Breaking Down Barriers: How SAS and Carahsoft Are Making Trustworthy AI More Accessible to Government Agencies

Government agencies face a unique challenge when it comes to adopting new technologies: they need cutting-edge capabilities, but they also need absolute certainty that those tools meet the highest security and compliance standards. For AI and analytics, this balance has historically been difficult to achieve—until now.

A Major Milestone for Government AI Access

Data and AI leader SAS has achieved FedRAMP® and GovRAMP (formerly StateRAMP®) authorization for SAS® AI and Analytics for Government. Alongside its partner Carahsoft, SAS empowers Government agencies to improve efficiency, reduce risk and enhance data security with SAS® Viya®, its cloud-native data and AI platform.

Enhanced Access to Dependable AI in the Cloud

FedRAMP is a Government-wide program that establishes a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services to ensure the protection of Federal information. GovRAMP, a nationally recognized risk authorization management program, provides a standardized approach to assessing cloud products. With these authorizations, even more Government agencies can use SAS Viya in the cloud to operationalize predictive analytics and AI regardless of whether code is developed in SAS or open source. SAS has served as a trusted Government technology provider for nearly five decades and is used in all 15 executive departments of the US Federal Government and all 50 states.

Trust and Transparency at the Core

SAS Viya incorporates trustworthy AI capabilities such as bias detection, explainability, decision auditability and model monitoring, governance and accountability, boosting confidence in Government agencies’ responsible AI initiatives.

This accomplishment demonstrates SAS’ steadfast commitment to providing a secure and reliable solution that Government agencies can rely on to safeguard their data and operations.

“SAS understands that security is table stakes for being a government partner. Security and trust always come first, followed closely by value, innovation and the ability to solve the most pressing problems. That’s what SAS has helped governments with for nearly 50 years,” said Ben Stuart, Vice President, US Public Sector at SAS. “These certifications are further evidence of this commitment, and we’re looking forward to bringing SAS Viya to even more Government customers to help them reach their goals and make an impact.”

SAS and Carahsoft’s Partnership Delivers Advanced Software to Government Agencies

The strategic agreement between the two technology leaders designates Carahsoft as a SAS Public Sector distributor, making SAS’ data and AI solutions accessible to US Government agencies through Carahsoft’s reseller partners and various contract vehicles and Government schedules. Through this partnership, Government customers can efficiently acquire SAS products and solutions, including cutting-edge, AI-optimized analytics tools for proactive response to evolving Public Sector challenges. 

With a legacy in Government dating back to the company’s founding in 1976, SAS software is used in more than 1,600 Public Sector departments, ministries and agencies in more than 130 countries worldwide. Recognized as a leading software distributor in the market, Carahsoft provides expanded scale and reach to SAS’s products and solutions, including SAS Viya, across the Public Sector.

Looking Ahead: Empowering Data-Driven Government

SAS, in partnership with Carahsoft, is dedicated to empowering Government agencies with data and AI solutions. SAS and Carahsoft help Government agencies to make informed decisions, optimize operations and enhance public services. SAS and Carahsoft are committed to driving positive change and delivering measurable results for the Public Sector.

Ready to explore how SAS can support your agency’s data and AI initiatives? Learn more about SAS public sector analytics, including FedRAMP and GovRAMP certifications.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including SAS, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought-leaders.

Vice President for StateRAMP Solutions, Carahsoft: StateRAMP: Recognizing the Importance of Framework Harmonization

StateRAMP builds on the National Institute of Standards and Technology (NIST) Special Publication 800-53 standard, which underpins FedRAMP’s approach to cloud security for Federal agencies by offering a consistent framework for security assessment, authorization and continuous monitoring. Recognizing the need for a similar framework at the State and Local levels, StateRAMP has been developed to tailor these Federal standards to the unique needs of State and Local Governments.  

Key to StateRAMP’s initiative is the focus on framework harmonization, which aligns State and Local regulations with broader Federal and industry standards. This harmonization includes efforts like FedRAMP/TX-RAMP reciprocity and the CJIS task force, making compliance more streamlined. By mapping more compliance frameworks to one another, StateRAMP helps Government agencies and industry players leverage existing work, avoid redundancy and facilitate smoother procurement of secure technologies. Carahsoft supports this mission by partnering with StateRAMP Authorized vendors and engaging in initiatives that promote these harmonization efforts, such as the StateRAMP Cyber Summit and Federal News Networks’ StateRAMP Exchange.  

Developing Framework Harmonization 

CSPs often operate across multiple sectors and industries, each regulated by distinct frameworks such as FedRAMP, CJIS, IRS Publication 1075, PCI DSS, FISMA, and HIPAA. Managing compliance across multiple frameworks can lead to redundant processes, inefficiencies and complexity. These challenges have emphasized the need for framework harmonization—aligning various cybersecurity frameworks to create a more cohesive and streamlined process.

With the FedRAMP transition to the NIST SP 800-53 Rev. 5 requirements in 2023, StateRAMP began working towards harmonization with FedRAMP across all impact levels. Through the StateRAMP Fast Track Program, CSPs pursuing FedRAMP authorization can leverage the same compliance documentation, including Plans of Action and Milestones (POA&M), System Security Plans (SSP), security controls matrix and Third Party Assessment Organization (3PAO) audits, to achieve StateRAMP authorization.

Reciprocity between StateRAMP and TX-RAMP has been established to streamline cybersecurity compliance for CSPs working with Texas state agencies, higher education institutions and public community colleges. CSPs that achieve a StateRAMP Ready or Authorized status are eligible to attain TX-RAMP certification at the same impact level through an established process. Additionally, StateRAMP’s Progressing Security Snapshot Program offers a pathway to provisional TX-RAMP certification, enabling CSPs to engage with Texas agencies while working towards StateRAMP compliance. Once CSPs have enrolled in the Snapshot Program or have engaged with a 3PAO to conduct an audit, they are added to the Progressing Product List, a public directory of products and their cybersecurity maturity status. This reciprocity eases the burden of navigating multiple compliance frameworks and certifications.  

