You may have heard of FedRAMP but wondered what StateRAMP means. The answer is that StateRAMP is the State Risk and Authorization Management Program. As the name suggests, it is inspired by FedRAMP. The two programs are, however, not at all identical. Here is a quick guide to what you need to know about StateRAMP.
Like FedRAMP, StateRAMP is based on the National Institute of Standards and Technology Special Publication 800-53 Rev. 4 framework. It is, however, not actually overseen by the states (as FedRAMP is overseen by the federal government). Instead, it is run by the StateRAMP organization, a 501(c)(6) nonprofit membership organization.
Similarly to FedRAMP, the StateRAMP organization’s role is essentially as an overseeing body. The actual implementation of StateRAMP relies on a network of authorized providers. These are all vetted experts in cybersecurity and compliance.
The aim of StateRAMP is to provide a use-once-apply-to-many certification in the same vein as FedRAMP. Currently, however, its acceptance amongst state governments is relatively low. At present, it is unclear if this is because StateRAMP is relatively new or if it’s because it is seen as competing with the better-known FedRAMP certification.
The practicalities of StateRAMP are broadly similar to the practicalities of FedRAMP. A CSP registers with the StateRAMP organization and requests to be certified by their approved assessors.
There are two parts to the certification. The first is an assessment of the CSP’s security controls, policies, and procedures. This is completed by the CSP itself and submitted to the StateRAMP Accreditation Body (SAB) for review. The second is an external, in-person audit of the CSP’s facilities and operations.
After both of these stages have been completed, the assessors will either authorize StateRAMP certification or recommend improvements. If certification is granted, the CSP will be required to participate in ongoing monitoring and reporting. Failure to do so will see the certificate revoked.
If the certificate is not granted, the CSP will be advised of the reason(s) for its refusal. They can then make any necessary changes and apply again.
The benefits of StateRAMP are similar to the benefits of FedRAMP. The headline benefit is that it brings CSPs into compliance with laws and regulations relating to ePHI, PII, and PCI. Broader benefits relate to the fact that this builds trust and confidence with customers in general. This is good for a CSP’s public image and can act as a selling point.
Probably the most obvious benefit of StateRAMP is that it demonstrates compliance with the Health Insurance Portability and Accountability Act (HIPAA). As a corollary, it also demonstrates compliance with many other state and federal laws and regulations relating to ePHI, PII, and PCI.
Achieving StateRAMP certification can also lay the foundations for other security certifications. The most obvious option here would be FedRAMP. FedRAMP is more widely recognized. It also has a lengthier process for certification.
The length of the process is, however, only partly related to the robustness of the certification. The other part is due to the scarcity of testing resources. This can leave businesses that are fully compliant waiting in limbo for official certification. Using StateRAMP could help to demonstrate compliance during this period.
Security certifications are always reassuring for businesses. StateRAMP is particularly reassuring because it relates to ePHI, PII, and PCI data. These are three of the most sensitive data categories there are. It therefore logically follows that businesses certified to handle them can safely be trusted with other, less sensitive forms of data.
This can be a major selling point for modern businesses. In general, today’s senior managers are very well aware that you can delegate tasks but not accountability. In other words, they can outsource tasks relating to their data. They cannot, however, outsource the fact that, ultimately, they are responsible for the security of that data.
In some cases, they may be held legally accountable for the actions of their third-party vendors. Even if they’re not, they will certainly be held responsible in the eyes of the public. The repercussions of this can be much worse than anything the law can do.
As a corollary to the previous points, security certifications build trust and confidence amongst a broad range of people. The harsh reality is that all businesses say that they take data security with the utmost seriousness. Unfortunately, the evidence shows that this is not always the case.
Having an objective, third-party-endorsed security certification means that people do not just have to take your word for your security. Certifications that have to be continually updated are particularly valuable precisely because they are not just “set and forget”.