Regarding cybersecurity and compliance, there is a massive benefit in having a deep field of providers and offerings that can serve large federal customers alongside smaller offerings that can serve the state, local, and municipal customers. It’s essential, however, to ensure that maintaining a competitive marketplace doesn’t compromise security. This means helping small or young tech cloud service providers prepare for Authorization in ways that support their success rather than leaving them to flounder through a complex program. That’s where the StateRAMP Security Snapshot comes in.

Why Is it Important to Prepare for StateRAMP Before Authorization?

StateRAMP, built on FedRAMP requirements, represents a long process of authorization that includes pre-assessment audits, complete-system inventories, and (once authorized) long-term continuous monitoring. That is to say, it isn’t a simple process. 

However, there is a demand for cloud offerings at the local and state levels, and it doesn’t serve the agencies that need these offerings by creating a process that companies cannot complete. Furthermore, having a process in place that’s more democratic and supportive rather than opaque and challenging helps independent cloud providers have a way to gain authorization status and compete with larger service providers. 

In the spirit of helping providers determine how they might begin their StateRAMP Authorization process, the program has announced an early-stage security maturity assessment tool. This tool will enable providers new to StateRAMP, or federal assessment in general, to understand how well-positioned they are to succeed in the program.

What Is StateRAMP Security Snapshot?

The core of the StateRAMP Security Snapshot is to provide a “moment in time” picture of the organization’s security posture. More concretely, the process will give providers a gap analysis of their system compared to StateRAMP requirements. 

As per any maturity model, the Security Snapshot (or “Security” status) uses a scoring model formed from a few factors, including:

• Security and IT factors that may or will impact that offering’s ability to meet StateRAMP requirements.
• IT factors that impact total security posture more broadly.
• Insights that the StateRAMP PMO can provide to procurement teams (with state and local agencies) regarding particular security and IT components.

Adherence to best practices around these areas will result in the gaining of “points” that demonstrate the maturity of the underlying infrastructure. Additionally, the StateRAMP PMO may award additional points based on specific criteria, namely:

• StateRAMP Authorized IaaS: If a given offering undergoing Security Snapshot is hosted on StateRAMP authorized Infrastructure-as-a-Service architecture, then the PMO will offer higher total scores.
• FedRAMP Authorization: Counterintuitively, if the cloud offering uses FedRAMP Authorized IaaS architecture or is itself FedRAMP Authorization, the offering may receive additional points, but less so for StateRAMP Authorized tools. This is because, while StateRAMP is derived from FedRAMP, FedRAMP Authorization does not provide the StateRAMP PMO with any insights into monitoring and security processes.
• Annual Security Awareness: A provider may be awarded additional points for ensuring annual security awareness training for their employees so long as that training directly impacts the company’s security posture. 

The provider will then provide documentation on their current security posture that the StateRAMP PMO will review based on some essential criteria using a weighted scaling system.

Some of the criteria that the PMO will assess include:

• StateRAMP or FedRAMP Authorization: Does the security infrastructure in question reside in StateRAMP- or FedRAMP-Authorized IaaS? Is the solution FedRAMP Authorized? These questions are weighted more highly than the others.
• Inventory: Can the provider effectively and accurately inventory regulated security components? Do they employ automated solutions to maintain that inventory?
• Certifications: Has the provider completed other certifications? These may include SOC 2 Type 2, ISO 27001, CSA STAR, or HITRUST.
• Training: Does the organization provide required, continuing security awareness training relevant to the infrastructure and data uses?
• Security Modules: Does the infrastructure include cryptography modules where cryptography is required? Does it employ Single Sign-On (SSO) technology? Does it use Multi-Factor Authentication (MFA)? Can it detect and eradicate malicious software (anti-malware)?
• Scanning and Testing: Does the organization conduct regular vulnerability scans? Has the infrastructure undergone a penetration test in the last 12 months? 
• Auditing: Are regular audits performed? Are audit logs automated, maintained, and protected? Can the organization protect audit information from unauthorized access or modification?
• Recovery: Can the provider recover effectively from security events or other disasters? Do they have an incident response plan in place? Do they have a contingency plan in place as described in NIST SP 800-34?
• Configuration: Does the provider have a configuration management plan in place? Do they conduct regular scans for configuration changes? Do they have a formal change control process in place?

StateRAMP Security Snapshot is not required but helpful for organizations just getting into the program. It will begin in January 2023, and cost fees range from $500-$1,500 based on price tiering. 

Are You Considering StateRAMP Authorization

Lazarus Alliance is an experienced, certified FedRAMP and StateRAMP 3PAO that helps large and small businesses develop their security posture to jump into the government agency IT market. We have decades of experience in some of the most rigorous compliance standards in the industry, and we’ve supported companies through FedRAMP, StateRAMP, ISO, SOC, HIPAA, and NIST audits and assessments (among others). 

If you’re considering your StateRAMP Authorization, contact us today to get an early start.