StateRAMP, like any other compliance framework, includes several reports that document a provider’s progress through certification for the Program Management Office (PMO). As of February 2021, however, the PMO is still spinning up its resources and its StateRAMP report templates. As a result, many required report templates are slated for availability on the StateRAMP website but have not yet been published.
Fortunately, Cloud Service Providers (CSPs) preparing for potential StateRAMP certification can use the already-existing FedRAMP requirements as a guidepost. While there will be slight differences in requirements due to differences between state and federal agencies, both are based on NIST 800-53 requirements for security controls and assessment.
With that in mind, here are some of the key reports that have been outlined in StateRAMP documentation and what role they will play in the certification process.
System Security Plan
The System Security Plan (SR-SSP) is the largest and most significant of the StateRAMP reports. The CSP must complete it to document the security controls it has implemented and the infrastructure those controls protect.
Before building out this report, CSPs define their security categories based on the kinds of data that they will handle. These include:
- Category 1: Aligns with the FedRAMP Low Impact designation
- Category 2: Aligns with the FedRAMP Low Impact designation with additional controls
- Category 3: Aligns with the FedRAMP Moderate Impact designation
Following this, the CSP compiles thorough documentation of its security controls across physical, administrative, and technical responsibilities (depending on the designation). This layout of controls must be well-defined and thorough, speaking to the responsibilities of the CSP in relation to its State agency partner and the services it provides.
Unlike the other reports in this article, the SR-SSP doesn’t require the work of a Third-Party Assessment Organization (3PAO). However, many CSPs begin working with their 3PAO at this stage to leverage its automation tools and expertise and to ensure accurate StateRAMP reports.
The Readiness Assessment Report
According to the StateRAMP Assessment Framework, CSPs pursuing certification must complete a Readiness Assessment Report (SR-RAR). This document serves as a technical review of your capabilities to meet the requirements for the StateRAMP assessment.
What does that mean in practice? It means that your 3PAO will work with you to determine if your existing security controls can meet the demands of StateRAMP authorization. This includes assessing whether or not you have security controls like the following in place:
- Encryption and cryptography for data security
- Transport Layer Security for data-in-transit
- Anti-malware software, including alerts and auditing
- Access controls, including authorization
- Risk management measures
- Response, policies, and training related to security
The purpose of the RAR isn’t to penalize new CSPs, but to streamline the certification process by advancing organizations that are prepared to undergo assessment. A reputable 3PAO will support you during this process and prepare you. If you are simply not prepared, it can tell you which controls need to be in place for you to succeed in the program.
Note that this report is not undertaken by the CSP. It is an assessment by the 3PAO in conjunction with the StateRAMP PMO to maintain an independent audit of your capabilities.
Under FedRAMP, this requirement differs slightly depending on the certification route; how StateRAMP regulations will shape it remains to be seen.
The Security Assessment Plan
Once a CSP is determined to be StateRAMP Ready, they are then required to submit a Security Assessment Plan (SR-SAP) to the StateRAMP PMO. This document covers the testing and assessment approach that the 3PAO will take to test the capabilities of the CSP.
The SR-SAP derives directly from the SR-SSP: the 3PAO outlines how it will test the controls listed in the SSP against the demands of the partner agency the CSP will work with. The 3PAO draws on previous assessment cases for the controls in place alongside the assessment procedures defined in NIST SP 800-53A. These tests include procedures such as penetration testing, audits of logging and reporting, and evaluations of authorization and access controls such as firewalls and multifactor authentication.
This might seem redundant. After compiling an SSP and a RAR for its client CSP, the 3PAO should already have a clear picture of the CSP and its vulnerabilities.
In reality, the purpose of certification is to set up CSPs to succeed if they are able, and all the preparation leads up to the actual assessment. Just because a CSP has security controls in place does not mean that those controls are implemented well, or that they don’t hide unknown weaknesses or vulnerabilities that could accidentally disclose citizen data.
The Security Assessment Report
Once the 3PAO completes its testing, it produces the StateRAMP Security Assessment Report (SR-SAR). This report provides the results of the assessment, including an analysis of the CSP’s risks and a breakdown of any vulnerabilities the CSP must address to meet StateRAMP requirements for authorization. It also includes steps to mitigate those vulnerabilities within the StateRAMP framework and NIST 800-53.
The results documented in the SAR must respond to the steps and outcomes outlined in the SAP, and the corrections it calls for must be limited to the relevant controls outlined in the SSP and the SAP.
The Plan of Action and Milestones and Final StateRAMP Reports
StateRAMP includes requirements for addressing vulnerabilities and performing continuing maintenance after authorization. As a final report, the CSP must complete a Plan of Action and Milestones (POA&M) that documents how it will address the vulnerabilities identified in the SAR, including milestones for when the appropriate mitigation efforts will begin and be fully implemented.
The execution of the POA&M will occur during the Continued Monitoring Phase under the review of the 3PAO and the StateRAMP PMO.
Final Security Package and Authorization
For final authorization, the CSP must compile and provide a complete security package, which includes the following StateRAMP reports:
- The SR-RAR completed by the 3PAO, demonstrating StateRAMP Ready status
- The Security Controls Template (SSP) completed by the CSP
- The SR-SAP completed by the 3PAO
- The SR-SAR completed by the 3PAO
- The POA&M completed by the provider
The PMO evaluates the package to make a final decision on StateRAMP Authorized status. Note that this evaluation is independent of the partner State agency; contracting issues outside of certification are separate from the StateRAMP PMO.
Are you preparing FedRAMP or StateRAMP reports for an Authorization to Operate and want a 3PAO with years of experience and advanced automation tools? Call Continuum GRC at 1-888-896-6207 or contact us with the form below.