StateRAMP and Authentication: What You Need to Know
Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of authentication requirements that may be part of your StateRAMP authorization process.
The National Institute of Standards and Technology and Authentication
The importance of authentication and identity verification cannot be overstated, no matter the security context. Every proper cybersecurity framework or regulation will emphasize authentication because, without it, there can never be any other assurance that other security protocols can be effective.
Some of the core components of authentication include:
- Identity Management: Secure systems should be able to store and access user data related to digital identity. These systems will store and protect information connected to their function in the infrastructure. This means any user-specific information (including PII), authentication credentials, biometric information, etc. Additionally, identity management systems play a role in ensuring system integrity by disallowing duplicate or spoofed users.
- User Authentication: Authentication is the practice of comparing user-provided credentials and checking them against those connected to an existing user 9with privileges) within the system. These credentials can include username/password combinations, PINs, Biometric scans, SMS verification codes, etc.
- Multi-Factor Authentication: Most modern security systems will call for Multi-Factor Authentication (MFA), or the use of two distinct forms of authentication to ensure that the user is who they say they are and that they are present at the point of authentication. These factors can include things we know (passwords, PINs), things we own (mobile devices, email accounts, verification apps), and things we are (fingerprint scans, facial recognition).
- Device Identification: In some cases, it might be better for an organization to limit system access to specific devices as a security mechanism alongside other authentication methods. In these cases, device identification and authentication can ensure that only authorized devices gain access to IT infrastructure.
Authentication is much like a gatekeeper in front of a large mansion–it keeps unauthorized people out and ensures that the people inside the walls should be there. To provide that guarantee with as near 100% certainty as possible, an authentication system must use solid identity management, MFA, device authentication, etc., to ensure that fake users don’t climb over the wall or get through the front door with a fake ID.
NIST includes several criteria and requirements in a few documents to ensure that strong authentication best practices are used throughout government cybersecurity standards. Two of the key documents in this case include:
- NIST Special Publication 800-53, “Security and Privacy for Information Systems and Organizations”: This document serves as an inventory of controls accepted for use in federal security, covering everything from authentication and authorization to upgrades, physical security, and media disposal.
- NIST Special Publication 800-63-3, “Digital Identity Guidelines”: This document has several sections outlining requirements for organizations handling sensitive data, including how they deploy MFA, how they manage user identities, and how they can assure user identity more rigorously.
How Does StateRAMP Implement Authentication Controls?
As a spinoff of FedRAMP, StateRAMP adopts the exact requirements and controls. Following that, StateRAMP authorization will draw authentication requirements from NIST SP 800-53 that align with certain FedRAMP Impact Levels.
Regardless of the authorization level required by a CSP working with a state organization, a small collection of authentication controls will be part of some StateRAMP authentication.
These controls will include:
- IA-1 “Identification and Authentication Policy and Procedures”: The cloud offering undergoing StateRAMP authorization must have policies and procedures to implement and maintain authentication systems. This includes company hierarchies for IT and authentication management, remediation and incident response plans, and maps of how authentication requirements map onto existing business processes.
- IA-2 “Identification and Authentication (Organizational Users)”: Organizations must “uniquely” identify users and associate them with processes reflecting their position. In this case, “uniquely” refers to having a 1:1 relationship between a single user and a single, unique digital identity with system permissions. This control also includes smaller sub-requirements around MFA, replay-resistant authentication interfaces, and Single Sign-On (SSO) capabilities.
- IA-3 “Device Identification and Authentication”: This defines the use of unique device authentication through shared information like Media Access Control (MAC) identifiers and TCP/IP addresses across different communication and authentication solutions like Wi-Fi, EAP, TLS, Kerberos, etc.
- IA-4 “Identifier Management”: This factor discusses using unique identifiers as part of an authentication schema. Identifiers can include MAC addresses, IP addresses, device tokens, software tokens, usernames, passwords, etc. The critical part of this function is that the offering has a solution to ensure the integrity of managing these numbers and using them for unique authentication.
- IA-5 “Authenticator Management”: This sets some basic rules for the use of authenticators, including assuring the ID of an individual using the authenticator, assuring that the authenticator is sufficiently strong for the application, that default authentication is changed after the first use, refreshing authentication credentials over time, etc.
- IA-6 “Authenticator Feedback”: Systems will provide feedback based on user input (bad login attempts, system errors, etc.). This requires that feedback from the system, provided to either an end user or an unauthorized internal user, maintains the user’s privacy and does not compromise the security of any user accounts by disclosing credentials or contextual information.
- IA-7 “Cryptographic Module Authentication”: Cryptographic modules may require authentication before they allow maintenance or services, and such authentication must adhere to the same guidelines listed here.
- IA-8 “Identification and Authentication (Non-Organizational Users)”: The offering must provide authentication security for non-organizations (external) users in much the same way as internal users. However, additional concerns, such as federated identity services from outside ID providers and external MFA and authenticator verification, are additional concerns here. Providers must implement inventories and controls to address these issues.
Line Up Your Authentication Services for StateRAMP Authorization with Continuum GRC
If your cloud service offering is up for StateRAMP authorization, you’ll be looking at a walk of the NIST 800-53 requirements. Fortunately, Continuum GRC is a cloud-based risk and compliance management tool that can help you inventory your critical systems in preparation for this process. Furthermore, we have extensive experience with FedRAMP and NIST 800-53 requirements more broadly, meaning we are the experts in everything federal compliance.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.