With the increased adoption of cloud services by governments and organizations of all sizes, there’s a new kid on the block for the state and local government market that is looking for consistent approaches on cybersecurity standards from cloud providers that they want to do business with.
Enter StateRAMP, which launched in January 2021, and says it advocates for “strong but fair cybersecurity standards,” and represents the “shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions.” The organization, whose board is majority-run by state and local government officials, is not affiliated with the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) that provides a standardized approach to security authorizations for cloud services used by the Federal government.
While the FedRAMP and StateRAMP organizations are not affiliated, they share plenty of the same aims, said
Leah McGrath, Executive Director of StateRAMP, who was joined by Arizona’s CIO J.R. Sloan, and GovExec TV’s Executive Producer George Jackson, at GovForward’s FedRAMP Policy Summit event on July 20 to discuss the background, status and rollout of the new program.
“What if states and local governments could come together with the providers who serve them to recognize a common set of standards and therefore a common method for verifying cloud security for the suppliers,” McGrath posed. That effort, she said, would help states and local governments manage the third party risk that comes with working with different vendors in cloud services, similar to how FedRAMP serves the Federal sector.
To that end, last year a dozen current and former state CIOs, CISOs, and procurement officials joined with private industry, third party assessment organizations, and subject matter experts to identify a common set of standards, and establish a common method for verifying cloud security. The result was the formal establishment of StateRAMP in January 2021.
When moderator Jackson noted, “sometimes imitation is the sincerest form of flattery,” McGrath agreed.
“We really looked to existing frameworks to try to inform us as we developed StateRAMP including FedRAMP, the Federal process for verifying cloud security, and certainly looked at NIST, the National Institute of Standards and Technology.” They found in speaking with state and local officials that most if not all had adopted a cybersecurity framework based on NIST guidance. “So looking at FedRAMP, looking at NIST made a lot of sense as a place to start. We also had great input from some of the other state associations like NASPO and NASCIO, and so we had contributions from them to really help us think through the governance of how to organize a new nonprofit,” McGrath said.
Asked to explain how FedRAMP focusing on the Federal sector could be applied to a widely dispersed group like state and local government, Arizona CIO Sloan replied, “I think with StateRAMP what you see is a recognition that states – like the feds – are wrestling with a common set of challenges,” Sloan said.
Arizona, like most states, began its cloud adoption journey several years ago before there was anything like StateRAMP. The state has been adopting cloud services, infrastructure as a service, platform as a service, and now software service applications. “All these have different challenges that they bring with regards to what’s the approach to security, what’s the approach to governance, what’s the approach to the acquisition process, and how do all these things work together,” Sloan said.
He admitted that FedRAMP had a lot of things going for it in terms of recognition, so choosing the AzRAMP name in Arizona was an obvious path. “In this way, our vendors understood the intent of what we were trying to do with this process. We ultimately settled on the NIST 800-53 standard that we were going to base our security assessment on, and we brought 200-300 vendors on our approved list just in the past few years,” he said. The process in Arizona, however, convinced Sloan that adopting a program like AzRAMP nationwide was the way to go, and StateRAMP was born.
“As I went through this process, I started to see the organizational burden – on myself, and as an organization, on my people,” Sloan said. “But I also saw what vendors were faced with, serving multiple states and having to go through this assessment and approval process multiple times.”
In addition, vendors had perhaps completed a similar process in another state which might have been largely comparable to what Arizona was asking them to do, but there was no way for Arizona to access this information, nor for other states to share it. “So the concept of StateRAMP just really resonated with me when Joe [Bielawski, StateRAMP board member] and I sat down and first talked about it early last year,” Sloan said.
GovExec TV’s Jackson raised one issue that has been a concern on the FedRAMP side, and what StateRAMP could learn from their experience. “One of the initial critiques about the FedRAMP process was, as they were standing this up, it became somewhat cumbersome for the Federal IT contracting community to be on board and to receive that stamp of approval, if you will. Have you paid attention to that and how are you addressing it,” he asked?.
“I think the approach that StateRAMP has built in, is a mindset of seeking to provide reciprocity for those vendors that have already done FedRAMP,” Sloan said.
“This isn’t a, ‘Hey, now you’ve got to go through our hoops and run our gauntlet.’ We recognize that the FedRAMP is a good, solid standard. There’s a lot of alignment and similarity and so that reciprocity will ease and speed vendor adoption,” Sloan said. Also, by working with the vendor community, especially smaller firms that focus primarily on state and local governments, and having their input, the process will be eased for those outside the FedRAMP program.
At the same time Sloan emphasized that the StateRAMP certification process needs to require a certain amount of rigor. “If this is just a simple check the boxes, and we’re up and running, that’s really not going to provide me the comfort to sleep better at night about a given vendor,” he said.
One final point that Sloan highlighted was StateRAMP’s continuous monitoring aspect. “I don’t know that any state approach really had built into their solution, ongoing and continuous monitoring. That was the hill that I didn’t know we were going to be able to climb due to limited resources,” he said.
Plus, there were the examples when vendor solution assessments and procurements stacked up, causing delays while awaiting certification. So Sloan understood the question of speed in how states’ processes occur; however, he pointed out that there’s also going to be speed on the other side as states will be able to engage more quickly with a vendor that has already achieved certification. “I’m sure there will be some wrinkles to work out in the early days as we get started, but I’m confident that, just like FedRAMP, the processes will be improved. And the end result will be something that really serves state and local government well.”
Asked what’s next in the process, McGrath replied, “I’ve heard [Sloan] say before that StateRAMP is the right solution at the right time. And as we’re launching this we’re excited to see such a great reception, no matter who we’re talking to, not just states and local governments, but also the providers who are really looking forward to having this standardized approach, a ‘verify once, use many’ options that they haven’t had before.”
She believes that StateRAMP can significantly help streamline and standardize the procurement process, and that can help ease the friction that can occur when governments are trying to figure this out on a one-off basis. “I think you’re going to see states begin really adopting StateRAMP as a requirement for new contracts or new RFPs or renewals, to verify that the providers they’re working with have secure minimum baseline standards,” McGrath said. “You’re going to start seeing states adopt policies in RFP requirements where extra points are awarded for StateRAMP authorizations or verifications.”
McGrath closed with an appeal for attracting organization members who share a desire and passion to improve the cyber posture with state and local governments.
“We’re trying to help address a need that is really great and I think has come to light, especially in the last few years,” she said. “We know that states and local governments are under attack from cybercrime and other risks, and so it’s going to take everyone coming together to address that, and help make it better while improving the cyber posture of the providers as well.”
Membership in StateRAMP is open at no cost if you’re an appointed official, or if you’re an employee for a state or local government who has responsibility for security, or information technology procurement or privacy. Plus, there’s a membership category for providers as well. “We’ve got a membership category for providers to be a part of the network and committees, and by then joining, state ramp providers also have the ability to list their authorized offering on the state ramp authorized vendor list, and that is very similar to FedRAMP marketplace if you’re familiar with that, a listing that will be maintained on our website publicly,” McGrath said.