StateRAMP is the State Risk and Authorization Management Program. As the name suggests, StateRAMP essentially aims to be FedRAMP but at the state (and local) level. It, therefore, offers much the same benefits as FedRAMP. With that in mind, here is a guide to StateRAMP and the main StateRAMP advantages.
Before you can understand the StateRAMP advantages, it’s important to be clear on how StateRAMP actually works.
The mechanics of StateRAMP are very similar to the mechanics of FedRAMP. To begin with, it’s built on the same framework, i.e. the National Institute of Standards and Technology Special Publication 800-53 Rev. 4.
This framework is, however, adapted for the needs of state and local governments rather than the federal government. It’s also supplemented by other security standards including ISO 27001, SOC 2, and PCI-DSS.
As a result, it should take very little effort (and hence very little money) for FedRAMP-compliant CSPs to achieve StateRAMP certification. If a CSP doesn’t (yet) have either qualification, they could feasibly do both at once. Alternatively, they could do the certification for their most important market first.
The StateRAMP certification process follows much the same principles as the FedRAMP certification process. CSPs register with the StateRAMP organization. They then apply for official StateRAMP certification.
CSPs support their application by providing a self-assessment of their controls, policies, and procedures. StateRAMP-approved auditors then make an on-site inspection of the CSP’s facilities and operations. If everything is in order, the auditors will recommend that the StateRAMP board grant the CSP the StateRAMP certification.
There are, however, two key differences between StateRAMP and FedRAMP. The first is that StateRAMP only has one path to certification. There is a fast-track version of that path for CSPs that meet the qualifying criteria. It is, however, still the same path. The second is that, for the time being at least, StateRAMP only has one level.
It is important to note that StateRAMP has yet to come anywhere close to full acceptance across all states. Currently, official recognition is distinctly patchy. With that said, it’s arguably already wide enough to justify the certification process. It’s also growing and expected to continue to grow. In fact, the StateRAMP organization is working hard on this.
Here are the five main StateRAMP advantages for cloud service providers (CSPs).
This is the headline advantage of StateRAMP. It provides a straightforward route for CSPs to demonstrate their security and privacy credentials. There are, certainly, other ways to do this. Probably the most obvious one would be FedRAMP.
The main StateRAMP advantage, however, is that it is tailored to the needs of states (and local governments). This makes it more directly relevant to those clients than any other qualification. When tenders come down to fine margins, this could make the difference between winning and losing business.
Before FedRAMP, CSPs had to spend significant resources convincing each individual agency that their services were secure. Since FedRAMP, they have been able to certify once and use that certification multiple times. This has been much less draining on their resources.
These cost savings benefit hirers too, as they mean that participating CSPs can offer more competitive prices. This is possibly the single biggest reason why StateRAMP is likely to succeed in its mission to become accepted across all states.
Like the federal government, states (and local governments) have to watch their budgets. They therefore arguably need to make the most of opportunities to cut costs through streamlining processes rather than reducing services.
By creating a baseline for all data security relating to ePHI, PII, and PCI data, StateRAMP eliminates the need for this to be agreed upon on a case-by-case basis. This can substantially reduce the time it takes to complete a project. In particular, it makes it easier for CSPs to work together. They can all be confident that they are working to a common standard.
As with FedRAMP, one of the most important points about StateRAMP is that it lays down a process for continuous improvement. This ensures that the StateRAMP certification always represents the very highest standards in data security and privacy.
One of the major selling points of FedRAMP is that certified CSPs are listed in the FedRAMP marketplace. StateRAMP has an equivalent, the member directory. Interested parties can check this to find StateRAMP-certified CSPs. They can then invite them to tender for projects.