State RAMP FAQ

Cybersecurity risks have proliferated ceaselessly over the years, and state governments have been a prime target of those attacks. State governments handle vast troves of personal, financial, or healthcare data; their IT security budgets are often meager, and their IT infrastructure can be filled with security holes.

So, from the criminals’ perspective, why wouldn’t you go after state governments? They’re easy targets.

State governments are, of course, aware of their vulnerability. One strategy they use to improve their cybersecurity and reduce risk is the State Risk and Authorization Management Program (StateRAMP) — a secure and compliant framework to verify that cloud-based software providers meet FedRAMP cybersecurity requirements before states start doing business with those providers.

In this post, let’s dive into what StateRAMP is, how it helps with cybersecurity, and how it differs from a similar government program, the Federal Risk and Authorization Management Program (FedRAMP).

What Is StateRAMP?

StateRAMP — shorthand for the State Risk and Authorization Management Program  — is a platform that offers states a way to verify that the cybersecurity of their cloud-based service providers is up to snuff. StateRAMP authorization helps advance cybersecurity standards for state government operations and keep personal data safe. 

The framework is simplified from the larger federal government version, FedRAMP. As described by Leah McGrath, executive director for StateRAMP, the program “helps bring state and local government together to create that common method, and assist state and local governments in managing the third-party service providers, when it comes to cloud security and cybersecurity.”

StateRAMP has a small board of directors plus a larger steering committee composed of executives from the cybersecurity sector and state and local governments. The platform also relies on NASCIO, the National Association of State Chief Information Officers, to help develop technical policies and standards for StateRAMP. 

What are the benefits of StateRAMP?

There are several key benefits that StateRAMP provides:

• Standardized baseline security assessments aligned with National Institute of Standards and Technology (NIST) 800-53 rev. 5 for cloud service providers across states
• Reduced risk for state agencies by ensuring baseline security controls are met
• Faster procurement by leveraging existing FedRAMP or StateRAMP Ready authorizations
• Shared knowledge on continuously monitoring information security between government entities
• Lower costs for accredited security audits compared to individual state reviews
• By relying on StateRAMP security standards, state Chief Information Officers (CIOs) spend less time evaluating Cloud Service Providers (CSPs). They can have greater confidence in the cybersecurity of approved SaaS products. It streamlines secure cloud adoption while managing risk.

What Is the Purpose of StateRAMP?

StateRAMP exists to help state and local governments evaluate the cybersecurity of Software-as-a-Service (SaaS) vendors. It produces templates that Third-Party Assessment Organizations (3PAOs) can use to assess the security of a SaaS vendor and provide a StateRAMP “seal of approval” for those cloud-based vendors. Then, CIOs and procurement officers in state and local governments can be more assured that the technology vendors they might use will have satisfactory data protection safeguards. 

How Do StateRAMP and FedRAMP Differ?

FedRAMP was established in 2011 by the Office of Management and Budget, which combines Chief Financial Officer (CFO) and Chief Operating Officer (COO) functions for the federal government. It aimed to foster better collaboration between government officers and cloud-based service providers on cybersecurity issues. 

To that end, FedRAMP develops templates to help 3PAOs assess the security of cloud-based providers. Those templates help federal agencies keep pace with new technologies and the changing nature of cybersecurity risk, and today, the FedRAMP framework is used across the entire U.S. federal government. 

StateRAMP is a simplified version of FedRAMP. It uses the same framework and model as FedRAMP, but it’s meant to be used on a smaller scale and focuses on state and local government issues. Also, remember that while the two programs are similar in design and primary objective, StateRAMP and FedRAMP are separate entities. 

Why Is StateRAMP Important to Use?

State and local governments will continue to embrace cloud-based technology providers. And they should embrace cloud-based vendors, too. The costs are lower, implementation is more accessible, and the technology runs better than what most government agencies could develop and operate themselves. 

The question is how to square that trend in IT adoption with the proliferation of cybersecurity threats we mentioned earlier. Evaluating the security of every cloud-based vendor can be challenging for state and local IT departments, so relying on StateRAMP gives them a level of assurance they might not otherwise achieve. 

How long does it take to become StateRAMP certified?

The StateRAMP certification and authorization process typically takes 3-6 months from when a cloud service provider begins their application to achieving an Authorization to Operate (ATO). The key steps include:

• Applying and completing required FedRAMP Moderate Impact Level documentation
• Undergoing a rigorous NIST-aligned security assessment by an accredited 3PAO
• Remediating any issues discovered during the assessment
• Receiving StateRAMP Ready status
• Being evaluated by the StateRAMP Joint Authorization Board (JAB)
• Getting the official Agency ATO notification
• CSPs with FedRAMP Moderate or High Authorizations can leverage those security packages to expedite StateRAMP certification to around 1-2 months via the StateRAMP Fast Track process.

If I am a provider with FedRAMP status, why should I consider StateRAMP?

Even with an existing FedRAMP authorization, pursuing StateRAMP verification can benefit CSPs by:

• Opening up state and local government markets for your cloud service offering
• Demonstrating you meet critical state-specific security controls beyond the FedRAMP baseline
• Getting your cloud product included in standardized state procurement language
• Saving state buyers from conducting redundant cybersecurity reviews
• Showing commitment to public sector clients
• Earning StateRAMP approval signals you have undergone specialized state-level vetting to align with their unique information security requirements. This can give your cloud solutions a competitive advantage for state-focused sales opportunities.

How ZenGRC Can Help with StateRAMP Compliance

The need for software automation to regulate security measures remains the most reliable option. Using automation for managing security is necessary: whether you’re a government organization at any level or a private company, security risks are expected to continue to grow.

ZenGRC takes the headaches out of managing StateRAMP compliance by guiding you through the framework step by step. 

ZenGRC’s central dashboard allows you to view your organization’s complete compliance stance through a single pane of glass, showing you where gaps exist and what steps or documentation are required to fill them. 

When hiring a third-party auditor, ZenGRC saves you time and money by organizing all of your compliance documentation with a pre-made compliance template that is easy to access when needed. 

If you’d like to see ZenGRC in action, contact us today for a free demo.