Cloud Service Providers (CSPs) are quickly filling the gap for the computing and storage needs of government agencies. Both Federal and State governments are turning to enterprise-level tools, technologies, and practices to better manage citizen data and modernize critical infrastructure and services. They do this, naturally, by handling private citizen data that requires protecting, which means that cloud providers need to adhere to critical security standards like StateRAMP.
What is StateRAMP? StateRAMP is a security framework, based on FedRAMP, built for State governments. It extends the requirements behind a FedRAMP ATO to state governments and CSPs so that any government use of third-party cloud technology adheres to a high standard of cybersecurity and data protection.
But what is StateRAMP in practice, and how does that impact businesses? Here we’ll discuss the basics of StateRAMP and how CSPs and State government can prepare to achieve ATO.
What is StateRAMP?
According to their official website, StateRAMP is a “platform that provides States a mechanism for efficiently and effectively verifying whether cloud service providers meet a State’s published cybersecurity policies.”
Much like FedRAMP, StateRAMP is a regulatory focus on high-level cybersecurity measures for government work. States are decentralized, however, and not all states adopt the same framework. This is unfortunate and, in many ways, dangerous because sophisticated threats can take advantage of fragmented security profiles. Likewise, States are just as responsible for private Personally Identifiable Information (PII). Just like the federal government, States handle data related to addresses, social security numbers, phone numbers, etc.
On top of those facts, more states are turning to cloud platforms to support advanced storage, analytics and computing potential. Enterprise-level public cloud computing is quickly becoming a necessity rather than a luxury, and the major providers of public cloud products (AWS, Microsoft, and Google) are increasingly reaching out to public actors and agencies to meet those needs.
The truth is, however, that most States have implemented their own set of security standards, and it’s up to cloud providers who want to serve several State governments to satisfy each of them.
Thus, StateRAMP seeks to bridge the gap between secure cloud vendors and State agencies to provide better security at the State level of government.
How is StateRAMP related to FedRAMP?
StateRAMP is modeled on the FedRAMP specification, which means that it shares the core features and requirements of FedRAMP, namely:
- Compliance with the security controls outlined in the National Institute of Standards and Technology’s Special Publication 800-53 Revision 5, as applied by the StateRAMP Project Management Office (PMO).
- A further partnership with a Third-Party Assessment Organization (3PAO) that works with you throughout the ATO process.
- Developing a StateRAMP ready package to illustrate preparedness, at which time the 3PAO attests to the readiness of your organization for audit and assessment. StateRAMP readiness shows authorizing bodies that your cloud product and business operation can meet the demands of a StateRAMP audit successfully.
- Development of a security package with the 3PAO to submit to StateRAMP authorities for authorization, including a breakdown of controls and securities based on High, Moderate, and Low security levels.
- Continued monitoring post-authorization to demonstrate continued compliance with regulations.
Within these steps, 3PAOs will examine your cloud infrastructure and operations to determine security readiness. Readiness refers to several levels of security, from administrative to technical and physical safeguards, including:
- Encryption. Is data encrypted at rest and in transit? Is data secured from remote access? What encryption do you use (AES-256 or AES-128? TLS 1.1 or 1.2)?
- Authorization. What are your authentication standards for users? Are you using multi-factor authentication? Are there audits for unauthorized access and modification of any data?
- Device Security. Are your data centers secure from physical access? Are workstations protected and logged to determine what users can access what data? Are mobile devices meeting security requirements? Are there alarm systems in place for unauthorized physical access? Do you have backup power supplies to protect data from power loss?
- Segmentation. Are you separating user data from operational data? Are there security measures in place to protect user data from operational data and vice versa?
- Security Information and Event Management (SIEM). Can your system retain at least 90 days of event data in online storage and 365 days of event data overall?
- Scanning and Remediation. Is your system able to consistently scan and remediate high vulnerabilities within 30 days, moderate vulnerabilities within 90 days, and low vulnerabilities within 180 days?
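The two checklist items above with concrete numbers (vulnerability remediation within 30/90/180 days by severity, and 90 days online plus 365 days total event retention) are the kind of thing a CSP should be able to measure from its own scan and logging data before a 3PAO asks. The following is an added example, not code from the original article or from StateRAMP, showing a self-check over a constructed list of scanner findings; the finding identifiers, dates and the `as_of` date are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows from the readiness checklist (days from detection).
REMEDIATION_SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}
# Event data retention from the SIEM checklist item.
ONLINE_RETENTION_DAYS = 90
TOTAL_RETENTION_DAYS = 365


@dataclass
class Finding:
    finding_id: str
    severity: str          # "high", "moderate" or "low"
    detected: date
    remediated: Optional[date] = None   # None while the finding is still open


def sla_deadline(finding: Finding) -> date:
    """Latest date by which this finding must be remediated under the SLA."""
    sev = finding.severity.lower()
    if sev not in REMEDIATION_SLA_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r} for {finding.finding_id}")
    return finding.detected + timedelta(days=REMEDIATION_SLA_DAYS[sev])


def overdue_findings(findings: List[Finding], as_of: date) -> List[Tuple[str, int]]:
    """Return (finding_id, days_late) for every finding that breached its SLA.

    A finding breaches the SLA if it is still open after its deadline as of
    `as_of`, or if it was closed later than its deadline.
    """
    breaches = []
    for f in findings:
        deadline = sla_deadline(f)
        closed_on = f.remediated if f.remediated is not None else as_of
        if closed_on > deadline:
            breaches.append((f.finding_id, (closed_on - deadline).days))
    return breaches


def retention_gaps(online_days: int, total_days: int) -> List[str]:
    """Describe any shortfall against the 90-day online / 365-day total retention targets."""
    gaps = []
    if online_days < ONLINE_RETENTION_DAYS:
        gaps.append(f"online retention {online_days}d below required {ONLINE_RETENTION_DAYS}d")
    if total_days < TOTAL_RETENTION_DAYS:
        gaps.append(f"total retention {total_days}d below required {TOTAL_RETENTION_DAYS}d")
    return gaps


# Constructed sample scanner output (not real findings), evaluated as of 2024-06-01.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2024, 4, 1)),                       # open, 31 days past deadline
    Finding("V-002", "moderate", date(2024, 2, 1), date(2024, 5, 15)),  # closed 14 days late
    Finding("V-003", "low", date(2024, 1, 10)),                        # open, deadline not yet reached
    Finding("V-004", "high", date(2024, 5, 20), date(2024, 5, 28)),     # closed within SLA
]

if __name__ == "__main__":
    for fid, late in overdue_findings(SAMPLE_FINDINGS, AS_OF):
        print(f"SLA breach: {fid} is {late} day(s) past its remediation deadline")
    for gap in retention_gaps(online_days=60, total_days=365):
        print(f"Retention gap: {gap}")
```

Feeding the script a real export from your vulnerability scanner and the retention settings from your SIEM gives a quick, repeatable answer to the two checklist questions; anything it flags is an item to fix before the readiness assessment, not a finding to explain away during it.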
What is the Process for State Adoption?
State governments also have clear directives for adopting StateRAMP requirements. At the core of this process is the StateRAMP Implementation Checklist. The process for successfully completing that checklist involves a series of tasks and milestones critical to the StateRAMP authorization process:
- Reach out to the StateRAMP organization. This is your first step in starting the process, from learning more about requirements to developing relationships with the agency and 3PAOs.
- Identify the State stakeholders you want to work with. Much like FedRAMP, CSPs that want to work with State governments should have clearly identified which agencies they are preparing to work with and the stakeholders in those organizations. This also includes clearly identifying stakeholders in your own organization as primary contacts for the process, including your CIO, CPO, CTO, CISO, and/or your Chief Risk/Privacy Officer (if that is a separate position).
- Complete a Data Discovery form. This helps StateRAMP connect you with the right partners to prepare you for adoption.
- Adopt security policies. Government bodies must adopt a general security policy for any CSPs providing IaaS, PaaS, or SaaS solutions. This includes items like information about NIST compliance, a clear designation of High, Moderate, and Low security needs, 3PAO audit processes, and liabilities for CSPs, 3PAOs, and other contractors.
Differences Between StateRAMP and FedRAMP Authorization
The differences between FedRAMP and StateRAMP are minor, and generally have nothing to do with the actual authorization. StateRAMP was built on FedRAMP requirements, and as such, they are nearly identical in their demands. However, since State governments are decentralized and not under the auspices of a centralized federal mandate, the authorization process works slightly differently.
Why Should State Governments and CSPs Consider Authorization?
In one word: security. The recent SolarWinds Orion hack has shown us the dangers of security missteps in the public and private sectors. In fact, one of the major revelations of the SolarWinds hack is that there is an increasingly small gap between public and private infrastructure. Likewise, the PII held by Federal and State agencies is vulnerable to a breach, often from third-party contractors who are not compliant with a high standard of security.
As we’ve seen, SolarWinds has impacted a number of federal agencies. But State agencies aren’t off the hook, as much as they want to be. Modern smart cities and online state databases, portals, and data centers all either rely on public cloud technology or are migrating to the cloud. These cloud services must follow strict security protocols.
Accordingly, it isn’t enough to have a decentralized security standard. In an interconnected world, a fragmented security posture could spell disaster.
FedRAMP standardizes this posture for federal agencies. StateRAMP seeks to do the same for States, and as of this writing, several state agencies are turning to StateRAMP, or similar, certifications to guarantee security for their citizens.
Prepare Your StateRAMP Authorization with Lazarus Alliance
A necessary part of StateRAMP ATO is working with a 3PAO. The 3PAO isn’t simply a required partner, however. They can help you navigate the challenging world of cybersecurity without having to field your own IT teams. Lazarus Alliance has been working with clients in the State and Federal spaces for years as an authorized 3PAO, and we can help CSPs prepare for both FedRAMP and StateRAMP authorization.
If you want to learn more about StateRAMP, FedRAMP and how we can help you as your authorized 3PAO, please call us at 1-888-896-7580 or contact us through the form below.