Page 46 - FCW, March/April 2021

ACCELERATING STATE AND LOCAL CLOUD ADOPTION
Taking a cue from the federal cloud program, StateRAMP standardizes the security assessments for CSPs that work with state and local agencies
BY STEPHANIE KANOWITZ
A nonprofit organization is adapting the federal government’s approach to verifying the security of cloud products and services in an effort to streamline cloud adoption at the state and local level.
StateRAMP is modeled on the Federal Risk and Authorization Management Program (FedRAMP) and also adheres to security controls developed by the National Institute of Standards and Technology. Cloud vendors will undergo an assessment similar to FedRAMP’s process to validate that they meet security controls at low, moderate and high levels.
Agencies that contract with validated CSPs may not need to conduct their own assessments, a process that’s often redundant because companies work with multiple state and local agencies on similar programs.
Leah McGrath, StateRAMP’s executive director, said the organization’s steering committee wanted “to bring state and local governments and the providers together to recognize a set of standards [and] to recognize a common method for verification so that together we can improve the cybersecurity posture of everybody.”
Since the organization’s launch in January, the focus has been on awareness and outreach. Joe Bielawski, president of Knowledge Services and a member of StateRAMP’s board, said the steering committee and board of directors have spent more than 1,000 hours on the effort, including having conversations with representatives of 25 states and making presentations to 44 of the more than 800 CSPs that are interested in participating in the program.
He added that FedRAMP has been a huge help to federal agencies, but its regulations limit the vendors that can participate. For example, FedRAMP requires that a company do business with an agency within 12 months of achieving certification. StateRAMP does not have that stipulation.
A ‘verify once, use many’ standard
StateRAMP will offer six security statuses: active, pending, ready, in process, provisional and authorized. The StateRAMP Marketplace will list CSPs that have attained a StateRAMP security status and CSPs that have received FedRAMP authorization. It will also list StateRAMP-approved third-party assessment organizations (3PAOs) that can help CSPs through the certification process. FedRAMP 3PAOs can also register to be StateRAMP 3PAOs.
“Vendors that don’t do a lot of business with the U.S. government but do a lot of business with state and local governments will now have the opportunity to go through...StateRAMP,” said Johann Dettweiler, director of operations at TalaTek. The company is a 3PAO for FedRAMP and recently became a StateRAMP 3PAO.
To receive StateRAMP authorization, CSPs have to undergo a readiness assessment — a high-level view of the company’s system that a 3PAO must perform, Dettweiler said. A full initial assessment takes eight to 12 weeks, but this assessment takes only two to four weeks.
At the end, the 3PAO determines whether a company would likely pass a full assessment. FedRAMP also has a readiness assessment, but it’s required only when providers seek a provisional authorization from the Joint Authorization Board.
“States have cybersecurity frame-