
StateRAMP, Subnetworks, and Boundary Security

StateRAMP draws its network security requirements from NIST SP 800-53, and the specific controls a provider must implement depend on the impact level of the application and the data it processes. Boundary protection is one of the more relevant, and sometimes more challenging, parts of network security compliance. Here we dig into how StateRAMP (and, to some extent, FedRAMP) approach subnetworks and boundary security.


Do StateRAMP-Compliant CSPs Need to Use Subnetworks?

The short answer is yes. Any cloud service provider (CSP) seeking StateRAMP Authorization must follow specific boundary protection practices for its networks, including the use of logically or physically separated subnetworks to isolate specific computing areas.

A “subnetwork” is a logically separated (by software or hardware configuration) or physically separated (by dedicated hardware or an air gap) section of a broader network, arranged so that traffic from external networks or from other internal subnetworks must pass through dedicated controls at the boundary (if access is permitted at all).

A familiar example of a subnetwork is the Wi-Fi in a public venue. The same network may support business operations and management while also offering guest access to customers. The operational and guest networks share the same physical infrastructure but are logically separated so that guests cannot reach business systems.

Crucial to the concept of boundary protection and subnetworks are the definitions of key terms:

Boundary controls under StateRAMP address both access from outside the authorization boundary and access between the subnetworks inside it.
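The separation described above (public-facing components in their own subnetwork, external traffic entering only through a managed interface, internal tiers reachable only from the tier in front of them) can be checked mechanically against a provider's firewall or security-group rules. The following is an added example, not code from the original page or from StateRAMP, FedRAMP or Continuum GRC: a small policy-as-code check in Python over a constructed three-tier topology (dmz, app, data) and a constructed rule set. The subnet addresses, the ALLOWED_SOURCES map and the PUBLIC_PORTS set are assumptions for illustration; the same check covers the guest/business Wi-Fi case by swapping in those two zones.

```python
"""
Policy-as-code check for subnetwork separation at an authorization boundary.

Added example (hypothetical topology and rules, not from any real deployment).
Each destination subnet declares which source zone may originate traffic into
it; "internet" stands for any source outside the modelled address space.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed topology: one publicly accessible subnet and two internal tiers.
SUBNETS = {
    "dmz":  ipaddress.ip_network("10.0.1.0/24"),  # publicly accessible components
    "app":  ipaddress.ip_network("10.0.2.0/24"),  # internal application tier
    "data": ipaddress.ip_network("10.0.3.0/24"),  # internal data tier
}

# Assumed boundary policy: external traffic terminates in the DMZ only,
# and each internal tier accepts traffic only from the tier in front of it.
ALLOWED_SOURCES = {
    "dmz":  {"internet"},
    "app":  {"dmz"},
    "data": {"app"},
}

# Assumed set of ports the DMZ may expose at the external managed interface.
PUBLIC_PORTS = {443}


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from `source` CIDR to `dest_subnet` on TCP `port`."""
    source: str
    dest_subnet: str
    port: int


def classify_source(cidr: str) -> str:
    """Return the subnet name a source CIDR lies entirely within.

    Anything not fully contained in a known subnet (0.0.0.0/0, an overly
    broad 10.0.0.0/16, a foreign address) is treated as untrusted 'internet'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for name, subnet in SUBNETS.items():
        if net.version == subnet.version and net.subnet_of(subnet):
            return name
    return "internet"


def check_rules(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that violates the boundary policy."""
    findings: list[str] = []
    for r in rules:
        src = classify_source(r.source)
        allowed = ALLOWED_SOURCES[r.dest_subnet]
        if src not in allowed:
            findings.append(
                f"{r.source} -> {r.dest_subnet}:{r.port}: source zone '{src}' "
                f"not permitted (allowed: {sorted(allowed)})"
            )
        elif src == "internet" and r.port not in PUBLIC_PORTS:
            findings.append(
                f"{r.source} -> {r.dest_subnet}:{r.port}: port exposed to the "
                f"internet is not in the approved public set {sorted(PUBLIC_PORTS)}"
            )
    return findings


# Constructed sample rule set: three compliant rules and three violations.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "dmz", 443),      # ok: public ingress via the managed interface
    Rule("0.0.0.0/0", "dmz", 22),       # finding: SSH exposed to the internet
    Rule("10.0.1.0/24", "app", 8080),   # ok: dmz -> app
    Rule("10.0.2.0/24", "data", 5432),  # ok: app -> data
    Rule("0.0.0.0/0", "data", 5432),    # finding: internet bypasses the boundary
    Rule("10.0.1.0/24", "data", 5432),  # finding: dmz reaches the data tier directly
]

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against SAMPLE_RULES the check reports three findings: the SSH port exposed on the DMZ, the direct internet-to-data rule, and the DMZ-to-data rule that skips the application tier. Any source CIDR wider than a known subnet is deliberately classified as untrusted, so an overly broad internal allow rule surfaces as a finding rather than silently passing.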


What Are NIST Special Publication 800-53 and Boundary Protection (SC-7) Controls?

The backbone of StateRAMP (and FedRAMP) requirements is NIST Special Publication 800-53. More specifically, both programs derive their network and boundary controls from the System and Communications Protection (SC) control family, and in particular from control SC-7, Boundary Protection.

The base control includes three primary requirements that all CSPs must adhere to (as stated in NIST SP 800-53 Rev. 5, SC-7 a through c):

(a) Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.

(b) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal organizational networks.

(c) Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.


StateRAMP and SC-7 Requirements

Every StateRAMP Impact Level must implement at least some components of SC-7:

Low Impact

Cloud providers meeting StateRAMP Low Impact requirements implement the baseline SC-7 guidelines (i.e., those listed above). In practice this means managed interfaces at the boundary and subnetwork separation between user-accessible resources and operational systems.

Low+ Impact

There is a significant jump from Low to Low+ Impact. CSPs must not only meet the core requirements of SC-7 but also add four further capabilities:

Moderate Impact

Along with the baseline SC-7 requirements and the additional Low+ requirements, StateRAMP Moderate Impact adds four more:


Maintain Network Security Under StateRAMP. Trust Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
