StateRAMP and Monitoring: Breaking Down the StateRAMP Continuous Monitoring Process

StateRAMP takes several of its requirements from FedRAMP, and one of the most important is continuous monitoring. Continuous monitoring ensures that systems that earned StateRAMP Authorization remain in compliance year after year, avoiding gaps in security and protecting the interests of state and local governments.

What Is the StateRAMP Continuous Monitoring Guide?

Under StateRAMP, organizations providing cloud services to state and local governments must maintain their authorization on an ongoing basis once they have met StateRAMP requirements. This ongoing maintenance must align with the StateRAMP regulations as well as with the organization's own risk management framework and security posture, which vary with its market and capabilities.

Simply put, ongoing maintenance proves that you are not letting security and risk issues slip after an audit and that you can remain in service to critical governmental agencies.

The StateRAMP Continuous Monitoring Guide provides a comprehensive model for how organizations must approach their maintenance obligation. It outlines the structure of this monitoring, including who must perform it and how it is reported.

Roles and Responsibilities

StateRAMP continuous monitoring includes several stakeholders, each of which serves a role in the process:

Monitoring Stages

Additionally, the Continuous Monitoring Guide divides a continuous monitoring program into five distinct stages:

Continuous Monitoring in StateRAMP

Considering these stakeholders and the basic steps of an ongoing monitoring process, StateRAMP expects from the provider a series of actions, reports, and communications demonstrating its continued adherence to the process.

What is that process?

Traditional First Steps

Under StateRAMP, service providers must:

Additionally, 3PAOs will submit annual documentation and penetration test reports.

Finally, the StateRAMP PMO will analyze these artifacts to determine whether the provider has met its requirements. The PMO will also provide access to the State Authorizing Body for further review. If at any time either party (the PMO or the Authorizing Body) determines that there are issues with the monitoring results, it will meet with the provider to create a POA&M, which usually includes additional requirements.

StateRAMP PMO Monthly Review

On top of these first-step processes, the CSP is expected to provide a monthly report to the StateRAMP PMO that summarizes its vulnerability and compliance scans. These reports highlight high-, moderate-, and low-risk vulnerabilities. High-risk vulnerabilities must be addressed within 30 days, moderate risks within 90 days, and low risks within 180 days.

Additionally, providers at the Low or Moderate impact level will upload to the PMO a copy of their updated POA&M, an inventory of monitored controls, risk adjustments, operational requirement changes, records of false positives, and an executive summary of all the above elements.

Those at the High impact level must complete the above-listed activities under a program directly managed by the PMO.
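The monthly report is easier to produce if the remediation windows above are applied mechanically to the POA&M rather than by hand. The following is an added example, not code from the original post, from StateRAMP, or from Continuum GRC: it takes the 30/90/180-day windows stated above, applies them to a small constructed POA&M (hypothetical identifiers and dates), and flags each item as open, due soon, overdue, or closed on time or late as of a chosen report date, then rolls the results up into the per-rating counts an executive summary would carry. The seven-day "due soon" warning threshold is an assumption, not a StateRAMP figure.

```python
"""POA&M remediation-deadline checker.

Added example (not StateRAMP or Continuum GRC tooling). Applies the
remediation windows given in the post to a constructed sample POA&M.
"""
from datetime import date, timedelta

# Remediation windows stated in the post, keyed by risk rating.
REMEDIATION_WINDOW_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

# Constructed sample POA&M rows: hypothetical IDs and ISO dates.
# "closed" is None while the weakness is still open.
SAMPLE_POAM = [
    {"id": "POAM-001", "risk": "High",     "detected": "2024-03-01", "closed": None},
    {"id": "POAM-002", "risk": "Moderate", "detected": "2024-01-15", "closed": "2024-03-20"},
    {"id": "POAM-003", "risk": "Low",      "detected": "2023-11-01", "closed": None},
    {"id": "POAM-004", "risk": "Moderate", "detected": "2024-03-25", "closed": None},
    {"id": "POAM-005", "risk": "High",     "detected": "2024-03-05", "closed": None},
]


def deadline_for(detected_iso, risk):
    """Return the ISO deadline: detection date plus the window for the rating."""
    if risk not in REMEDIATION_WINDOW_DAYS:
        raise ValueError("unknown risk rating: %r" % risk)
    detected = date.fromisoformat(detected_iso)
    return (detected + timedelta(days=REMEDIATION_WINDOW_DAYS[risk])).isoformat()


def assess_item(item, as_of_iso, warn_days=7):
    """Classify one POA&M row relative to the report date.

    Open items become 'open', 'due-soon' or 'overdue'; closed items become
    'closed-on-time' or 'closed-late'. days_remaining is negative when the
    deadline has passed (or was missed at closure).
    """
    as_of = date.fromisoformat(as_of_iso)
    deadline = date.fromisoformat(deadline_for(item["detected"], item["risk"]))
    if item["closed"] is not None:
        closed = date.fromisoformat(item["closed"])
        days_remaining = (deadline - closed).days
        status = "closed-on-time" if days_remaining >= 0 else "closed-late"
    else:
        days_remaining = (deadline - as_of).days
        if days_remaining < 0:
            status = "overdue"
        elif days_remaining <= warn_days:
            status = "due-soon"
        else:
            status = "open"
    return {
        "id": item["id"],
        "risk": item["risk"],
        "deadline": deadline.isoformat(),
        "days_remaining": days_remaining,
        "status": status,
    }


def assess_poam(rows, as_of_iso, warn_days=7):
    """Assess every row of a POA&M as of the given report date."""
    return [assess_item(row, as_of_iso, warn_days) for row in rows]


def monthly_summary(assessments):
    """Count items per risk rating and status for the executive summary."""
    summary = {}
    for a in assessments:
        by_status = summary.setdefault(a["risk"], {})
        by_status[a["status"]] = by_status.get(a["status"], 0) + 1
    return summary


if __name__ == "__main__":
    results = assess_poam(SAMPLE_POAM, "2024-04-01")
    for r in results:
        print("%s %-8s due %s (%+d days) %s"
              % (r["id"], r["risk"], r["deadline"], r["days_remaining"], r["status"]))
    print(monthly_summary(results))
```

Run against a real POA&M export, the overdue and due-soon rows are the ones the monthly report has to explain; the late closures are worth keeping in the summary as well, since they show whether the 30/90/180-day windows are actually being met over time rather than only at the report date.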

Annual Review

Alongside the monthly reporting requirements, service providers must conduct annual reviews and submit annual reports to remain in good standing with the StateRAMP PMO. These actions include:

Alongside these requirements, the provider's 3PAO must also conduct a few annual activities independent of the provider. These include:

Stay Ahead of StateRAMP Continuous Monitoring Requirements with Continuum GRC

Continuous monitoring is a lengthy, ongoing process. Providers are expected to regularly produce reports and checklists to demonstrate their compliance: paperwork that can take weeks or months to complete without careful planning and a straightforward process.

With the Continuum GRC cloud platform, you can streamline document management, risk management, and compliance control. Our automated tools provide a bird’s-eye view of your security posture while reducing the time needed to complete documentation and reports from months or weeks to days.

Continuum GRC is cloud-based, always available, and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