Harmonized frameworks enable CSPs to align with the cybersecurity objectives of various organizations while simultaneously addressing a broader range of threats and vulnerabilities, improving overall security. StateRAMP’s focus is to align requirements across the Federal, State, Local and Educational sectors to reduce the cost of development and deployment through a unified set of standards. To ensure the Public and Private Sectors work in alignment, StateRAMP members have access to the same guidance, tools and resources necessary for implementing a harmonized framework. This initiative will streamline the compliance process through a unified approach to cybersecurity that ensures adherence to industry and regulatory requirements. 

The Future of StateRAMP  

StateRAMP has rolled out an overlay to its Moderate Impact Level baseline that maps to Criminal Justice Information Services (CJIS) Security Policy. This overlay is designed to strengthen cloud security in the law enforcement sector, helping assess a product’s potential for CJIS compliance in safeguarding critical information.  

At the 2024 StateRAMP Cyber Summit, Deputy Information Security Officer Jeffrey Campbell from the FBI CJIS addressed the challenges state and local entities face when adopting cloud technologies. He explained that while state constituents frequently asked if they could use FedRAMP for cloud initiatives, the answer was often complicated because FedRAMP alone does not fully meet CJIS requirements. “You can use vendors vetted through FedRAMP, that is going to get you maybe 80% of these requirements. There’s still 20% you’re going to have to do on your own,” Campbell noted. He emphasized that, through framework harmonization, StateRAMP can bridge this compliance gap, offering states a viable solution to achieve several parallel security standards.

Another initiative is the NASPO/StateRAMP Task Force, which was formed to unite procurement officials, cybersecurity experts, Government officials and industry experts together with IT professionals. The task force aims to produce tools and resources for procurement officials nationwide to make the StateRAMP adoption process more streamlined and consistent. 

Though still relatively new, StateRAMP is gaining traction, with 28 participating states as of October 2024. As cyberattacks become more sophisticated, cybersecurity compliance has become a larger point of emphasis at every level of Government to protect sensitive data. StateRAMP is working to bring all stakeholders together to drive toward a common understanding and acceptance of a standardized security standard. StateRAMP’s proactive steps to embrace framework harmonization are helping CSPs and State and Local Governments move towards a more secure digital future. 

To learn more about the advantages the StateRAMP program offers State Governments and technology suppliers, watch the Federal News Network’s StateRAMP Exchange, presented by Carahsoft.

To learn more about framework harmonization and gain valuable insights into others, such as cloud security, risk management and procurement best practices, watch the StateRAMP Cyber Summit, presented by Carahsoft. 

How to get StateRAMP Ready Faster with Security Snapshot

Security is of utmost importance to government agencies because they have access to the sensitive information of millions of people. To ensure this information stays private, StateRAMP (State Risk and Authorization Management Program) offers several guidelines to help.

StateRAMP is a nonprofit launched in 2021 and modeled after FedRAMP, a government-wide program that promotes secure cloud usage across the Federal government. State and local governments created StateRAMP to extend this authorization to the relationships between cloud service providers (CSPs) and state and local governments to improve cybersecurity posture. As an independent nonprofit organization, StateRAMP has created a process for continuous cybersecurity improvement to efficiently and cost-effectively verify the cybersecurity of cloud service providers.

A main initiative is evaluating the data security capabilities of cloud solution providers that sell to state and local governments. StateRAMP ensures CSPs meet minimum security requirements and helps them obtain verification and achieve certification. These verification statuses were created by StateRAMP and must be certified by a third party. To simplify this certification process, StateRAMP has introduced “Security Snapshot.”

Hurdles to Attaining StateRAMP Verification

StateRAMP has had an Authorized Product List since 2021, updated at the end of every business day. This list is comprised of verified providers who meet the minimum security requirements and provide an independent audit conducted by a Third Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses:

  1. Ready: The product meets minimum requirements.
  2. Provisional: The product exceeds minimum requirements and has a government sponsor.
  3. Authorized: The product satisfies all requirements and has a government sponsor.

There are 38 cloud service offerings (CSOs), 4 local government agencies, 2 universities and 17 states that are qualified in the above three tiers.

A Simpler Future with Security Snapshot

After StateRAMP’s verification process was introduced, providers encountered several questions. For some CSPs, it wasn’t easy to know if they could achieve a StateRAMP-Ready approval. The fear that CSPs would be left with a public, poor StateRAMP score induced anxiety in starting the approval process. Many agencies were unsure if they were making progress in the right direction. To combat this, StateRAMP released a new solution in early January 2023—the “Security Snapshot.”

Security Snapshot provides detailed information on how companies can get StateRAMP-certified. The snapshot offers a preliminary numerical score that CSPs can share with prospective government clients, which will not appear on the CSP’s record.

This resource acts as an early-stage security maturity assessment tool for cloud products. The intent of the service is to provide a first step toward achieving StateRAMP security status. The criteria are designed to help agencies validate minimum requirements and provide controls and additional benchmarks that would further aid in certification.

The Security Snapshot also helps providers gain quality insight into security postures and third-party cloud solutions such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products. Ultimately, it provides insights for providers and the government branches they serve.

With the introduction of Security Snapshot, CSPs can ease their concerns, knowing they will receive detailed, personalized support to help them qualify for StateRAMP’s verification.

 

For more information on StateRAMP’s security approach, visit our StateRAMP resource hub and watch our Carahsoft briefing at carah.io/StateRAMP.