StateRAMP stands for State Risk and Authorization Management Program. It is aimed at cloud service providers (CSPs) working for state (and local) governments. StateRAMP aims to help CSPs to demonstrate their ability to manage issues related to risk and authorization. StateRAMP services play a fundamental role in this. Here is a quick guide to what you need to know about them.
StateRAMP is essentially FedRAMP but reworked for use by state and local governments. It’s based on exactly the same framework (National Institute of Standards and Technology Special Publication 800-53 Rev. 4). The certification process and outcomes are very similar but not identical.
The core elements of StateRAMP services are registration, certification, monitoring, compliance, reporting, and continuous improvement. The certification service can be further subdivided into two individual StateRAMP services. These are assessment and auditing. Here is a quick guide to each of these StateRAMP services.
The very first of the StateRAMP services is registration. Becoming a member of the StateRAMP organization is a prerequisite for certification. It does not, however, guarantee that a CSP will become StateRAMP certified. The CSP still has to complete the process on their own merit.
Assessment and auditing are separate StateRAMP services, but both must be completed before a CSP can be recommended for StateRAMP certification. Unlike FedRAMP, StateRAMP has only one path to certification. There is, however, a fast-track option for CSPs that already hold FedRAMP Ready, P-ATO, or ATO status.
The standard process consists of a self-assessment covering the CSP’s controls, policies, and procedures. This is followed by an on-site audit of the CSP’s facilities and operations. The audit is undertaken by members of the StateRAMP Accreditation Body (SAB). These are all verified experts in security and compliance.
Once both of these steps have been completed, the SAB will make a recommendation to the StateRAMP board.
In theory, the StateRAMP Board chooses whether or not to accept a recommendation from the SAB. In practice, it is almost guaranteed to sign off on the SAB’s decision (either way). There would need to be a very compelling reason for the StateRAMP board to overrule guidance from the SAB.
For completeness, if the StateRAMP certification is not granted, the CSP will still retain its membership of StateRAMP. They can simply take the feedback onboard and try again.
Assuming the StateRAMP certification is granted, the CSP moves on to the follow-up stage. This consists of compliance, monitoring, and reporting. These all combine to create the foundation of a process of continuous improvement.
The compliance element of the StateRAMP services essentially lays down the rules the CSP is expected to follow to maintain its StateRAMP accreditation.
As part of ongoing compliance, the CSP is required to monitor its performance against the StateRAMP framework.
The data created as a result of ongoing monitoring must be reported back to StateRAMP. This is partly to ensure that the CSP really is complying with the StateRAMP program. It is also, partly, to inform and, hence, improve the StateRAMP program.
Like FedRAMP, StateRAMP is intended to be a do-once-use-many-times certification. It is not, however, intended to be a “one-and-done” certification. In fact, it can’t be if it is to keep its credibility.
The cybersecurity landscape is continuously developing, as are the laws and regulations that relate to it. This means that the StateRAMP certification needs to develop alongside it. CSPs that participate in the StateRAMP program therefore need to be prepared to keep updating their security.
The benefits of StateRAMP are essentially the same as the benefits of FedRAMP, albeit (currently) on a smaller scale. The headline benefit is the fact that CSPs can certify once and use that certification in all participating states (and their local governments).
It has to be said that, at this point, the key word in that sentence is “participating”. Right now, StateRAMP has a much lower level of acceptance than FedRAMP. Even so, it can still be worth the effort of certification, especially if you’re also certifying for FedRAMP.
Like FedRAMP, StateRAMP runs its own marketplace of authorized CSPs (technically, this is referred to as a member directory). Having a place in this means that your company’s name may be put in front of states and local governments that are looking for vendors.
If nothing else, getting StateRAMP certified is another form of proof that you take security very seriously. This can be very reassuring for potential customers, especially ones that handle any kind of sensitive data.