In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, establishing a standardized assessment methodology for federal agencies to manage risk in commercial cloud service provider environments. Building on the "do once, use many" model that FedRAMP proved in the federal sector, the State Risk and Authorization Management Program (StateRAMP) was launched in 2021. StateRAMP is a 501(c)(6) nonprofit organization focused on improving the cybersecurity posture of state, local, and education (SLED) agencies through education, policy development, and a common cybersecurity assessment methodology. It addresses the growing need among state and local governments to manage third-party risk in commercial cloud environments by offering a streamlined way to evaluate a cloud service's security posture.
StateRAMP implements a comprehensive security assessment framework whose primary goal is to help agencies move to secure and reliable cloud-based solutions. Cloud service providers (CSPs) that want to sell cloud services to state and local governments must demonstrate adherence to NIST SP 800-53 Rev 5 (Security and Privacy Controls for Information Systems and Organizations) together with StateRAMP-specific security requirements. Compliance assessments are performed by Third-Party Assessment Organizations (3PAOs) that are accredited by the American Association for Laboratory Accreditation (A2LA) and recognized by the FedRAMP Program Management Office (PMO).
This blog post will walk you through the StateRAMP compliance process and give you an overview of key aspects that will help prepare you for the journey.
What Organizations Participate in the StateRAMP Process?
Improving the cybersecurity posture of state and local government agencies requires several separate entities to work together toward the same outcome. The following entities are involved in the overall StateRAMP process:
- StateRAMP Program Management Office (PMO): The StateRAMP governance committees establish policies and procedures to standardize security requirements. The StateRAMP PMO oversees the implementation of the StateRAMP program and ensures cloud service providers implement the security requirements through the use of independent audits and continuous monitoring efforts.
- SLED Agencies: Focused on cybersecurity risk management, these organizations seek to acquire services from commercial cloud service providers (CSPs) that meet a defined security baseline. They can sponsor a CSP through the process and issue an Authority to Operate (ATO). At the time of writing, 23 states are participating members of StateRAMP; the current list of participating governments is published on the StateRAMP website.
- StateRAMP Assessment Organizations: Organizations that assess a CSP's compliance with StateRAMP must be accredited by the American Association for Laboratory Accreditation (A2LA) and recognized by the FedRAMP PMO. They serve as an independent assessment body and report assessment findings and status to the StateRAMP PMO and to sponsoring agencies.
- StateRAMP Service Providers: Cloud service providers (CSPs) are third-party organizations that offer businesses scalable computing resources via a network, encompassing cloud-based computing, storage, platform, and application services that can be accessed on demand. In short, they offer Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions.
What is StateRAMP Compliance?
For a commercial cloud service offering (CSO) to be used by a SLED agency, the CSO must demonstrate StateRAMP compliance: the ability to substantiate adherence to the government security requirements defined in NIST SP 800-53 and supplemented by the StateRAMP Program Management Office (PMO). In practice, a cloud service provider (CSP) demonstrates StateRAMP compliance by obtaining a StateRAMP authorization, also called a StateRAMP Authority to Operate (ATO).
Below are the high-level requirements to achieve StateRAMP compliance:
- Develop StateRAMP policies and procedures for each control family in the applicable StateRAMP baseline, which is derived from NIST SP 800-53 Rev 5 (Rev 5 defines 20 control families; the earlier Rev 4 defined 18).
- Develop a StateRAMP System Security Plan (SSP).
- Develop additional supporting plans (e.g., incident response plan, disaster recovery plan, configuration management plan, etc.).
- Implement controls in accordance with system categorization (low, moderate, high).
- Have CSO assessed by an accredited Third-Party Assessment Organization (3PAO).
- Remediate findings.
- Develop a Plan of Action and Milestones (POA&M).
- Obtain an authorization to operate (ATO) from the StateRAMP Approvals Committee or from a sponsoring state agency.
- Implement a continuous monitoring (ConMon) program, similar to FedRAMP Continuous Monitoring, that includes monthly vulnerability scans of the operating system, database, web application(s), and containers (as applicable), with findings tracked to closure in the POA&M.
What Are the Different Paths to Achieve StateRAMP Compliance?
There are two distinct paths to demonstrate StateRAMP compliance or obtain a StateRAMP authorization (or ATO). The first path is to be sponsored by a SLED agency, and the second is to receive authorization from the StateRAMP approvals committee.
If a CSP is already working with a SLED agency that will sponsor it through the process, that SLED agency issues the ATO. Often, though, a CSP has no SLED agency that has committed to sponsor it, even though it knows its services are valuable to the SLED community. In that case, the StateRAMP Approvals Committee can act as the government sponsor for StateRAMP Authorized and StateRAMP Provisional status. The committee consists of government, education, and cybersecurity leaders with the technical and policy knowledge needed to evaluate a CSP's security posture against the StateRAMP requirements (based on NIST SP 800-53 controls).
How Does a CSP Achieve StateRAMP Compliance & Authorization?
Whether via the SLED agency path or the StateRAMP Approvals Committee path, demonstrating StateRAMP compliance is a rigorous process. CSPs, particularly management, must fully commit before embarking on this journey. The process requires a substantial investment of time and resources, both in terms of personnel and finances. The following high-level steps from the NIST Risk Management Framework (RMF) outline the process to obtain StateRAMP compliance.
Prepare
Execute critical tasks to ready all tiers of the organization in handling its security and privacy risks through the RMF. Tasks include identifying key risk management roles, determining risk appetite, performing a risk assessment, and developing a plan on how to execute continuous monitoring.
Categorize
Inform the organization's risk management processes by assessing the adverse impact that a loss of confidentiality, integrity, or availability would have on the system and on the information it processes, stores, and transmits. The output of this step is the security categorization (low, moderate, high), which drives the control baseline selected in the next step.
Select
Select, tailor (as applicable), and document the appropriate controls needed to safeguard both the system and the organization in alignment with the level of risk. Controls will be based on the system categorization and the tailoring performed. Controls should be allocated to system components to ensure complete coverage for control implementation.
Implement
Implement the selected controls (technical, operational, and management) as determined by the system categorization and any tailoring, and document in the System Security Plan (SSP) how each control is implemented.
Assess
Assess whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the security and privacy requirements of the system and the organization. The 3PAO develops the security assessment plan (SAP), which is approved by the CSP and the sponsoring agency (as applicable), performs the assessment, and reports the results. The CSP remediates significant deficiencies and develops a plan of action and milestones (POA&M) to track the remaining findings to closure.
Authorize
A senior official determines whether the security and privacy risks associated with the operation of a system or the use of common controls are deemed acceptable for their organization, and an ATO is issued accordingly.
Monitor
Continuously monitor and stay informed about the security and privacy status of both the system and the organization to facilitate informed risk management decisions. In this phase, the CSP follows its continuous monitoring plan and addresses vulnerabilities identified by monthly vulnerability scans.
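The ConMon requirement above (monthly scans, findings tracked in the POA&M) is where many CSPs first stumble operationally, because the same finding reappears in every monthly scan and its remediation clock must run from the first detection, not the latest. The following is an added example written for this post, not StateRAMP or L&C code: it parses constructed scan output, collapses repeat detections into one POA&M entry per asset and finding, and flags entries whose due date has passed. The remediation windows (High 30 days, Moderate 90, Low 180) are an assumption mirroring FedRAMP ConMon practice; confirm StateRAMP's own timelines with the PMO or your sponsor, and the `asset,finding_id,severity,date` line format is likewise a stand-in for whatever your scanner exports.

```python
"""Added example (not from the original post): turn monthly vulnerability-scan
findings into POA&M entries with remediation due dates and flag overdue items."""
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMPTION: remediation windows mirror FedRAMP ConMon practice. StateRAMP's
# own timelines must be confirmed with the PMO or the sponsoring agency.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Constructed sample scan export (not real findings): asset,finding_id,severity,date
SCAN_LINES = [
    "web-01,SCAN-0001,high,2024-01-05",
    "web-01,SCAN-0001,high,2024-02-05",   # same finding still open in next month's scan
    "db-01,SCAN-0002,moderate,2024-02-05",
    "app-02,SCAN-0003,low,2024-02-05",
    "   ",                                 # blank line, as real exports often contain
]


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str
    severity: str
    seen: date


@dataclass
class PoamEntry:
    asset: str
    finding_id: str
    severity: str
    first_seen: date
    due: date
    remediated: bool = False


def parse_scan(lines):
    """Parse 'asset,finding_id,severity,YYYY-MM-DD' lines; skip blanks and comments."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        asset, fid, sev, seen = (p.strip() for p in line.split(","))
        sev = sev.lower()
        if sev not in REMEDIATION_DAYS:
            # Fail loudly: an unknown severity would otherwise get no due date.
            raise ValueError(f"unknown severity {sev!r} in line {line!r}")
        findings.append(Finding(asset, fid, sev, date.fromisoformat(seen)))
    return findings


def build_poam(findings):
    """One POA&M entry per (asset, finding_id); the remediation clock starts at
    the earliest detection, so a finding re-reported by later scans keeps its
    original due date instead of being silently reset each month."""
    poam = {}
    for f in findings:
        key = (f.asset, f.finding_id)
        first = min(f.seen, poam[key].first_seen) if key in poam else f.seen
        due = first + timedelta(days=REMEDIATION_DAYS[f.severity])
        poam[key] = PoamEntry(f.asset, f.finding_id, f.severity, first, due)
    return poam


def overdue(poam, today):
    """Return the keys of open entries whose due date is already past."""
    return sorted(k for k, e in poam.items() if not e.remediated and today > e.due)


if __name__ == "__main__":
    poam = build_poam(parse_scan(SCAN_LINES))
    for key, e in sorted(poam.items()):
        print(f"{e.asset:8} {e.finding_id} {e.severity:8} first seen {e.first_seen} due {e.due}")
    print("overdue as of 2024-02-10:", overdue(poam, date(2024, 2, 10)))
```

Run it on a real export by replacing `SCAN_LINES` with the lines of your scanner's CSV; the check that matters for ConMon is `overdue()`, which should be empty on the day your monthly deliverable goes to the PMO or sponsor, and anything it returns needs a documented deviation or an updated POA&M milestone.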
Summary
The StateRAMP compliance process is rigorous. However, upon obtaining a StateRAMP SLED agency ATO or an ATO from the StateRAMP Approvals Committee, CSPs unlock significant opportunities to broaden their cloud service offerings across state, local, and educational organizations. As CSPs weigh the decision to commit to the StateRAMP authorization process, they must assess whether the return on investment justifies the financial and personnel commitments.
To explore how Linford and Company can support your organization with StateRAMP services, please reach out to us.
For related reading on FedRAMP, check out these articles:
- An Expert Guide to a FedRAMP Readiness Assessment
- FedRAMP Compliance: What is it? Requirements, Process, & More
- FedRAMP Authorizations – Which Path Should a CSP Take?
- The FedRAMP SSP: Important Tips for a Successful Outcome
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.