Aug 30 2022

Demystifying the Role of Third-Party Assessment Organizations in StateRAMP

Cloud service companies must submit each individual product for risk assessment by an outside inspector.

For more than a decade, federal agencies have relied on the Federal Risk and Authorization Management Program (FedRAMP) to clear cloud technology vendors through a security and risk assessment, thus qualifying them for federal contracts.

Founded in 2020, StateRAMP is an organization that aims to do the same for state governments. As Arizona CIO J.R. Sloan, one of StateRAMP’s founders, told StateTech recently, cloud service vendors may pass the StateRAMP risk assessment and thereby qualify as meeting security requirements prior to competing for state government contracts.

Moreover, because states act as issuing authorities of their own contracts and have different requirements from the federal government, state governments should have direct management over vendors’ security and risk data and their risk assessments.

Like FedRAMP, StateRAMP requires each vendor to undergo an evaluation by a third-party assessment organization, or 3PAO.

“Service providers must work with a StateRAMP-approved 3PAO for annual assessments of its system and to evaluate the impact of some significant changes made by the service provider to its system, platform and/or service offering,” StateRAMP notes on its website.


Advisory Firms Can Seek Accreditation as a StateRAMP 3PAO

As of this writing, 34 companies provide 3PAO services for cloud service providers seeking StateRAMP certification.

To become a 3PAO, a consulting or advisory firm must seek certification from the American Association of Laboratory Accreditation (A2LA) in the qualifications for ISO/IEC 17020:2012, “Conformity assessment: Requirements for the operation of various types of bodies performing inspection,” and must hold assessment approval for FedRAMP.


A2LA recognizes accreditation for inspection as a distinct discipline that involves competence in the examination of materials, products and more. A2LA has established a specific certification program for FedRAMP, and it requires a “rigorous evaluation of the technical competence” of a 3PAO and the organization’s compliance with standards. 3PAOs seeking accreditation for FedRAMP (and thus StateRAMP) must spend a year in the A2LA Cybersecurity Inspection Body Program to demonstrate this technical competence.

Any cloud service provider that would like clearance from StateRAMP must in turn receive assessment by a 3PAO. The vendor pays for the 3PAO assessment.

Major IT Vendors Cleared on StateRAMP Approved Product List

Many CDW partners are on the StateRAMP Authorized Product List. Cloud service providers receive specific approval for each offering. In August, the authorized product list included 28 fully approved products, including offerings from these companies, among others:

  • Microsoft for Azure and Dynamics
  • Okta for Identity as a Service
  • Zoom for Zoom for Government
  • Zscaler for Zscaler Private Access and Internet Access

Approved products are designated as “Ready” by StateRAMP.


StateRAMP also specifies a “progressing” product list of companies engaged in a 3PAO audit. “The progressing statuses include ‘Active,’ ‘In Process’ and ‘Pending,’” according to StateRAMP. “‘Active’ products are working toward ‘Ready’; ‘In Process’ products are working toward ‘Authorized’; ‘Pending’ products are currently being reviewed by the StateRAMP Program Management Office and are awaiting a determination for a verified status.”

This list includes these CDW vendor partners and others:

  • Cisco Systems for Cisco Secure Workload, Cisco Webex and more
  • Microsoft for Microsoft Office 365
  • SkyHigh Security for MVISION Cloud and MVISION for Endpoint
  • VMware for VMC on AWS Cloud and Workspace ONE

States Eye RAMP Approval as Condition of Contract Competition

Advisory firms can leverage their third-party security assessment expertise to assist vendors with gaining StateRAMP approval. Although most states do not yet require StateRAMP approval, many are signing on to the program. Some, like Texas and Arizona, are in the process of requiring either their own internal RAMP approval or StateRAMP approval for cloud service providers prior to competing for a government contract.

CDW•G provides third-party security assessments as a nonaccredited 3PAO. Vendors can turn to CDW•G for an initial assessment, which then may be validated by a StateRAMP-approved 3PAO.


Many third-party assessment organizations can conduct an array of functions for cloud service providers, including gap analysis, consulting services, compliance workshops, strategy sessions and more.

Qualified StateRAMP vendors must return to an approved 3PAO annually for a security assessment of their products and for a review of any significant changes to their systems and offerings.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.
