StateRAMP takes several of its requirements from FedRAMP, and perhaps one of the most important is continuous monitoring. Continuous monitoring ensures that systems that earned StateRAMP Authorization remain in compliance year after year, avoiding gaps in security and protecting the interests of state and local governments.
What Is the StateRAMP Continuous Monitoring Guide?
Under StateRAMP, organizations providing cloud services to state and local governments must maintain their authorization regularly once they’ve met StateRAMP requirements. This ongoing maintenance must align with the StateRAMP regulations and the risk management framework and security posture of the organization, depending on their market and capabilities.
Simply put, ongoing maintenance proves that you aren’t letting security and risk issues slip after an audit and can remain in service to critical governmental agencies.
The StateRAMP Continuous Monitoring Guide provides a comprehensive model for how organizations must approach their maintenance obligation. It outlines the structure of this monitoring, including who must perform it and how it is reported.
Roles and Responsibilities
StateRAMP continuous monitoring includes several stakeholders, each of which serves a role in the process:
- Service Providers: The cloud service provider (CSP) and the subject of the audit and continuous monitoring. These organizations must understand their monitoring and auditing requirements and partner with an authorized assessment firm to complete these requirements.
- StateRAMP Project Management Office (PMO): The PMO manages the ongoing monitoring programs and implements the StateRAMP requirements.
- Government (or State) Authorizing Body: The organization supporting local or state government that has contracted with the Service Provider for cloud services of any sort. These bodies determine the information the CSP will store (PHI, PII, etc.). This organization will review monitoring “artifacts” (reports or assurances of compliance) on behalf of the state to ensure that Plans of Action and Milestones (POA&M) or other monitoring requirements are met.
- Third-Party Assessment Organization (3PAO): 3PAOs are certified security firms that partner with service providers for auditing and monitoring purposes. In cases of continuous monitoring, a 3PAO will verify provider controls by conducting penetration tests and annual scans, assessing security based on infrastructure changes, and performing annual reviews of at least ⅓ of the provider’s security controls.
- Standards Committee: This committee reviews and sets minimum requirements for StateRAMP Low, Moderate, and High impact levels and how they affect continuous monitoring.
Additionally, the Continuous Monitoring Guide divides a continuous monitoring program into five distinct stages:
- Create: An organization must create a plan for continuous monitoring. This plan should include insights from their 3PAO, findings during authorization, and any defined timelines in the POA&M.
- Implement: Organizations should be able to implement a monitoring infrastructure that can collect, analyze, and report on operations and data within the relevant systems.
- Respond: Any issues detected during monitoring must be followed by rapid mitigation of security vulnerabilities.
- Review: Any discovered issues and remediation efforts are followed by a review to maintain the visibility of these issues and ensure that the existing problems remain attended to.
- Adapt: Maintain ongoing updates and security upgrades to address emerging vulnerabilities.
Continuous Monitoring in StateRAMP
Considering these stakeholders and the basic steps of an ongoing monitoring process, StateRAMP expects providers to produce a series of actions, reports, and communications demonstrating their continued adherence to the process.
What is that process?
Traditional First Steps
Under StateRAMP, service providers must:
- Consider the continuous monitoring process starting as soon as they receive a StateRAMP authorization status.
- Partner with a 3PAO to create their monitoring plan. This plan must adhere to the policies devised and provided by the State Authorizing Body.
- Provide the StateRAMP PMO with monitoring artifacts, including monthly reports and reviews of access rights to the StateRAMP document repository.
Additionally, 3PAOs will submit annual documentation and penetration test reports.
Finally, the StateRAMP PMO will analyze these artifacts to determine if the provider has met their requirements. They will also provide access to the State Authorizing Body for further review. If at any time any party (PMO or Authorizing Board) determines that there are issues with the monitoring results, they will meet with the provider to create a POA&M that usually includes additional requirements.
StateRAMP PMO Monthly Review
On top of these first-step processes, the CSP is expected to provide a monthly report to the StateRAMP PMO that summarizes vulnerability and compliance scans. These reports will highlight high-, moderate-, and low-risk vulnerabilities. High-risk vulnerabilities must be addressed within 30 days, moderate risks within 90 days, and low risks within 180 days.
Additionally, providers with Low or Moderate impact levels will upload to the PMO a copy of their updated POA&M, an inventory of monitored controls, risk adjustments, operational requirement changes, records of false positives, and an executive summary of all the above elements.
Those with High impact levels must complete the above-listed rules under a program directly managed by the PMO.
Alongside monthly reporting requirements, service providers must conduct annual reviews and reports to remain in good standing with the StateRAMP PMO. Some of these actions include:
- Conduct reviews of all information security policies and procedures. High-risk systems require annual policy updates, while low- or moderate-risk systems only require policy updates every three years. These updates must be attached to their System Security Plan (SSP).
- Work with a 3PAO to annually assess a subset of their controls. The 3PAO decides which controls to review, at a volume that equals roughly ⅓ of the provider’s relevant controls. The PMO or the Authorizing Body may require additional control audits.
- Perform penetration tests. Providers must partner with a 3PAO who will conduct the test and provide the results to the PMO.
Alongside these requirements, the provider’s 3PAO must also conduct a few annual activities outside the influence of the provider. These include:
- Developing security assessment plans to determine the scope of their annual audits.
- Assessing and reporting on provider controls. This includes annual, in-depth monitoring, vulnerability scanning, testing, and threat assessment.
- Performing performance and load testing every three years.
Stay Ahead of StateRAMP Continuous Monitoring Requirements with Continuum GRC
Continuous monitoring is a lengthy, ongoing process. Providers are expected to regularly provide reports and checklists to demonstrate their compliance: paperwork that can take weeks or months to complete without careful planning and a straightforward process.
With the Continuum GRC cloud platform, you can streamline document management, risk management, and compliance control. Our automated tools provide a bird’s-eye view of your security posture while reducing the time needed to complete documentation and reports from months or weeks to days.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.