
One Year In, StateRAMP Program Gets Off the Ground

Modeled on the FedRAMP program to pre-verify the cybersecurity of third-party vendors, StateRAMP is now working to get states on board and fill out its roster of companies certified to work with government.

The State Risk and Authorization Management Program, or StateRAMP, launched in early 2021 with the aim of solving a problem many governments are encountering in the pursuit of securing their systems: How can they be sure third-party vendors are meeting cybersecurity standards? Modeled on the Federal Risk and Authorization Management Program (FedRAMP), which offers pre-verification services for companies looking to contract with federal agencies, StateRAMP hopes to make it easier for both states and private companies to work together.

Since its inception, StateRAMP organizers have been working to get vendors certified in the program, as well as to get states to sign on to participate. The program’s success hinges on getting both sides on board.

STATES SIGN ON

Arizona is taking part in the StateRAMP pilot program, but its participation is not yet operational.

“Arizona has had an approach to reviewing cloud vendors for several years now,” state CIO J.R. Sloan, also currently president of StateRAMP, said. “We labeled it AZRamp.”

Under AZRamp, Sloan said vendors must provide documentation to show that they meet different thresholds relating to security and data protection. If a vendor meets these qualifications, they fill out a 30-question document and undergo a security assessment before being approved. However, one of the concerns the state had about AZRamp was the resources required to continuously monitor approved vendors. That made StateRAMP appealing.

“We joined StateRAMP’s steering committee after seeing how their program was able to address the issues AZRamp did on a larger scale,” Sloan explained.

Right now, the state is engaging in StateRAMP’s pilot program and doing internal reviews to see how its cybersecurity efforts can be improved. Moving forward, Sloan said, the hope is that joining StateRAMP will create a centralized approach to working with its current 230 vendors and create room for other vendors to join.

Another goal is freeing up the resources that AZRamp previously consumed so they can be put to work on other projects.

“I am looking forward to this process,” Sloan said. “Vendors will have a predictable understanding of what to expect when working with Arizona, and it will allow us to engage with vendors on an ongoing basis and maintain the state’s data properly.”

In Texas, the state is not directly using the program but will accept StateRAMP-certified vendors under its own certification program called TX-RAMP. State Senate Bill 475, passed in spring 2021, will require the Texas Department of Information Resources to certify vendors through TX-RAMP, with a fast track for vendors certified by FedRAMP and other states’ RAMP programs. StateRAMP-approved vendors also qualify to be fast-tracked into TX-RAMP. However, that’s the current extent of the state’s use of the program.

“We are in the process of finalizing the development of the program,” Texas Chief Information Security Officer Nancy Rainosek said. “It’s a similar process where vendors will have to submit documentation and meet required security controls.”

The major difference is that TX-RAMP’s program will solely work with Texas-based vendors to ensure that small and medium-sized companies have the chance to engage with the state if the cost of joining StateRAMP is prohibitively expensive.

“The certification process under StateRAMP can be costly and time-consuming,” Rainosek said. “Through TX-RAMP, there will be no charge to Texas-specific vendors that don’t do business outside of the state.”

She anticipates the program will be live in December.

As for other states signing onto StateRAMP, Teri Takai, vice president of e.Republic* and a member of the StateRAMP steering committee, said that understanding what the program can do along with the benefits it offers is key in widespread adoption.

“What I’m hearing is states are slowly getting an understanding of StateRAMP,” Takai said. “They are beginning to understand that this can help them streamline procurement, and they won’t have to go back and do multiple security assessments for each state. Instead, they would simply have to say they are StateRAMP-certified.”

Another benefit is that vendors who are already FedRAMP-certified qualify to become StateRAMP-certified. If a FedRAMP-approved vendor wants to become StateRAMP-certified, they would have to show a prior 90 days of continuous monitoring and pay a fee to the StateRAMP Program Management Office to convert their documents to StateRAMP’s templates.

MAKING IT WORK

As for vendors, Salesforce and Boomi, an IT service management company, are currently undergoing certification through StateRAMP.

According to Boomi’s public-sector Chief Technology Officer Joseph Flynn, “one of the biggest benefits is that StateRAMP looks at security challenges more than we can and provides a common line among providers to work with states and creates a common language for procurement.”

The barriers, Flynn said, are that it is a time-consuming process that requires a lot of resources and money. Another challenge, according to Paul Baltzell, vice president of strategy and business development for Salesforce, who also serves on the StateRAMP steering committee, is getting people on board since StateRAMP is relatively new.

“There has definitely been a lot of interest in states and vendors using StateRAMP,” he explained. “But there have been a lot of questions from stakeholders in the vendor community, along with states.”

However, despite these questions and having to undergo a rigorous process to become certified, Baltzell said, “StateRAMP allows vendors to become a true partner to states.”

“We believe StateRAMP can be adapted to work in all 50 states,” Leah McGrath, StateRAMP’s executive director, said. “What makes this possible is that StateRAMP creates a common set of standards for vendors and states to follow.”

“It also stands out from other certifications because it continuously monitors for cyber threats and allows vendors to go through the verification process one time and serve all states and local governments,” McGrath said.

Getting Certified

To be StateRAMP-certified, vendors must go through several steps. The first is to fill out an online membership application. The second step is to use a data classification tool to determine a vendor’s security category (Category 1, 3 or 3+). Categories are determined by different data characteristics and corresponding security requirements ranging from nonprivate, generally accessible information to protected, personally identifiable information or classified data.

Once a category is assigned, a vendor must work with a third-party assessment organization to review their StateRAMP System Security Plan and other required documentation in order to provide a StateRAMP Readiness Assessment Report to the StateRAMP Project Management Office.

Costs: It costs $2,500 for the project management office to conduct a review for “Ready” status or $5,000 for an authorization review. After a vendor is approved, the annual membership fee is $500. Following that, continuous monitoring costs $5,000 per year.

Governments can join StateRAMP for free.

Katya Diaz is a staff writer for Government Technology. She has a bachelor’s degree in journalism and a master’s degree in global strategic communications from Florida International University.