet minimum security requirements and helps them obtain verification and achieve certification. These verification statuses were created by StateRAMP and must be certified by a third party. To simplify this certification process, StateRAMP has introduced “Security Snapshot.”

Hurdles to Attaining StateRAMP Verification

StateRAMP has had an Authorized Product List since 2021, updated at the end of every business day. This list is comprised of verified providers who meet the minimum security requirements and provide an independent audit conducted by a Third Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses:

  1. Ready: The product meets minimum requirements.
  2. Provisional: The product exceeds minimum requirements and has a government sponsor.
  3. Authorized: The product satisfies all requirements and has a government sponsor.

There are 38 cloud service offerings (CSOs), 4 local government agencies, 2 universities and 17 states that are qualified in the above three tiers.

A Simpler Future with Security Snapshot

After StateRAMP’s verification process was introduced, providers encountered several questions. For some CSPs, it wasn’t easy to know if they could achieve a StateRAMP-Ready approval. The fear that CSPs would be left with a public, poor StateRAMP score induced anxiety in starting the approval process. Many agencies were unsure if they were making progress in the right direction. To combat this, StateRAMP released a new solution in early January 2023—the “Security Snapshot.”

Security Snapshot provides detailed information on how companies can get StateRAMP-certified. The snapshot offers a preliminary numerical score that CSPs can share with prospective government clients, which will not appear on the CSP’s record.

This resource acts as an early-stage security maturity assessment tool for cloud products. The intent of the service is to provide a first step toward achieving StateRAMP security status. The criteria are designed to help agencies validate minimum requirements and provide controls and additional benchmarks that would further aid in certification.

The Security Snapshot also helps providers gain quality insight into security postures and third-party cloud solutions such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products. Ultimately, it provides insights for providers and the government branches they serve.

With the introduction of Security Snapshot, CSPs can ease their concerns, knowing they will receive detailed, personalized support to help them qualify for StateRAMP’s verification.

For more information on StateRAMP’s security approach, visit our StateRAMP resource hub and watch our Carahsoft briefing at carah.io/StateRAMP.

MultiCloud Resilience: How StateRAMP Prepares SLG for the Next Step in Cybersecurity

The standard for cloud security is continuously being raised as the public sector grows its cybersecurity needs. Due to the recent outages and disruptions from several cloud vendors, government agencies need to expand to a MultiCloud system to have a catalog of clouds for their diverse needs. State and local government agencies can turn to StateRAMP (State Risk and Authorization Management Program) to provide education and cost-effective solutions for verifying cloud security.

Expanding to a MultiCloud System

Moving from a single cloud system to a hybrid or MultiCloud system can be overwhelming and expensive for public sector organizations to tackle alone. That process consists of the agency finding a new cybersecurity policy, finding a Third Party Assessment Organization (3PAO) to assess vendors, reviewing the security package to make sure it aligns with the new policy, and finally choosing vendors to work with. StateRAMP works through the process for SLG agencies, verifying the cybersecurity policy, providing an approved list of vendors, and maintaining the list by continuously monitoring those service providers’ products, impact level, provider type, and security status. This allows state and local government agencies to increase operating efficiency through the Authorized Vendor List (AVL) and certified infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) solutions.

Creating a Cybersecurity Standard on the State Level

Every government agency has unique needs when it comes to cybersecurity requirements. Since there is no common standard for state and local governments, they are left with either relying on a contract with the federal government or coming up with their own method. Creating a unique standard requires each agency to secure its own budget, recruit/retain its own experts, and develop its own policies. Outsourcing is the most cost-effective option for State and Local Governments that do not possess the infrastructure to execute this process alone. StateRAMP streamlines this process by curating a baseline of cyber assurance and level of trust between the public and private organizations. State and local government agencies can rely on cloud giants because they have an investment in security capabilities and education to know how to assist agencies without large IT departments.

Integration is Essential for Efficiency

Once an agency decides to expand to a hybrid or MultiCloud system, cybersecurity efficiency is increased. State and Local Governments can purchase multiple cloud services to avoid interruptions in day-to-day operations. This also means that states can recover faster and continually scan the backup clouds for performance issues. Agencies can take advantage of having several cloud platforms by strategically placing specific jobs and responsibilities with particular clouds to optimize cybersecurity operations.  Integrating cloud platforms in a hybrid or MultiCloud system allows the public sector to align applications to those platforms to increase the functionality and connection of data between them.

