Oct 27 2021

Arizona to Pilot StateRAMP Cloud Security Program

As more governments move data to the cloud, the Grand Canyon State aims to provide a streamlined vetting and monitoring process for vendors.

As more state and local governments move to cloud-based technologies to store massive amounts of resident data, they still have a responsibility to keep that data protected. 

“Just as we built policies, procedures and standard work around how we secure environments that the state physically owns, when we start working with cloud service providers, we need to do the same vetting and have the same assurance,” says Arizona CIO J.R. Sloan. 

That’s why his state will be the first to pilot a new program called StateRAMP that aims to provide a streamlined vetting and monitoring process for cloud service providers that other states can also take advantage of.

What Is the StateRAMP Program?

The concept is modeled after the federal government’s FedRAMP, or Federal Risk and Authorization Management Program, which “promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information,” according to the program’s website.

Essentially, FedRAMP gives its stamp of approval to vendors that have met a set of security guidelines and have been given the OK for federal agencies to work with, explains Sloan. StateRAMP would do the same for state and local government agencies.

Why States Need the StateRAMP Program

State and local government agencies are more likely to have all systems and solutions in the cloud than federal agencies, according to a recent FedRAMP survey of more than 500 IT and business decision-makers from agencies with direct citizen services.

According to the survey, 9 percent of state and local government representatives said all their agency’s systems and solutions are in the cloud, and another 49 percent said most were, compared with 6 percent and 29 percent of respondents from federal agencies, respectively.  

No survey respondents — federal or state and local — said they would not consider moving their systems and solutions online. 

Sloan, who is also the president of StateRAMP, says Arizona has had a vetting and monitoring program called AZRamp in place for several years. More than 230 vendors have gone through the approval process, which is generally time-consuming and tedious for both the state and the vendor. Even after vendors got approved in his state, they’d still need to repeat the process with another state. 

“We don’t need to do this 50 different ways, or even the same way 50 different times,” Sloan says. “We should be able to come up with a way for one entity to be able to do the verification, to be able to share the verification information with states where states can trust it.”

This process helps to accelerate states’ ability to engage with vendors that are effectively prequalified from a security perspective, Sloan says. If there are additional regulatory or statutory requirements, StateRAMP can work with the vendor to help close a particular gap.

“The value proposition for cloud services to state and local governments is so compelling,” Sloan says. “I would argue that state governments and local governments are in a much better position. They can be more agile, they can provide better services, they can move faster by focusing on partnering with these enterprise-scale cloud service providers and their solutions than by spending the time, money and effort in building our own data centers and maintaining those things. In order to then take advantage of that value proposition of those cloud services, we need to continue to ensure the proper protection of the data that goes in those environments.”

The Future of StateRAMP and State Government Cloud Security

Right now, StateRAMP is in the “maturing stages,” Sloan says, and Arizona is currently processing the paperwork to start the pilot program. The state hopes to announce the official launch soon after a legal review. 

While no other states have yet committed to participating in the pilot, there is already buy-in from several. The organization’s leaders include representatives from Indiana, Maine, Mississippi and elsewhere.

“We want to move quickly where we can, but also move carefully,” Sloan says of StateRAMP. “When you’re talking about security, being right is more important than being fast.” 

Looking ahead, Sloan hopes StateRAMP will become a well-established standard for state and local governments with the same value and veracity that FedRAMP has in the federal environment. StateRAMP currently gives reciprocity to cloud service providers that have already been vetted by FedRAMP. One day, he says, he hopes the federal government will give StateRAMP’s approval the same recognition.
