Feb 02 2021

StateRAMP Aims to Help Agencies with Cybersecurity Vetting

The new nonprofit organization will help state and local governments verify cloud service providers’ safety.

The federal government has a well-established program, the Federal Risk and Authorization Management Program, better known as FedRAMP, to help government agencies procure verified and secure cloud services. “The program also standardizes security requirements for the authorization and ongoing cybersecurity of cloud services, which enables agencies to leverage and reuse security authorizations on a governmentwide scale,” FedRAMP Director Ashley Mahan tells FedTech.

Now, state and local agencies are getting something similar via a new group of public and private sector cybersecurity officials.

Launched late last year, the new StateRAMP consortium says that it aims to provide states with a way to “efficiently and effectively verify whether cloud service providers” meet a state’s published cybersecurity policies.

“StateRAMP helps States reduce cyber risks from unsecure cloud solutions and protects data,” the nonprofit group states on its website. “Like FedRAMP, StateRAMP simplifies the cybersecurity process by providing a standardized approach for validating cyber-readiness for cloud applications.”

Addressing Cloud Security Needs for Government

As bad as ransomware attacks against state and local governments seemed in 2019, the issues worsened in 2020, according to Charles Carmakal, CTO of Mandiant, the incident response arm of the cybersecurity firm FireEye, who spoke late last year at the Aspen Institute’s Cyber Summit, StateScoop reports.

“Cyber criminals have identified governments as easy targets in their exploits, and given the sensitive nature of government data, the lack of verified cybersecurity is a real threat,” StateRAMP says.

Most state governments have poured cybersecurity resources into securing internal systems and training employees, the group notes. And while those efforts are crucial to protecting citizen data, StateRAMP argues that if states “do not also address the cybersecurity of the cloud services in use, they are leaving the back door open to cyber criminals.”

While most states have “adopted requirements for third party cloud providers to meet cybersecurity standards” developed by the National Institute of Standards & Technology, StateRAMP says, “there has not been a cost-effective way” for states to verify compliance.

“We identified the things within the FedRAMP structure that says, that’s great, they’ve done the work,” Joe Bielawski, president of Knowledge Services and a member of the board of directors for StateRAMP, tells Government Technology.

“It was how can we help government through a public-private partnership to solve an identified problem, an identified need, knowing that we couldn’t do it alone,” he says.

Other StateRAMP board directors include Ted Cotterill, the chief privacy officer of Indiana, and Arizona CIO J.R. Sloan. The group’s 16 steering committee members include a range of public and private sector IT leaders, including National Association of State Chief Information Officers Executive Director Doug Robinson; Teri Takai, the executive director of the Center for Digital Government; Mississippi CISO Jay White; Security Mentor Chief Strategist Dan Lohrmann; and others.


How StateRAMP Helps Secure Government Cloud Services

StateRAMP says it “stores, maintains, and publishes the security status of cloud service providers” and provides states and municipalities with “a centralized source to access CSP cybersecurity certifications along with status updates and compliance changes.”

StateRAMP partners with accredited third party assessment organizations to audit and report on CSPs, giving government IT leaders a “simple way to verify that cloud service providers meet and maintain security standards,” the organization states.

According to StateRAMP, the “level of scrutiny and the types of information reviewed during an audit depend on the sensitivity” of the government agency data handled by the cloud service provider. Cloud service providers that have already received a FedRAMP authorized certification “will inherit the equivalent level of StateRAMP Authorization,” the group says.

With state governments caught up in the recently disclosed large-scale cyberattack suspected to emanate from Russia, state government cybersecurity is more important than ever.

“I think it reflects our role as stewards of the peoples’ information,” Cotterill tells Government Technology. “There’s got to be an expectation from our citizens, from across the U.S., that we’re getting it right in government.”

While states can use FedRAMP as a guide for cloud service provider security, many of the CSPs that state and local agencies use will not go through the FedRAMP certification process, according to Bielawski. “We have taken what we think are the really great things that are replicable, but yet we’ve created what we think is flexible and understanding for the need to serve local government and state government,” he tells Government Technology.

Now, the group is looking to drum up interest and adoption among government agencies. “I sense, without being overly optimistic, that we’ll see an adoption that is fairly quick in the coming years,” Bielawski says. “Operationally, providing that single point of contact for our cybersecurity needs for all the vendors that we drive through this process, that’s a big win,” he adds.
