What Is the StateRAMP Security Assessment Framework?

StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. 

In this article, we’ll talk about the basics of StateRAMP, specifically the Security Assessment Framework, and the processes and documents required therein.

What Is StateRAMP?

In the interest of national security and the well-being of American businesses, citizens, and government agencies, Congress and associated security agencies have built a web of cybersecurity frameworks and guidelines. These regulatory frameworks ensure that the organizations that adopt them can have a firmer footing against hacks and state-sponsored cyber terrorism. 

While it’s feasible to implement national security frameworks that all federal agencies must follow, it’s not as easy at the state level, where local governments set their own independent requirements, and that independence can significantly slow the adoption of helpful security measures.

The StateRAMP program intends to rectify this. StateRAMP was founded in early 2020 as a private-sector project to take government cybersecurity regulations around cloud computing and translate them to the state level. 

StateRAMP draws both its security model and its name from the Federal Risk and Authorization Management Program (FedRAMP), the federal program that applies security requirements to Cloud Service Providers (CSPs) offering products to federal agencies. FedRAMP draws on NIST Special Publication 800-53, among other documents, to derive a tiered approach to security based on the sensitivity of the government agencies involved and the data they manage.

Likewise, StateRAMP draws more broadly from NIST SP 800-53 and FedRAMP to define its security framework. Some of the commonalities include:

As of 2022, several states have adopted StateRAMP requirements, including Texas, California, and New York. Likewise, major technology companies like BlackBerry, Box, Zoom, and Avaya have already completed their StateRAMP Authorization.

What Is the StateRAMP Security Assessment Framework?

The StateRAMP security model is based on NIST 800-53, a core document for national cybersecurity and an inventory of critical security controls used in regulations like FISMA, FedRAMP, and others. The framework also draws from a collection of NIST standards, including the NIST Risk Management Framework.

More specifically, the process is broken down into four steps:

Document

At this stage, the state or local government agency and the provider identify the demands of the cloud service needed, namely the type of data being stored and the level of security that data requires.

Some of the components of this step include:

Assess

As the name suggests, this stage involves the assessment of the provider. StateRAMP, like FedRAMP, doesn’t allow self-certification or self-reporting; CSPs and agencies must rely on Third Party Assessment Organizations (3PAOs) for their audit.

The crucial parts of this stage include:

Authorize

Once the assessment has been completed, it is up to the StateRAMP Program Management Office (PMO) to authorize the provider.

Note: Once the provider is approved, their status can be revoked if they fail to meet their requirements. The StateRAMP PMO or the authorizing agency (the partner agency working with the provider) may consult with an Appeals Committee to consider revocation. Once Authorization is revoked, the CSP is removed from the Authorized Product List.

Monitor

Like FedRAMP Authorized CSPs, StateRAMP providers must continuously monitor their systems to ensure they still meet StateRAMP requirements. This includes:

Get Ready for StateRAMP Authorization with Continuum GRC

StateRAMP is quickly becoming a popular framework for CSPs that want to work in the evolving state and local government tech marketplace. Likewise, these government agencies are increasingly looking for providers that can help them modernize their services. 

Continuum GRC is a cloud-based platform that provides a risk- and compliance-based approach to assessments. Our tools are FedRAMP and StateRAMP authorized, and we have decades of experience in the government cybersecurity industry. 

Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
