StateRAMP Exchange 2024: How StateRAMP aims to keep iterating through ‘framework harmonization,’ procurement efforts

The state and local program for authorizing cloud services, known as StateRAMP, intends to continue evolving its young program to meet the demands of a growing customer base.

StateRAMP launched in 2021 to provide state and local government officials with a way to verify the security of cloud service providers. Leah McGrath, executive director of StateRAMP, said the program has grown quickly, with 25 states and nearly 400 cloud providers now involved.

“We’ve just seen rapid growth and adoption and interest, and we’ve iterated the program as well because of the member involvement and engagement,” McGrath said during the Federal News Network StateRAMP Exchange 2024.

Unlike federal agencies that are required to use FedRAMP-authorized cloud services, there’s no mandate for state and local governments to use StateRAMP. But with cyber criminals targeting public institutions at all levels, McGrath said threats are driving the demand for StateRAMP.

“Whether it’s malware or ransomware or just good, old fashioned cybersecurity breaches, we’re seeing it often coming through those third-party suppliers,” she said. “So we’ve got to work together to solve that challenge and to have that stronger cyber defense. And so I think StateRAMP gives an entry point for that to happen.”

StateRAMP’s Security Snapshot

StateRAMP is modeled after FedRAMP and based on the same National Institute of Standards and Technology controls. It relies on the third-party assessment organization (3PAO) model as well. Cloud providers that go through a C3PAO audit can be provisionally or fully authorized.

But McGrath pointed to several ways cloud service providers can get involved and show their commitment to security, even before they’re fully approved.

One is StateRAMP’s progressing products list, which identifies cloud service products that CSPs are working toward getting approved.

The other program she highlighted is StateRAMP’s Security Snapshot. Instead of a full-blown StateRAMP assessment, the snapshot provides an initial evaluation of a cloud provider’s security.

“Think of it like a mini audit,” McGrath said.

The snapshot program involves a virtual assessment of 41 high-impact security controls selected by the StateRAMP program office.

“At the end they get a score, but more importantly, they’re able to see, ‘What’s my risk? What do I need to work on?’” McGrath said. “The goal is to be able to work with these providers so that at some point, they’re ready for that StateRAMP ready audit or that StateRAMP authorized audit.”

Whether cloud providers start with a security snapshot or go through a full audit, the ultimate goal is to better understand and address the cybersecurity risks facing state and local governments.

“The reality is most of these providers are already working with state and local governments,” McGrath said. “We cannot freeze time and stop doing business because we’re reliant on these technologies to deliver government services. So what we can do is work with these providers to say, ‘OK, what’s your risk now?’ So that at least I have government visibility into where my potential threats may be.”

Harmonizing security frameworks

One of the goals for the StateRAMP program this year, McGrath said, is to help states meet various information security requirements under a framework harmonization effort.

“It’s all the different requirements out there that flow down to states and locals that they’re trying to make sense of,” she said. “And they have to make sure some of their providers comply with them. And that’s really hard because sometimes there’s disharmony, and they are all based on different things.”

For instance, StateRAMP now has a task force specifically focused on the Criminal Justice Information Services (CJIS) requirements established by the FBI. State and local courts, police departments and other institutions need to comply with CJIS requirements to handle criminal justice information.

By the end of 2024, McGrath said StateRAMP hopes to roll out an overlay that lets state and local governments map a cloud provider’s StateRAMP moderate assessment to the CJIS requirements.

“If we can help bring everybody together to drive toward that common understanding and acceptance of a baseline standard, we are making it far easier, I hope, for the provider community to be able to demonstrate that compliance once in order to serve their many government customers,” she said.

Blending StateRAMP and procurement

Another major initiative for StateRAMP this year is a joint procurement task force that’s been established in partnership with the National Association of State Procurement Officers.

“It’s really bringing procurement officials and experts together from the public sector with those IT folks and coming out of it with some great tools, very practical tools, for procurement officials across the country to be able to leverage when they’re looking at, what are those terms and conditions? And when should StateRAMP apply? Or how should it apply?” McGrath said.

The initiative is intended to recognize that it’s difficult for any public sector institution to adopt new processes.

“It’s really hard because you’re constantly hit with a new fire every day,” McGrath said. “So what we’re trying to do is provide easier-to-use resources to be able to make that change and adopt StateRAMP more confidently and consistently.”

Discover more tips and tactics shared during the Federal News Network StateRAMP Exchange 2024.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.