StateRAMP is an acronym for State Risk and Authorization Management Program. It was launched in 2020 as a state-level alternative to FedRAMP. Here is a quick guide to what you need to know about it.
As the name suggests, StateRAMP is heavily inspired by FedRAMP. It is based on the same framework, namely the National Institute of Standards and Technology Special Publication 800-53 Rev. 4. This is supplemented by elements from other relevant frameworks such as ISO 27001, SOC 2, and PCI-DSS.
Like FedRAMP, StateRAMP aims to be a “do-once-use-many-times” solution to data-security compliance for cloud service providers (CSPs). A CSP with StateRAMP certification is automatically cleared for relevant work with any participating state government or agency. In the case of StateRAMP, relevant work means work involving ePHI, PII, and PCI data.
Unlike FedRAMP, StateRAMP currently only has one level. It is, however, entirely possible that this will change in the future as the program matures.
Here is an overview of the key points of the StateRAMP certification and, where relevant, how it compares with FedRAMP.
Unlike FedRAMP, StateRAMP (currently) only has one path to certification. The first step is for the CSP to register with the StateRAMP organization and submit a self-assessment covering its controls, policies, and procedures. The StateRAMP Accreditation Body (SAB) then undertakes an on-site audit of the CSP’s facilities and operations.
The SAB then reports back to the StateRAMP Board with what is technically a recommendation. The decision on whether or not to grant the certificate rests with the board. In practice, it would be highly unusual for the board to reject a recommendation.
If the CSP is not granted certification, it can simply address the feedback and submit a new application. In fact, the CSP can submit the new application straight away if it wishes.
As with FedRAMP, StateRAMP is not a “one-and-done” certification. All participating CSPs have to comply with robust monitoring and reporting guidelines. If they fail to meet the criteria in these guidelines, their certification can be withdrawn. Data submitted by the CSPs is analyzed by the StateRAMP organization and used to update its security guidelines.
StateRAMP is overseen by the StateRAMP organization. This operates under the Indiana Nonprofit Corporations Act. Legally, it is a 501(c)(6) nonprofit membership organization rather than a government organization. With that said, its governing Board of Directors is largely composed of representatives of state and local governments.
FedRAMP is overseen by the federal government via specific agencies and the Joint Authorization Board (JAB).
At present, StateRAMP only has official recognition in a small number of states. Currently, it’s unclear if this is due to the states themselves or to CSPs (or a combination of both).
States may be reluctant to adopt StateRAMP because they are already familiar with FedRAMP. They can simply look for FedRAMP-certified CSPs on the FedRAMP marketplace. Alternatively, they can just replicate the FedRAMP requirements in their own requirements and allow all CSPs to bid for contracts.
If this is the case, then it may create a bit of a “chicken-and-egg” situation. CSPs may hesitate to adopt StateRAMP because too few states support it. States will hesitate to support StateRAMP because CSPs are not supporting it. They are (probably) certifying for FedRAMP instead.
With that said, any CSP that can qualify for FedRAMP certification can almost certainly qualify for StateRAMP certification. This means that the cost of obtaining the second certification should be fairly minimal. It can therefore be easier to justify even if it delivers a lower business benefit.
StateRAMP is not recognized in every state. Getting the certification is, however, still more convenient than qualifying individually in each of the states where it is recognized.
It may also put you ahead of the game as more states come on board. If demand increases ahead of available certification resources, then it may start to take longer to certify (FedRAMP has experienced this issue).
If you haven’t already qualified for FedRAMP, then getting StateRAMP certified could serve as a test run for getting FedRAMP certified. It could also give you recognizable certification while you are waiting to become FedRAMP certified.
In simple terms, the more security certifications you can claim, the more reassurance you can offer (potential) clients and members of the public.