We’ve written a few articles and resources on StateRAMP certification for Cloud Service Providers (CSPs). However, there are multiple parties involved in the process. One of the most important is the State agency searching for a secure CSP partner. Here, we’ll discuss some of the high-level steps that a State agency must take to adopt StateRAMP requirements. This includes the necessary contacts, infrastructure, and documents needed to conform with StateRAMP.
Steps to StateRAMP Adoption
The steps for State agency adoption of StateRAMP requirements involve organizing your agency around a new security policy framework, preparing your organization to recruit compliant CSPs, and understanding how contract agreements work in terms of security levels.
Step 1: Contact StateRAMP PMO for Roles and Responsibilities
The first step to adopt StateRAMP requirements is to contact the StateRAMP Project Management Office (PMO). The PMO will help you by providing the necessary next steps and resources for meeting StateRAMP requirements as a state agency.
At this stage, these requirements are primarily organizational, and include the following steps:
- Receiving a responsibilities matrix to help you identify who will handle what responsibilities as part of managing compliance with partner CSPs.
- Identifying government stakeholders in your organization who will maintain some level of control or responsibility for StateRAMP adherence either as a point of contact or as someone responsible for managing internal policies.
- Completing a Data Discovery form, which outlines your current cloud services portfolio and any providers that are currently managing data on your behalf.
During this stage, your responsibilities are essentially building your relationship with StateRAMP as an organization and documenting your current position as an agency with potential cloud provider partners.
Step 2: Develop a Standard Security Policy
Rather than develop your own specific security infrastructure, StateRAMP recommends that agencies new to the program adopt a more general policy for all cloud providers offering SaaS, IaaS, or PaaS services.
During this phase, you are creating an internal policy for your organization stating that cloud vendors will, at minimum, adhere to the regulations and standards laid out in NIST SP 800-53 Rev. 4, as verified by StateRAMP officials. StateRAMP will provide you with a sample policy that you can adapt to the unique needs of your agency. StateRAMP recommends that your policy include the following information:
- Require CSP adherence to NIST 800-53 Rev. 4
- Require that all contractors and suppliers using the cloud system to process or store data also adhere to NIST 800-53
- Outline a data security impact level that requires adherence to FIPS PUB 199 for data classification
- Necessitate regular and continuous maintenance of security controls for CSPs
- Reserve the right to request a review of any 3PAO used by a CSP as part of their StateRAMP certification or continuous monitoring
- Lay out a response requirement for any CSP or contractor if a serious flaw is found in their cloud system
- Define the process for approval for any deviation from StateRAMP certification
Additionally, you will present this sample policy to the StateRAMP PMO so that they may keep it on record. It will serve as the backbone for your policies moving forward.
Step 3: Determine Your Security Category and Required Security Status
Alongside defining your security policy, you need to determine where your operation falls in terms of security risk based on the data you manage.
StateRAMP follows FedRAMP in designating the “Impact Level” of the data that a government agency handles and providing a security category based on that level.
As state agencies typically handle less sensitive data (i.e., data that is not both private and damaging to the general public if disclosed, and not protected by classified designations), StateRAMP only includes three security levels:
- Category 1: This category follows the FedRAMP Low Impact rating, which includes data that is generally accessible by the public.
- Category 2: This category follows the FedRAMP Low Impact rating with a select addition of security controls that place it above Category 1 but below Category 3.
- Category 3: This category follows the FedRAMP Moderate Impact rating, which includes unclassified but private data that isn’t available to the public.
Category 2 is a bit of a hybrid and can serve as a flexible middle-ground between Low and Moderate Impact Levels.
These categories follow FIPS 199 designations. So:
- At Low Impact Level, the disclosure, modification/destruction, or disruption of access to the information would have a limited adverse effect. This means that the data isn’t private and that it isn’t considered integral to the operation of any agency in a way that would negatively impact workers or citizens.
- At Moderate Impact Level, the disclosure, destruction, or disruption of such data could have serious adverse effects on people or agencies. This includes Personally Identifiable Information (PII).
Once you have a category designation in place, you can further identify a Security Status requirement. During StateRAMP certification, CSPs work through several designations: Ready, In Process, Provisional, and Authorized. Each status indicates where a CSP is in the process and how many of the testing and reporting requirements it has met. You can, as part of your policies, define the minimum status a CSP must hold to be considered for any partnership with your organization.
Step 4: Integration into Request for Proposals
Now that there is a general policy in place, with language around StateRAMP requirements for security level and progress in the program, your agency can include StateRAMP requirement language in all Request for Proposals (RFPs) for CSPs.
Again, state agencies can utilize their own language or use language provided by the StateRAMP PMO.
Note that all requirements outlined in an RFP must still adhere to StateRAMP requirements. Any additional security or risk assessment requirements that fall outside of StateRAMP must be managed and maintained by the agency.
StateRAMP recommends that any StateRAMP-compliant RFP include the following information:
- Security policies for your agency, including StateRAMP requirements based on NIST 800-53.
- Notification that no contract will be executed with a CSP unless that CSP meets the stated StateRAMP certification requirements.
- A statement that any CSP responding to the RFP with a “Ready” status does so as an attestation of its ability to eventually reach full certification, and that any CSP not at full Authorized status must reach that status within 12 months of contract execution.
- CSPs and contractors must maintain continuous, compliant maintenance and monitoring through certified 3PAO audits.
- CSPs and contractors must respond to serious security issues within a predefined period of time.
- Any deviation from certification requires authorization from your organization.
The Journey to Adopt StateRAMP
A state agency that wants to adopt StateRAMP for its CSPs would therefore follow a simple procedure:
- Contact the StateRAMP PMO to discuss requirements based on the data and mission of the agency. This includes documenting technical officers in your organization who will serve as points of contact for the PMO and providers.
- Standardize your security policies in line with the StateRAMP requirements and NIST 800-53. At this juncture, it would benefit many agencies to work with a security partner with experience in areas like FedRAMP and StateRAMP (perhaps even an established 3PAO).
- Determine your security category based on the data you manage, and coordinate your needs from cloud providers based on that assessment and your new security policies.
- Integrate StateRAMP-compliant language to describe your policies, needs, and expectations in future RFPs for cloud service providers.
Note that if you decide to work with a CSP that is currently working through StateRAMP certification, you may be called upon to act as a sponsor.
Once you’ve prepared your agency for StateRAMP compliance, you should be prepared to receive continuous monitoring reports from CSPs and contractors. StateRAMP is a rigorous security framework that will protect your data, but it requires ongoing commitment for as long as it is in place.
If you are preparing for a new step into the world of StateRAMP, you’ll most likely be working with a partner CSP that fits your needs. If you or your CSP partner need an experienced and certified 3PAO to support your road to StateRAMP certification, contact Lazarus Alliance at 1-888-896-7580 or contact us through the form below.