MultiCloud Resilience

Like the rest of the world, many agencies are continuing to encourage state and local employees to work from home. Having on and off-premise applications leaves agencies increasingly vulnerable to cybersecurity threats and decreased cloud efficiency. The National Association of State Chief Information Officers (NASCIO) listed cybersecurity and managing third-party risk as their top 2021 priority for the 8th consecutive year.[1] There are many steps to be taken before graduating from a single cloud system; however, agencies need to invest time and resources to keep up with today’s cybersecurity standards. Once prepared, StateRAMP has the resources and knowledge to assist SLG in the fight against cybersecurity attacks.

For more information on StateRAMP’s MultiCloud security approach, visit our StateRAMP resource hub at carah.io/StateRAMP.

[1] “StateRAMP Overview,” StateRAMP, https://static.carahsoft.com/concrete/files/7116/3249/5033/StateRAMP_Overview_-_Spring_2021.pdf

A New Option for Agencies and Providers: StateRAMP

FedRAMP, a program that standardizes the federal government’s approach to security and risk assessment across cloud technologies, has been a success for both government agencies and technology providers. A team of state executives saw the need for a FedRAMP-style option for state and local governments to verify cybersecurity and manage third-party risk. In 2020, they created StateRAMP (State Risk and Authorization Management Program) so the “verify once, use many” approach can benefit state and local governments.

StateRAMP, which is not affiliated with FedRAMP, is an independent not-for-profit organization providing an efficient and cost-effective solution for verifying the cybersecurity of cloud service providers for state and local governments. The organization’s goal is to create a framework for continuous improvement in cybersecurity for governments, providers, and the constituents they serve.

While StateRAMP’s Marketplace is modeled after FedRAMP, StateRAMP’s mission is education. StateRAMP will provide proactive education, sample policies, resources, and templates for its members. The goal with this documentation is to provide clear guidance with a focus on intent and purpose.

The StateRAMP Process

State and local governments will have the option of adopting a cyber policy requiring independent verification—via StateRAMP—of their vendors’ cyber posture. Because states have adopted a cybersecurity framework based on National Institute of Standards and Technology (NIST), that is also the basis for the StateRAMP verification requirements.

Providers who wish to do business with that state or local government would need to engage a third party assessment organization (3PAO) for the required assessments. Any FedRAMP 3PAO is eligible to become a StateRAMP 3PAO, letting StateRAMP leverage the marketplace that already exists. FedRAMP 3PAOs are American Association for Laboratory Accreditation certified and know how to verify for NIST controls.

The 3PAO conducts the readiness or security assessment report and submits that security package to StateRAMP—which manages the program management office (PMO) that reviews the security package and verifies security status. StateRAMP also maintains responsibility for continuous monitoring and maintains updates to the StateRAMP Marketplace.

StateRAMP Marketplace

StateRAMP’s Marketplace is a public website (stateramp.org) that will include information about the service provider’s products, including impact level, provider type, and security status.

StateRAMP is organized as a membership organization. Providers that wish to list products on the StateRAMP Marketplace must join as a subscriber member for an annual fee; government agencies can join for free. In addition to listing products, subscriber members are eligible for education, templates, and resources provided by StateRAMP.

Security Impact Levels

Once a provider has decided to list a product on the StateRAMP Marketplace, they will need to identify their impact level. The higher the impact level, the more sensitive or critical the data or the system will be. For example, FedRAMP has three levels, including low, moderate, and high impact. Low is for less sensitive and generally publicly available data, and high impact typically involves data and systems at the highest security, including national security.

StateRAMP also offers three security impact levels, including category one, which will align with FedRAMP low. Category three aligns with FedRAMP moderate and maps to confidential data or highly critical systems.

The StateRAMP committee learned of interest in a low-plus option for systems that transmit, process or store less-sensitive PII, such as emails, or systems that store public data and may interface with a more sensitive system. In these examples, the state may wish to require a low-plus option—which is what led to the concept of a category two. It includes controls and sub-controls of low impact with select additional controls.

Provider Path and Minimum Mandatory Requirements

There are three milestone statuses: Ready, Authorized, and Provisional. Ready does not require a government sponsor, but Authorized and Provisional do. The Ready status is attained by meeting the minimum mandatory requirements—demonstrated by a readiness assessment report conducted by a 3PAO. A provider that is StateRAMP Ready indicates its product meets the minimum requirements and is well-positioned to comply with the full authorization requirements.

Authorized indicates the product meets all required NIST controls by impact level and the provider has completed the necessary documentation, including a 3PAO security assessment report. To be Authorized, both the StateRAMP PMO and the sponsoring government must agree that the product meets the requirements.

If a provider meets the minimum requirements and most, but not all, critical controls, a sponsoring government might list their status as Provisional while the provider works towards becoming Authorized. State and local governments perceived a need to give providers an on-ramp to attain a listing of Ready or Authorized.

If you would like to learn more about StateRAMP, join their briefing on Friday, April 30th.