What Is the StateRAMP Program?
The concept is modeled after the federal government’s FedRAMP, or Federal Risk and Authorization Management Program, which “promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information,” according to the program’s website.
Essentially, FedRAMP gives its stamp of approval to vendors that have met a set of security guidelines and have been given the OK for federal agencies to work with, explains Sloan. StateRAMP would do the same for state and local government agencies.
Why States Need the StateRAMP Program
State and local government agencies are more likely to have all systems and solutions in the cloud than federal agencies, according to a recent FedRAMP survey of more than 500 IT and business decision-makers from agencies with direct citizen services.
According to the survey, 9 percent of state and local government representatives said all their agency’s systems and solutions are in the cloud, and another 49 percent said most were, compared with 6 percent and 29 percent of respondents from federal agencies, respectively.
No survey respondents — federal or state and local — said they would not consider moving their systems and solutions online.
Sloan, who is also the president of StateRAMP, says Arizona has had a vetting and monitoring program called AZRamp in place for several years. More than 230 vendors have gone through the approval process, which is generally time-consuming and tedious for both the state and the vendor. Even after vendors got approved in his state, they’d still need to repeat the process with another state.
“We don’t need to do this 50 different ways, or even the same way 50 different times,” Sloan says. “We should be able to come up with a way for one entity to be able to do the verification, to be able to share the verification information with states where states can trust it.”
This process helps to accelerate states’ ability to engage with vendors that are effectively prequalified from a security perspective, Sloan says. If there are additional regulatory or statutory requirements, StateRAMP can work with the vendor to help close a particular gap.
“The value proposition for cloud services to state and local governments is so compelling,” Sloan says. “I would argue that state governments and local governments are in a much better position. They can be more agile, they can provide better services, they can move faster by focusing on partnering with these enterprise-scale cloud service providers and their solutions than by spending the time, money and effort in building our own data centers and maintaining those things. In order to then take advantage of that value proposition of those cloud services, we need to continue to ensure the proper protection of the data that goes in those environments.”
The Future of StateRAMP and State Government Cloud Security
Right now, StateRAMP is in the “maturing stages,” Sloan says, and Arizona is currently processing the paperwork to start the pilot program. The state hopes to announce the official launch soon after a legal review.
While no other states have yet committed to participating in the pilot, there is already buy-in from several. The organization’s leaders include representatives from Indiana, Maine, Mississippi and elsewhere.
“We want to move quickly where we can, but also move carefully,” Sloan says of StateRAMP. “When you’re talking about security, being right is more important than being fast.”
Looking ahead, Sloan hopes StateRAMP will become a well-established standard for state and local governments with the same value and veracity that FedRAMP has in the federal environment. StateRAMP currently gives reciprocity to cloud service providers that have already been vetted by FedRAMP. One day, he says, he hopes the federal government will give StateRAMP’s approval the same recognition.