Feb 04 2022

States Take the Wheel with Their Own Version of FedRAMP

Governments may advance cloud adoption by standardizing compliance requirements for related products and services.

In 2015, Arizona CIO J.R. Sloan helped stand up AzRAMP, a state version of the Federal Risk and Authorization Management Program (FedRAMP). In 2020, he took that a step further by launching StateRAMP, a program that standardizes cybersecurity requirements for service providers working with state and local governments.

Late last year, Arizona released its first request for proposals that tasked vendors with StateRAMP compliance. In discussions with contractors, Arizona made it clear why StateRAMP is important and how it would outline requirements for original equipment manufacturers, resellers and integrators. Arizona might be the first to adopt the compliance requirements of StateRAMP, but it’s unlikely to be the last. Texas has been moving forward with its own version, and the state’s Department of Information Resources also accepts AzRAMP certification.

So, StateRAMP is now reality. StateRAMP gives states a closely held means of ensuring vendors comply with cybersecurity standards to safeguard public data. Like its federal counterpart, the program promotes the adoption of cloud products and services through its standardization of security assessments, authorizations and monitoring. 

For the federal government, FedRAMP compliance is not optional. Vendors interested in responding to RFPs with FedRAMP requirements are wasting their time if they are not FedRAMP-certified. Similar requirements will begin to emerge with RFPs under the banner of StateRAMP. States are going to seek assurances that products can do what vendors say they can do, and StateRAMP certification is the way they will gain that assurance.


StateRAMP May Strengthen Bonds Between States and Contractors

By establishing StateRAMP, states move closer to the requirements rather than relying on FedRAMP, which was developed by an outside organization. State governments have finer control over cybersecurity compliance, and this creates a closer working relationship with their vendor partners. The strengthening of this relationship, along with more transparency around the work, will draw more states into the StateRAMP organization.

In September, StateRAMP first published its authorized vendor list. The consortium refreshes the list weekly, and it currently lists 73 certified vendors. Among those certified to date are recurring state and local vendors including Cisco, Google, Microsoft, VMware and Zoom. The StateRAMP member organization includes service providers offering Infrastructure as a Service, Platform as a Service and Software as a Service, as well as third-party organizations and state and local government officials. 

Prominent vendor breaches in the past several years have produced a new age of awareness for vulnerabilities. While news may focus on the impact of such breaches on federal agencies, state agencies also have suffered. According to a 2020 survey on FedRAMP, state and local agencies are more likely to host all of their IT systems in the cloud than federal agencies. With StateRAMP, states gain additional protections they once lacked.

Arizona has long been a leader in adopting new technology, establishing a cloud-first policy several years ago to speed transformation and streamline management of IT resources. With StateRAMP, Arizona and other states will lead the way to greater assurance in cloud adoption.

This article is part of StateTech’s CITizen blog series.

