StateRAMP Exchange 2024: Genesys’ Steven Boberski on value of StateRAMP authorization, FedRAMP reciprocity

With cyberattacks on the rise, government agencies want to make sure the cloud services they use are secure. That makes “reciprocity” a key watchword for both agencies and industry alike.

While states aren’t involved in the Federal Risk and Authorization Management Program for authorizing cloud services at the federal level, the four-year-old StateRAMP process was built to mirror FedRAMP in many ways.

Both programs are based on the same cybersecurity standards. And StateRAMP now lets cloud companies submit the same security package and third-party audit that they prepared for FedRAMP under the StateRAMP Fast Track program.

“Reciprocity allows FedRAMP stakeholders and authorization holders to reuse the artifacts that they’ve used to get their space FedRAMP authorization,” said Steven Boberski, the public sector chief technology officer at Genesys, during Federal News Network’s StateRAMP Exchange 2024.

By allowing companies to submit the same documentation for StateRAMP, the hope is that they can get authorized faster and save money at the same time.

FedRAMP over StateRAMP?

But in some cases, a state agency may require a technology provider to be FedRAMP-certified, rather than obtaining a StateRAMP authorization.

Boberski pointed out that any state agency that handles federal tax information, such as a department of revenue, needs to be compliant with Tax Information Security Guidelines set by the IRS, for instance.

And those guidelines require states to ensure that any cloud service provider they use for handling federal tax information has a FedRAMP authorization.

“States cannot issue FedRAMP authorization – that’s why they have the StateRAMP program – so they are dependent upon the federal agency to issue an authorization if they want to use that service,” Boberski explained. “So that’s really why they might prefer it. Otherwise, the programs are pretty similar.”

Cyber compliance in high demand

While StateRAMP and FedRAMP are fairly well aligned, there are more government cyber supply chain risk management programs bursting onto the scene.

The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program is perhaps the highest profile of them all. The program will require many defense contractors that handle controlled unclassified information (CUI) to get a third-party assessment of their cybersecurity practices.

The Pentagon released the proposed rule for the CMMC program in late December. DoD hopes to begin including the requirements in contracts starting next year.

With FedRAMP already in existence, industry has called on DoD to allow some level of reciprocity for contractors that use FedRAMP-certified cloud environments.

“Hopefully, we’ll see some reciprocity there as well,” Boberski said. “There is a moderate amount of overlap between CMMC and the FedRAMP controls based on what baseline or risk impact level you’re at. And it would be nice if you could perhaps leverage those artifacts again.”

Similarly, the Office of Management and Budget has set new software security standards for federal agencies. Software producers can comply with those requirements by submitting FedRAMP documentation, another example of reciprocity.

“Supply chain risk management in general as a practice, commercially and in the government, is becoming extremely popular,” Boberski said.

That includes state and local agencies that are turning to StateRAMP to verify the cybersecurity of their technology vendors.

“It is definitely picking up in popularity and use,” Boberski said. “It’s really about accessing those documents and getting that seat at the table and having a risk management framework that everybody can leverage equally. And that’s what StateRAMP brings to the table for the non-federal agencies.”

Discover more tips and tactics shared during the Federal News Network StateRAMP Exchange 2024.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.