The initiative essentially offers companies a way to have their product offerings assessed and authorized for secure federal government use and to meet compliance requirements for cloud security.
“Change is coming,” said J.R. Sloan, Arizona CIO and co-founder of GovRAMP — formerly known as StateRAMP. “It’s not clear what the exact impacts will be.”
As he explained, StateRAMP was born out of a need for state agencies like his own to be able to ensure that their data is secure, even while embracing the benefits of cloud computing. The FedRAMP program already existed, and states were enacting their own versions inspired by that concept. Due to subsequent demand from other states, local governments and educational institutions, and a desire for unity, the new program — recently rebranded from StateRAMP to GovRAMP — was born to serve all those levels of government.
“So, today, [GovRAMP]’s mission is really to do that thing that FedRAMP has done, but to do it at the state and local government level,” Sloan said. That thing is to establish security standards ensuring suppliers working with government can provide high-level, verifiable security protections for the data governments entrust them with. Because, he underlined, the government is still ultimately responsible for that data.
The GovRAMP team has worked extensively with its counterparts at FedRAMP to achieve alignment — to the greatest extent possible while serving the needs of local and state governments — between the two programs, said Jessica Van Eerde, chief of operations for GovRAMP. Notably, governments that have submitted their documentation package for FedRAMP can submit the same package to GovRAMP, but not the other way around. Van Eerde said as FedRAMP changes, GovRAMP will continue exploring whether the process can go both ways, so governments submitting to GovRAMP can also submit to FedRAMP.
There will likely be conjecture in the market about the impacts of FedRAMP 20x, but Sloan advised stakeholders to wait and see what happens as the efficiency initiative develops further.
“We’re all about being efficient in what we do, but not at the expense of security,” he said.
As governments wait to see what shape the future of FedRAMP takes, states and locals can work with GovRAMP — an entity with which they are familiar — to continue to receive protection and assurances, Sloan said.
The GovRAMP team will be part of the working groups as FedRAMP 20x develops, Van Eerde said, and is eager to have a voice at the table on behalf of GovRAMP members.
As FedRAMP evolves, Sloan said that GovRAMP will be “a place of stability in a landscape that’s maybe somewhat unstable.”
One factor that differentiates states and localities from organizations in the federal ecosystem is a greater reliance on working with small- to medium-sized businesses, Van Eerde said.
Because smaller companies may not be doing business with the federal government, the FedRAMP authorization was not open to them. This gap in the market, Teri Takai explained, prevented certain companies that wanted to work with states — or localities — from ensuring data security as a standard prior to the creation of GovRAMP. Takai has experience serving as CIO both at the federal level with the Department of Defense and at the state level for Michigan and for California. She currently serves as the chief programs officer for e.Republic.*
GovRAMP has worked in recent years to ensure there is a path for those smaller businesses to open doors to working with government, as Executive Director Leah McGrath explained in a webinar Thursday.
So, will GovRAMP implement changes to mirror those at the federal level that take shape through FedRAMP 20x? That depends, Van Eerde said, on whether the outcomes of that initiative support GovRAMP’s mission to “improve the cyber posture of the nation.”
“Security is the trust currency in which we trade, and that we must maintain with our constituents,” Sloan said.
FedRAMP first emerged in the early days of organizations moving data to the cloud and seeking a way to do so securely — a time Takai described as the “wild, wild west.” She said she expects the program changes to impact all parties served by FedRAMP: federal agencies, businesses working with them, and constituents.
Procurement was a big reason for the creation of both GovRAMP and FedRAMP, she underlined. Their standards in this area have significant impact because, without them, procurement organizations face great difficulty in effectively vetting every potential provider. And although these security validations can take time, the intent was ultimately to speed up the procurement process. FedRAMP enabled companies to work with different government customers without needing to repeatedly recertify their security, with an aim of making procurement easier for organizations in both the public and private sectors.
This will be important to keep in mind as FedRAMP program changes are implemented, Takai said, to maintain the efficiency the program aims to create.
While the federal government implements changes under a new administration, Takai emphasized the importance of reading “the fine print” to understand the intent of specific actions. She said that assessing longstanding government programs for whether they meet current industry cybersecurity needs is “a good idea.” She said this initiative may also create opportunity for greater autonomy among state and local governments to responsibly implement security measures.
“This is an evolving story,” Takai said, indicating that more will be known in the coming months. “It’s going to be sort of a continual understanding — and a leveling, if you will — in terms of how these critical functions for government are accomplished.”
*e.Republic is Government Technology's parent company.