Page 47 - FCW, March/April 2021

“Vendors that don’t do a lot of business with the U.S. government but do a lot of business with state and local governments will now have the opportunity to go through... StateRAMP.”
JOHANN DETTWEILER, TALATEK
works for their internal operations, but the extension of those through the procurement process to vendors on an ad hoc basis is very difficult, and that’s where StateRAMP comes in,” said Ted Cotterill, Indiana’s chief privacy officer and a StateRAMP board member. By offering a collective approach “through this uniformity at the agency level or at the contract level and then across the country, [it puts] states on this very solid footing with respect to CSPs and all the cyber risk management concerns that flow from those relationships.”
The standardization benefits CSPs, too, said J.R. Sloan, Arizona’s CIO. “I think it will be tough for states to continue to invest in their own monitoring and verification processes when there’s something like this that’s available,” added Sloan, who also serves on StateRAMP’s board.
CSPs now have a “verify once, use many” standard, Bielawski said. Before, “I didn’t know what I didn’t know,” he added. “If I had had a StateRAMP organization that had guidance, mentorship and [quality assurance] and teams of people at various levels of the certification process to answer questions just as a sounding board, it would have saved so much time, money and false starts.”
Finding common ground on security
Security and cloud policies are fundamentally similar across state and local governments, Sloan said.
“While there may be nuances from a policy perspective, the common ground is there,” he said. “We’re [making] allowances for that, where there can be a low-plus or a moderate-plus approach to data classification and the type of controls. If any government entity has something that is special and unique to them, there’s a construct to be able to deal with that, recognize it and identify it but still minimize the burden on both the state and the vendor from a compliance and monitoring perspective.”
McGrath said that basing the organization’s efforts on NIST’s Cybersecurity Framework “gave us a place to start so that we can have a standardized approach to these different impact levels but allow the flexibility when needed. That’s how we’ve tried to adapt the controls and make it work for state and local government.”
The organization’s leaders expect wide interest in StateRAMP for several reasons. In particular, many agencies accelerated their adoption of cloud technology in response to the COVID-19 pandemic. Although companies must still be assessed on the front end, Dettweiler said, “on the back end, it’s going to be much faster because once the organization receives its StateRAMP accreditation, then all those other states and the local governments within the state itself...will be able to look at the StateRAMP Marketplace and say, ‘Yes, this cloud service provider has gone through the process.’”
Additionally, Cotterill said StateRAMP reduces the friction that can occur during contract negotiations and allows a single point of contact for vendors in the event of a cyber incident.
“All of that frees up state resources,” he said. “We’re expected, as governments, to do more with less. We have to mitigate these risks with often fewer resources actually assigned to do that.... In state government, we’re stewards of the people’s information, and we have to get it right. StateRAMP makes it easy.” ■