Government agencies are expanding their civil services, and that includes a huge investment into modern technology like cloud platforms. Cloud platforms supporting government agencies will necessarily handle private data, which means that they need to maintain a high level of security. That’s where StateRAMP comes in.
States don’t have a unified security framework. But the StateRAMP organization modeled a new compliance framework off of the existing and robust FedRAMP requirements for cloud providers working with Federal clients.
Learn more about StateRAMP and why it may be important for your business to prepare for it.
What is StateRAMP?
StateRAMP is a state-level equivalent to FedRAMP. Based on federal regulations and NIST 800-53, StateRAMP is both an organization and a compliance framework that helps State agencies manage high-level security requirements.
Likewise, it helps Cloud Service providers demonstrate to State agencies that they meet a certain level of security for personal data.
What are StateRAMP Requirements?
As State agencies turn to cloud platforms, they are working to adopt security standards to meet necessary data protections for their citizens. StateRAMP outlines the requirements along the same lines as FedRAMP certification:
- Meeting standards outlined in NIST Special Publication 800-53 Revision 5. This document spells out technical, physical, and other security controls that providers can take for IT security. Compliant CSPs must adhere to this document to be StateRAMP compliant.
- Working with a Third-Party Assessment Organization (3PAO) throughout the certification process, from readiness assessment and through continued maintenance and monitoring.
- Providing a report demonstrating that your cloud service meets or exceeds requirements for certification.
- Undergoing continuous monitoring to show that your organization continues to meet current StateRAMP requirements.
Within this framework, there are dozens of specific requirements in play that can impact a cloud vendor and how they serve State agencies.
The StateRAMP Authorization Path
The StateRAMP authorization path follows the FedRAMP path rather closely, all things considered. It involves several steps to not only ascertain preparedness but also guarantee that a provider stays compliant.
The steps of the Authorization Path are:
- Active: Active simply means that the process has been started and a CSP has approached StateRAMP for certification. At this step in the process, the providers began working with a 3PAO and StateRAMP Project Management Organization (PMO).
- Pending: After a period of assessment, the 3PAO submits a “Ready Package” to StateRAMP officials. This package demonstrates that your cloud organization is ready to handle the minimum mandatory requirements of certification. It DOES NOT, however, suggest that you are compliant.
- Ready: The StateRAMP organization reviews your Ready Package and determines if you are capable of completing the audit as required.
- In Process: The meat and potatoes of the review. Here, a couple of things happen. First, your IT team and leadership will begin working with your 3PAO to prepare your full security package. Testing here includes items like cataloging security controls and risk assessments, penetration testing, determining reporting and logging capabilities, and more. Remember that these are compared to the requirements of NIST 800-53. Following that, the 3PAO compiles a report for StateRAMP showing that you meet requirements and are a candidate for certification.
- Authorized: Once StateRAMP has approved the Security Package, your organization is certified and capable of answering any RFP or working with State agencies that require StateRAMP.
- Continuous Monitoring: Following approval, your organization must, alongside your 3PAO, continue monitoring your controls to ensure compliance with existing and updated regulations.
StateRAMP Security Assessment Framework
The StateRAMP framework is similar to the FedRAMP framework, which is modeled off of the NIST Risk Framework management. In this framework, there are several key steps to moving through this framework towards compliance:
- Selecting your security controls. This is where you must determine your impact level and the controls and requirements associated. These impact levels include Low Impact, Low/Moderate Impact, and Moderate Impact, all three of which align with FedRAMP categories of the same name. Additionally, you may have additional control requirements outside of these categories to consider. StateRAMP and 3PAOs can help you with these determinations and the relevant security controls for each category.
- Implementing your security controls. Perhaps it goes without saying but at this stage you and your 3PAO work to implement these security controls within your organization. This doesn’t include controls already in play, but it does impact existing controls if there are discrepancies in configuration or implementation. You’ll also document these controls and their implementation in a System Security Plan (SSP).
- Running a Security Assessment Plan (SAP) and completing a Security Assessment Report (SAR) with Your 3PAO. Your 3PAO will create and complete a Readiness Assessment Plan For approval before assessment. Following that, the 3PAO creates an SAP to use during testing of your controls. Once testing is complete, they also complete the SAR.
- Authorization. The SAR contains information on any vulnerabilities, weaknesses and risks discovered during testing. You must submit a Plan of Action and Milestones (POA&M) which outlines steps for you to take during continuing maintenance.
- Submission. You submit your StateRAMP SAP, SAR and POA&M (including any additional required documents as determined in consultation with your 3PAO.
Why are Cloud Service Providers Turning to StateRAMP Certification?
More and more government agencies are turning to advanced frameworks to guarantee the security of citizen data. This data is highly sensitive and private and could be damaging if not protected properly.
Likewise, these agencies are looking to enterprise solutions to help them better protect that data and develop real solutions for better products and services that can enhance the lives of their constituents. Cloud platforms provide that level of flexibility and power, and many of them also include compliant features to meet specific security needs.
If you are a cloud provider offering any level of IaaS, SaaS, or PaaS services or functionality, then it’s imperative that you meet a high level of security scrutiny. Unfortunately, there isn’t necessarily a uniform compliance framework among all states. StateRAMP is a push to a uniform framework, but not every State agency or State government follows it.
Meet StateRAMP Compliance with Continuum GRC Solutions
Like FedRAMP, businesses don’t have to manually manage their compliance requirements when they have a reliable 3PAO and an automation solution. Working with a GRC provider that supports StateRAMP can help you not only prepare for StateRAMP, but maintain your StateRAMP compliance no matter how it, or your business operation, changes.
Want to learn more about how you can automate your StateRAMP and FedRAMP compliance efforts? Call Continuum GRC at 1-888-896-6207 or contact us with the form below.