StateRAMP, System Security Plans, and the Operational Control Matrix

StateRAMP System Security Plan Featured

StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities. 

In Revision 5, StateRAMP has seemingly moved from the traditional SSP toward an “operational control matrix,” or systematized document outlining the same information. Here, we’ll cover the SSP/control matrix and what it represents for the provider during StateRAMP authorization. 


What Is in the StateRAMP Operational Control Matrix?

StateRAMP, like FedRAMP, involves the cloud provider offering a report on their security capabilities, expected assessment perimeter, and other core information. This SSP is usually one of the first documents in the assessment process. 

With the move to Revision 5, StateRAMP has recently replaced the SSP with a similar document, the Operational Controls Matrix

The StateRAMP Operational Controls Matrix is a tool cloud service providers use to document and manage the operational controls they have implemented to comply with StateRAMP requirements. It demonstrates the list of controls the provider has implemented and how their policies and procedures map onto basic StateRAMP compliance–in essence, it is a testament to the provider’s ability to undergo assessment and a beginning roadmap for 3PAOs to develop their assessment plans. 

Critical aspects of the StateRAMP Operational Control Matrix include:

  • Control Identification: The matrix lists the specific operational controls required by StateRAMP. These controls are typically based on standards such as NIST SP 800-53, which are used to ensure the security and integrity of cloud services.
  • Control Implementation Details: The matrix details how the CSP has implemented each control. This includes descriptions of processes, tools, and technologies used to meet the control requirements.
  • Responsibility Assignment: The matrix assigns responsibility for each control to specific roles or departments within the CSP’s organization. This helps in ensuring accountability and clarity in control management.
  • Status Tracking: Along with the name and type, the control matrix includes information regarding the status of that control and how it is implemented.
  • Documentation of Procedures: The matrix often includes references to additional documentation that supports the implementation of each control, such as policies, procedures, or system configurations.

Note that the matrix is not a static document; it should be regularly updated to reflect changes in the operational environment, new or updated controls, and improvements in control implementation.

According to the StateRAMP Rev. 5 Templates and Resources page, this matrix replaces the original System Security Plan. Reviewing the document shows that much of what was in the SSP is in the control matrix


What Was the System Security Plan (SSP)?

The StateRAMP System Security Plan (SSP) was a foundational document under StateRAMP, modeled on the FedRAMP document of the same name, within which cloud providers would outline their security capabilities and ability to undergo compliance assessment.

StateRAMP System Security Plan Featured

Some of the critical components of this document were:

  • Description of the Cloud Service Offering: The Service Security Plan (SSP) includes an in-depth description of the Cloud Service Provider’s (CSP) cloud services. This section covers the service’s features, architectural design, and the operational environment.
  • Security Control Implementation: A vital part of the SSP is a comprehensive overview of how the CSP has applied the security controls mandated by StateRAMP. These controls are generally aligned with the NIST SP 800-53 standards.
  • System Boundaries: The SSP delineates the limits of the cloud service’s information system. It specifies what is encompassed within the service and what falls outside, clarifying the reach of the security measures and data protection efforts.
  • Operational Context: This section of the document delves into the practical usage of the cloud service. It discusses user roles, the flow of data, and how the service interacts with other systems.
  • Risk Assessment and Management: The SSP contains details on the CSP’s approach to identifying and handling risks associated with the cloud service.
  • Policies and Procedures: The document outlines the CSP’s security-related policies and procedures. This includes guidelines on incident response, access management, data security, and more.
  • Roles and Responsibilities: This part explicitly outlines the responsibilities and duties of the staff tasked with managing and operating the cloud service. This ensures clear accountability and effective management of security measures.
  • Compliance with Regulations: The SSP addresses the cloud service’s adherence to relevant laws and standards, a critical aspect for state and local government clients.
  • Continuous Monitoring Strategy: Lastly, the document details the approach for ongoing surveillance of the security measures. This strategy is key to maintaining compliance and tackling new threats and vulnerabilities.


What Is the Difference Between the SSP and the Operational Control Matrix?

The SSP and the Operational Control Matrix are very similar. The former arranges itself as more of a narrative, working through the organization’s control structure in a top-down fashion. The operational matrix, however, is a spreadsheet in which controls and other important information are laid out as a skimmable grid that is much easier to process from a management perspective. 

However, there is some overlap between the two. While the StateRAMP Rev. 5 website states that the control matrix has replaced the SSP, there are still references to SSPs in the core documentation. When in doubt, consult with your security partners, 3PAO, and the StateRAMP PMO.

The information provided will, by and large, be the same. However, the layout, organization, and arrangement are much different and ideally more intuitive for assessors and the StateRAMP PMO.


How Do CSPs Complete and Submit Their Security Plan/Control Matrix?

The process for drafting and completing the SSP is outlined in the Getting Started guide provided by the StateRAMP and involves the following steps:

  • Engagement with a Third-Party Assessment Organization: The cloud service provider must use a StateRAMP-approved 3PAO to conduct their StateRAMP Authorization Review. This is a necessary step before the provider can complete the SSP.
  • Completion of the StateRAMP System Security Plan: Once the provider has engaged with a 3PAO, they must complete the StateRAMP System Security Plan. This document is crucial for the Authorization Review process.
  • Submission for Review: Before the 3PAO can submit the provider’s completed documentation and assessment report, the provider must complete the Authorization Review Request Form and pay the Authorization Review fee. This step is necessary for the provider’s documentation and assessment report to be submitted to the StateRAMP PMO.
  • Review by StateRAMP PMO: The PMO only accepts security assessments and documentation submitted by StateRAMP-approved 3PAOs. All documentation must be in the appropriate StateRAMP templates for it to be considered for review and approval.


Operationalize Your Security Controls and Compliance with Continuum GRC

Working to obtain or maintain StateRAMP compliance? Work with Continuum GRC.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC