StateRAMP (State Risk and Authorization Management Program) is essentially FedRAMP for state and local governments. Its acceptance is still patchy, but it is growing. Here is a quick guide to what cloud service providers (CSPs) need to know about the StateRAMP government program.
States and local governments face the same cybersecurity considerations as the federal government. The key difference is that there are 50 states compared to one federal government, and each state is further subdivided into local governments. The result has been a patchwork of organizations, each following its own path to the same endpoint: an assurance that a cloud service protects government data adequately.
StateRAMP was created with the goal of unifying data security across states and local governments. It essentially aimed to replicate the success achieved by FedRAMP in the federal sector.
At present, the StateRAMP government program has nothing like the same level of acceptance as FedRAMP. It is, however, growing rapidly and is expected to continue to do so, and it is reasonable to expect most states and local governments to adopt it over time.
The argument for StateRAMP is as compelling as the argument for FedRAMP. It makes little sense for each state and local government to run an individual security program when a standardized alternative exists.
Likewise, being authorized once and accepted across states and local governments is clearly appealing to CSPs. It is far less work than demonstrating compliance with 50+ different security programs. Taken together, this suggests that the StateRAMP government program for CSPs has a bright future.
Technically, StateRAMP is a complement to FedRAMP rather than a competitor to it. In practice, there is likely to be some competition between them. CSPs may eventually want both authorizations. They will, however, need to decide whether to pursue the two programs at the same time.
If CSPs cannot (or do not want to) undertake both together, they will need to choose which to do first. The argument for FedRAMP is that it is accepted throughout the federal government, and it is also recognized by many states and local governments. StateRAMP, by contrast, is not yet recognized in every state.
The argument for StateRAMP is that it is designed specifically for the needs (and wants) of states and local governments. This means that it is a more compelling option in the states that officially recognize it. In fact, it may have more appeal than FedRAMP even in the states that don’t (yet) officially recognize it.
Although StateRAMP and FedRAMP are different programs, their control baselines are similar enough (both derive from NIST SP 800-53) that at least some CSPs can pursue them together. Alternatively, a CSP could use one as a test run for the other.
If a CSP takes that route, it will usually make most sense to do StateRAMP first. The main reason is that, at present, assessment resources such as third-party assessor capacity are easier to obtain through StateRAMP.
It is therefore less of a challenge to be reassessed if an initial authorization request is turned down. With FedRAMP, you are under more pressure to get everything right the first time.
As the name suggests, the StateRAMP authorization process closely mirrors the FedRAMP process. CSPs must register with StateRAMP to gain access to the program. Registration carries a fee for service providers; service buyers (government members) can register for free.
StateRAMP follows a single assessment path. The CSP documents its controls, policies, and procedures in a security package, and an independent third-party assessment organization (3PAO) recognized by StateRAMP then assesses the CSP's implementation of those controls.
CSPs that already hold FedRAMP Ready, P-ATO, or ATO status can reuse their FedRAMP package through the StateRAMP Fast Track. The review steps are the same as for everyone else; what changes is that existing evidence is accepted instead of being produced from scratch.
Assuming all is well, the assessor's report goes to the StateRAMP Program Management Office, which grants the CSP a security status (Ready, Provisional, or Authorized). Each status is granted at an impact level (Low, Moderate, or High) matched to the sensitivity of the data the service handles, so a CSP should confirm up front which level its government customers require.
As with FedRAMP, StateRAMP requires an ongoing commitment to compliance, backed by continuous monitoring and reporting: the CSP submits recurring artifacts such as vulnerability scan results and plan-of-action updates, and an authorization can be suspended or revoked if they lapse. The StateRAMP organization also uses the data it collects to refine the program, which keeps the authorization relevant and therefore valued.