Following on the successes of the FedRAMP program that certifies cloud services as secure to use for Federal government agencies, the home-grown StateRAMP program is forging ahead with similarly vital services to state and local governments and institutions of higher learning, state, and industry leaders explained on October 5 during MeriTalk’s StateRAMP: Taking the On-Ramp to Secure SLED Cloud Solutions online event.
The event featured Leah McGrath, Executive Director of StateRAMP, J.R. Sloan, StateRAMP President, and Arizona state CIO, as well as industry experts Rick Rosenburg, Vice President and General Manager, Public Sector for Rackspace, and Stephen Ellis, Government Solutions Lead at Zoom.
StateRAMP is emerging as just the latest example of former Supreme Court Justice Louis Brandeis’ statement that states are the laboratories of democracy.
“In Arizona, we were seeking to solve the same challenges that every other state was faced with,” said Arizona CIO Sloan during the October 5 event. “States seek to adopt cloud technologies and to get the advantages of all the great things that the cloud has to bring.” The problem, Sloan said, was the process to validate vendors’ cloud security had become an onerous, repetitive burden.
“We had a program that we called AZRAMP, off the idea of FedRAMP,” he continued. “FedRAMP was a program that sought to address this need at the federal level, and we knew that we needed a structured approach to how we could begin to assess vendors and their capabilities and ability to protect the data of the state as it was being stored with them.”
StateRAMP’s McGrath explained how AZRAMP morphed into StateRAMP. “In the spring of 2020, J.R., along with some other individuals from the state of Arizona, joined forces with many others across the country who had that same challenge,” she said. Then they formed a steering committee composed of current and former state CIOs, CISOs, procurement, and privacy officers, as well as several individuals from private industry.
“We also included third-party assessing organizations,” she said. “They all came together to ask that question: what if states and local governments, together with the providers who serve them, could recognize a common method for verifying cloud security, what would that look like, how would it work.”
The steering committee gleaned a considerable amount from what Arizona was trying to do. “We did like what Arizona had done. We also looked at FedRAMP, and StateRAMP is modeled in part after FedRAMP,” McGrath said. There are many similarities to FedRAMP from a cloud security verification model, as StateRAMP also requires an independent audit by a third-party assessing organization.
StateRAMP also based its controls, requirements, and standards on guidance from the National Institute of Standards and Technology (NIST), similar to FedRAMP; and like FedRAMP, StateRAMP requires continuous monitoring.
“In fact, the continuous monitoring aspect was one of the gaps we started working through, as we found other states were facing this very issue just like Arizona,” McGrath said. “Even with states who had vendor verification models in place, they didn’t have the budget or the bandwidth or enough cybersecurity personnel to maintain that continuous monitoring effort, so that was really important.”
However, there were other nuances that the steering committee designed that are unique to StateRAMP. “I think you’ll see that there’s the flexibility of being a nonprofit, where we are able to have participation from the private sector, as well as the public sector to help form this and design it to fit state and local government needs,” she said.
StateRAMP also has a centralized program management office. The PMO validates and authenticates those security packages so there’s a consistent application of standards across the board. The PMO is also the first point of contact for continuous monitoring whether you’re talking about the providers working with the PMO, or the state and local governments.
“We’re really trying to design a model that can be a shared resource for states and local governments so those CISOs or the CISOs’ designee can have access to that continuous monitoring and reporting, and really make risk-based decisions that are right for them, to have that standardized ‘verify once, serve many’ approach for the cloud service providers,” McGrath said. “So rather than having to go through 50 different StateRAMP systems, they can go through StateRAMP once to satisfy all of those baseline minimum requirements.”
Working With Industry
From the IT vendor perspective, these developments have been just as promising, Rackspace’s Rosenburg attested.
“I’d like to commend Leah, and their coalition for pulling together StateRAMP,” he said. “Providing security templates and frameworks for 50 different states versus doing it all at once for all 50 states is a real benefit. And I think they’ve actually adopted the most crucial, best practice from FedRAMP in their ‘verify once, serve many’ approach.” Rackspace has 16 different verification/authorizations through FedRAMP and only had to go through that reauthorization process once a year, versus 16 different times, or every time with a new federal agency that chooses to utilize their service.”
“Hats off to the StateRAMP organization for what they’ve been able to pull together and looking forward to how this rolls out through each of the states,” he said.
Zoom’s Ellis concurred. “I want to echo everything that we all just heard,” he said. “I think one of the things when we think about best practices with StateRAMP, in particular, is that it’s focused properly. So I think it’s going to be a huge, huge advantage. I think StateRAMP is going to be an impressive legacy.”
There’s much more to learn, including StateRAMP’s initial vendor certifications, actual experiences with StateRAMP utilization in states like Arizona and Texas, and even the process for becoming involved either as a state or local government, or vendor. Check out the entire VOD presentation here.