The New Hampshire and Maine cyber leaders say using the StateRAMP cloud security shared service accelerates their digital transformation efforts.
When Ken Weeks became the chief information security officer for the state of New Hampshire in 2022, he considered setting up a cloud security program just to serve his state.
Around the same time, Charles Rote, deputy CISO for the state of Maine, recognized the need to validate and verify the security of cloud services but quickly realized he had a people problem. Maine, like many public and private sector organizations, just couldn’t hire enough cybersecurity experts.
Weeks, meanwhile, had his New Hampshire team of three look into what it would take to set up an oversight security program.
What both Rote and Weeks quickly grasped, the “do once, use many” mantra became the fastest road to modernizing their states’ aging technology infrastructures and applications.
“Having a repeatable process, through StateRAMP or FedRAMP that aligns with the standards that our policies and procedures are written to anyway, has been a lifesaver for me,” Weeks said during the Federal News Network StateRAMP Exchange 2024.
“In New Hampshire, for example, we’re fortunate that we looked into the crystal ball and guessed properly and aligned our policies and procedures with the same set of National Institute of Standards and Technology standards that StateRAMP currently operates under. By doing that, when we select a vendor or give a preference to a vendor who’s gone through the StateRAMP process, we know that not only have they met the same security standards and controls that we impose upon ourselves at the state, but they’ve been verified by somebody else.”
It means the state no longer has to take a vendor’s word for the validity of cybersecurity statements, Weeks said. “We have a trusted third party, both from the auditing documents that are submitted to StateRAMP as well as the StateRAMP program management office that’s reviewing all those in great detail before we select the vendor and start doing business with them.”
StateRAMP, the cloud security program modeled after the federal cloud security program FedRAMP, launched in 2021 to provide a shared service model for best practices and standardization in cloud security verification.
Rote said the duals challenge of hiring cyber talent and maintaining an aging technology stack drove the decision to lean into StateRAMP.
“By transitioning to a cloud environment, oftentimes if you have the right partner, it causes you to be more disciplined in how you manage that environment. Applications can’t be exceptionally old to operate in these cloud environments, so that pushes some of the application development and our infrastructure folks to be more modern, more current and maintain the security at an appropriate level,” Rote said.
“The importance of the security assurances is we only select certain assurances for those most critical datasets or those most critical business functions. By selecting only the best of those credentialing requirements, it alleviates a lot of burden on our information security office, which may not have the appropriate personnel and the appropriate time to do the assurances. But also, oftentimes, if you’re not leveraging these third-party audits and results, the solutions can be a bit of a black box too. You’re not necessarily doing your due diligence to make sure that what you’re putting in that environment is truly safe.”
For Maine, New Hampshire and likely many other state and local organizations, having that confidence in their chosen cloud service providers removes one level of complexity as they continue on their digital transformation journeys.
Weeks said, for example, New Hampshire recently accelerated its move of applications and workloads to the cloud.
“It has a lot to do with maintaining data centers and keeping data centers modern — and the expense that goes into that from a power, space and cooling standpoint. It’s also having enough staff to do all of the necessary cyber hygiene things, security updates, application updates and so on,” he said. “The idea is to host as little on premise and have as few remaining custom applications as we can. We’re looking for more and more commercial products that can be hosted as a managed service, both from a cloud hosting environment as well as the applications themselves.”
Weeks said the reliance on StateRAMP also has made it easier to contract with cloud service providers, which then speeds up digital transformation.
If a CSP is StateRAMP-approved, New Hampshire accepts the certification and focuses on the other aspects of the contract such as terms and conditions. But Weeks warned that while having a StateRAMP certification is reassuring, it’s still incumbent on his team to understand all the risks associated with every product the state acquires and implements.
“It’s important to point out that just because a product from a company is StateRAMP- or FedRAMP-certified, that doesn’t mean the company is certified, it’s just that product,” he said. “You have to make that distinction, and you also have to make a distinction between the product and the hosting environment. Because you can take a certified product and host it at Joe’s Chicken Shack and Web Hosting, and you’ve kind of defeated the purpose of having a StateRAMP-certified product.”
Maine is using the confidence in the CSPs to move toward a single enterprise. Rote said each of the CSPs becomes a part of a larger network.
“There has to be an inherent level of trust associated with that. We were lucky too as we saw the tea leaves and the writing on the wall that NIST standards were the way to go. Utilizing cloud service providers at the various impact levels translates well and enables us to deploy capability at an efficient rate with the right partners,” he said. “The great thing about leveraging FedRAMP for anything that’s holding our federal regulatory compliance requirements is that the federal government approaches certifications of clouds services in a similar fashion to the way that we can explain being accepting of the StateRAMP certifications. So it expedites our ability to migrate data from the federal government that’s been shared with us. That is essential to us conducting our businesses.”
He added that when using a CSP that meets FedRAMP requirements, the different federal agencies the state deals with are more likely to accept that single security baseline, typically at the FedRAMP Moderate certification.
“However, when it’s on premise and you’re dealing with each one of these federal entities in isolation, they tend to pile on all these extra requirements on the state in their compliance regimes, and it can be problematic and it’s a significant burden,” Rote said.
Discover more tips and tactics shared during the Federal News Network StateRAMP Exchange 2024.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED