Much has been made of how cloud providers can take advantage of the new StateRAMP program. Only a few years into operations, questions are already being asked about how governments and cloud providers can use its requirements to bring top-tier cybersecurity to the local level. One of those questions is how providers that already hold a FedRAMP Authorization can adopt StateRAMP. The answer is StateRAMP Fast Track authorization for FedRAMP-authorized offerings.
FedRAMP Authorization and StateRAMP
StateRAMP is a specialized program modeled on FedRAMP and aimed at state and local governments.
FedRAMP, at its core, is a framework that connects cloud service providers with federal agencies through a comprehensive and uniform approach to security. It requires that each cloud offering (a distinct product; a single provider may have one or several) undergo a rigorous assessment by an independent assessor, followed by regular monitoring and reassessment.
StateRAMP imports several of the criteria of a FedRAMP authorization, with slight changes:
- Third-Party Assessment: Providers seeking authorization for a cloud offering must engage a Third-Party Assessment Organization (3PAO) that conducts the assessment, completes the documentation, and reports its findings to the program's governing body. Under FedRAMP, providers choose a recognized 3PAO from the FedRAMP Marketplace. StateRAMP accepts the A2LA-accredited 3PAOs listed on that same marketplace.
- Impact Levels: FedRAMP uses the Low, Moderate, and High designations defined in FIPS 199 to determine which NIST Special Publication 800-53 control baseline a cloud offering must implement. StateRAMP imports the Low and Moderate designations and adds an intermediate level (Low+) between them.
StateRAMP is a private non-profit organization, whereas FedRAMP is a government-mandated and government-operated program tied into major defense and IT departments across the federal government. Because the standards FedRAMP relies on are public (via NIST), StateRAMP was able to formalize a technical implementation of those same standards for state and local governments, which have no equivalent federal mandate.
That being said, a cloud offering that already has FedRAMP authorization can, with the right approach, streamline its StateRAMP authorization through the Fast Track process.
What Are the Steps for StateRAMP Fast Track Authorization?
A provider whose offering has already achieved some level of FedRAMP authorization is already meeting most of StateRAMP's requirements. If that provider wants to sell to state and local governments, Fast Track offers a quicker path to a larger market without adding a significant amount of recurring work in the form of audits and record keeping.
To move FedRAMP-Authorized offerings into the StateRAMP marketplace, the Fast Track process streamlines how those offerings enter the StateRAMP ecosystem.
And the process is quite streamlined, with a few core steps that a provider should follow. These include:
- Join StateRAMP: StateRAMP is a private non-profit funded by donations and membership fees, so any provider seeking its Authorization must become a registered member and pay those fees. Beyond eligibility for Authorization, membership provides access to training documents and templates, participation rights on StateRAMP committees, and use of the StateRAMP logo. It also lets the provider engage with the Program Management Office (PMO) as the first step of authorization, scheduling security reviews and similar activities.
- Complete Authorization Documentation: The provider works with its 3PAO to assemble the documentation. The StateRAMP PMO cannot retrieve security documentation from the FedRAMP program; only a select group of agencies associated with the provider and the offering can access it, so the provider must supply the package itself. During this step, the provider targets one of the StateRAMP Impact Levels (Low, Low+, or Moderate).
- Undergo PMO Review: Once the documentation is complete, the provider submits the security package to the PMO. Under Fast Track, the provider can essentially skip the StateRAMP Readiness assessment and a lengthy 3PAO assessment, because the existing FedRAMP Authorization already covers them.
- Continuous Monitoring: Like every other authorized offering, a fast-tracked offering must undergo the same continuous monitoring and periodic assessments.
What Are the Benefits of Fast Track Authorization?
When a program like StateRAMP streamlines a process, it does so either in response to internal criticism or to feedback from partner organizations. In StateRAMP's case, the goal is to get vetted cloud offerings into the market quickly without sacrificing quality.
On the part of the providers and their offerings, there are some very specific benefits as well:
- Speed: If a cloud offering has already been through the FedRAMP process, there is no good reason to expect the provider to undergo another full audit for a framework derived from a standard it has already met. A cloud product that could benefit local governments should not be held back by artificial barriers. Providers that meet these basic criteria can spend less time preparing for and managing another compliance requirement and more time partnering with the organizations that need them.
- Costs: With so many security standards across the private and public sectors, cutting the cost of compliance (in time, money, and effort) helps bring more IT companies into the public-sector market. Fast Track removes several redundant steps, meaning less time spent on reviews and report management.
- Expanded Client Base: As cyber threats evolve and even local infrastructure becomes a target for criminal hackers and foreign Advanced Persistent Threats (APTs), state and local governments must consider the depth and breadth of their security. Established cloud providers with federal credentials can fill that gap by expanding rapidly into the local government space.
Work with the StateRAMP and FedRAMP Experts at Continuum GRC
The field of authorized cloud offerings is filling fast, due in no small part to the opportunities for robust, innovative services that meet the needs of a modern, digital government. A major opening exists for providers already in the federal space who want to extend their offerings to state, local, and tribal governments across the country. For those organizations, the StateRAMP Fast Track is an important process to understand.
Continuum GRC is a cloud platform that turns routine but necessary tasks, such as regular vulnerability scanning and reporting under FedRAMP, into an easy and timely part of doing business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized compliance and risk management platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help you protect your systems and ensure compliance.