StateRAMP, System Security Plans, and the Operational Control Matrix

StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities. 

In Revision 5, StateRAMP has seemingly moved from the traditional SSP toward an “operational control matrix,” a systematized document outlining the same information. Here, we’ll cover the SSP/control matrix and what it represents for the provider during StateRAMP authorization.

What Is in the StateRAMP Operational Control Matrix?

StateRAMP, like FedRAMP, involves the cloud provider offering a report on their security capabilities, expected assessment perimeter, and other core information. This report, the SSP, is usually one of the first documents in the assessment process.

With the move to Revision 5, StateRAMP has recently replaced the SSP with a similar document, the Operational Controls Matrix.

The StateRAMP Operational Controls Matrix is a tool cloud service providers use to document and manage the operational controls they have implemented to comply with StateRAMP requirements. It lists the controls the provider has implemented and shows how their policies and procedures map onto baseline StateRAMP compliance; in essence, it is a testament to the provider’s readiness to undergo assessment and a starting roadmap for 3PAOs to develop their assessment plans.

Critical aspects of the StateRAMP Operational Control Matrix include:

Note that the matrix is not a static document; it should be regularly updated to reflect changes in the operational environment, new or updated controls, and improvements in control implementation.

According to the StateRAMP Rev. 5 Templates and Resources page, this matrix replaces the original System Security Plan. Reviewing the document shows that much of what was in the SSP is carried over into the control matrix.

What Was the System Security Plan (SSP)?

The StateRAMP System Security Plan (SSP) was a foundational document under StateRAMP, modeled on the FedRAMP document of the same name, within which cloud providers would outline their security capabilities and ability to undergo compliance assessment.

Some of the critical components of this document were:

What Is the Difference Between the SSP and the Operational Control Matrix?

The SSP and the Operational Control Matrix are very similar. The former is structured more as a narrative, working through the organization’s control structure in a top-down fashion. The operational matrix, however, is a spreadsheet in which controls and other important information are laid out as a skimmable grid that is much easier to process from a management perspective.

There is also some overlap between the two in practice. While the StateRAMP Rev. 5 website states that the control matrix has replaced the SSP, there are still references to SSPs in the core documentation. When in doubt, consult with your security partners, 3PAO, and the StateRAMP PMO.

The information provided will, by and large, be the same. However, the layout, organization, and arrangement are much different and ideally more intuitive for assessors and the StateRAMP PMO.

How Do CSPs Complete and Submit Their Security Plan/Control Matrix?

The process for drafting and completing the SSP is outlined in the Getting Started guide provided by StateRAMP and involves the following steps:

Operationalize Your Security Controls and Compliance with Continuum GRC

Working to obtain or maintain StateRAMP compliance? Work with Continuum GRC.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.