Sponsor Content
Harmonizing Cloud Cybersecurity Frameworks

StateRAMP lays groundwork for standardizing cloud security controls

Help is on the way for public sector agencies and cloud vendors struggling to reconcile multiple cybersecurity frameworks.

The help is coming from StateRAMP, whose framework-harmonization initiative is giving state and local governments a faster, simpler way to assess cloud vendor security practices and confront never-ending threats to constituent data and agency IT systems. Modeled on FedRAMP, StateRAMP certifies the cybersecurity controls of commercial cloud vendors, which can help state and local governments narrow their choices of cloud-based services and applications.

Harmonization is one of StateRAMP’s biggest priorities because it helps unify the cybersecurity frameworks that federal agencies and standards organizations use to establish and enforce compliance guidelines. In recent decades, rising cyber risks prompted organizations across sectors to create multiple security frameworks for protecting data, IT systems, financial assets and other attractive targets. The FBI, IRS, National Institute of Standards and Technology (NIST) and other authorities created security frameworks with subtle differences that add complexity and confusion for government agencies and cloud software vendors.

StateRAMP’s framework-harmonization effort acknowledges that inconsistent controls across multiple frameworks undermine cyber defense.

“Not having harmony in cybersecurity frameworks weakens our collective security,” said Nick Leiserson, assistant national cyber director for cyber policy and programs with the Office of the National Cyber Director, at a recent StateRAMP summit in Indianapolis. “We spend too much time focusing on compliance and not enough on actual cyber defense.”

A day before the summit, framework harmonization took center stage at a symposium for state and local government security leaders. Convened by StateRAMP and the Center for Digital Government, the symposium was co-sponsored by 22nd Century, Amazon Web Services, CGI, NetApp and Palo Alto Networks. The symposium’s speakers and attendees discussed the hardships that multiple frameworks impose on state and local governments, the benefits of harmonization and the big-picture security topics weighing on IT security leaders’ minds.

StateRAMP recently took a significant step toward harmonization by aligning its baseline requirements to NIST SP 800-53 Revision 5. Revision 5 integrates privacy and security into a single, cohesive approach, aligning its controls with other major frameworks, including FedRAMP and StateRAMP. Next, StateRAMP plans to launch an initiative to harmonize its efforts with the FBI’s Criminal Justice Information Services (CJIS) policy requirements.

StateRAMP’s Role in Framework Harmonization
Just as FedRAMP vets the security controls of cloud vendors serving federal agencies, StateRAMP helps state and local agencies form a common cyber defense with their vendor partners.

“We continue to see some of the greatest threats coming from the supply chain,” StateRAMP Executive Director Leah McGrath said in an interview after the Indianapolis symposium. StateRAMP gives vendors throughout the cloud supply chain a venue to demonstrate that they follow standards of organizations like the National Institute of Standards and Technology (NIST) and agencies like the IRS, FBI and Department of Homeland Security.

Because each authority has different guidelines — some similar, some contradictory — there’s a critical need to harmonize security frameworks and create a united front on defense. Unity also eases the load on resource-strapped IT leaders.

“While compliance frameworks such as NIST SP 800-53, ISO 27001 and FedRAMP each provide important security controls, their misalignment can lead to fragmented efforts, leaving gaps in security that sophisticated threat actors can exploit,” StateRAMP noted in an update on its website in early October 2024.

StateRAMP gained significant ground by collaborating with NIST to update SP 800-53 to Revision 5, integrating privacy and security controls and aligning them with FedRAMP, StateRAMP and other major frameworks. Cloud vendors that meet Revision 5 guidelines can demonstrate compliance with other frameworks, lightening overall compliance burdens for state and local agencies.

Ken Weeks, New Hampshire’s chief information security officer (CISO), is a StateRAMP early adopter who is enjoying the benefits of knowing a vendor’s proposal already meets StateRAMP’s approval. “It allows us to realize a lot of efficiencies, because now it's not the one-man show of Ken Weeks trying to evaluate security controls and privacy controls within a proposal,” he said in an interview after the Indianapolis symposium. “That's already done by StateRAMP.”

StateRAMP also tracks cloud vendor controls over the long haul. “Continuous monitoring is worth its weight in gold because even the initial review is a snapshot in time,” Weeks said.

Why Framework Harmonization is a Growing Priority
Data protection policies have had the best of intentions since the dawn of the digital era. McGrath notes that the FBI’s CJIS security guidelines predate NIST, for example. Over the years, agencies responsible for taxation, health and other specialties also developed data protection frameworks for their distinct needs.

“They're all somewhat similar, but not aligned,” McGrath noted. As the internet became more deeply woven into society and government operations, and threat actors got more and more adept at hacking government websites, framework compliance became increasingly convoluted.

Dan Lohrmann, senior fellow with the Center for Digital Government and former CISO for the state of Michigan, moderated discussions at the Indianapolis symposium. In an interview after the event, he described how things evolved under his watch in Michigan.

The state Treasury Department, for instance, needed one set of controls for processing IRS tax data. Lohrmann’s department had to free up time, space and money to accommodate their compliance audits. “In many cases, they'd send in 10, 15 or 20 people,” Lohrmann recalled. “We'd have to give them whole cubes and they'd move in for multiple months.”

There would be much more to come. Health-and-welfare regulators had patient data regulations to enforce. The State Police had CJIS rules to comply with. Payment Card Industry (PCI) overseers had rules for credit card transaction security. These and other organizations tied up resources that Lohrmann’s team could have devoted to strengthening cyber defense.

“It's kind of like taking the car for a test drive 37 different times,” Lohrmann said.

How Framework Harmonization Helps State and Local Agencies
The need for common, consistent security standards became increasingly evident as new flavors of cyberattacks emerged with rising frequency. “I’ve seen more interest in action in this area in the last 12 to 18 months than I've seen in the last 20 years,” Lohrmann said. He hopes that when agencies and vendors start tapping the value of harmonization, they’ll want to do even more of it in the future.

It’ll be a big job that’s made easier by collaboration with organizations like StateRAMP. “We're starting the climb up Mount Everest,” McGrath said. “By doing that together, we are able to gain efficiencies and reduce the workload on states and local governments.” Working together on harmonization also yields greater transparency on agencies’ strengths and potential risks, she added. Moreover, security professionals can devote their limited resources to addressing threats and responding to attacks rather than overseeing audits and meeting compliance checklists.

How might harmonization shake out? McGrath explains that a cloud service provider could become StateRAMP authorized in 2025 and demonstrate their alignment, for instance, with the federal CJIS requirements. “This is a huge win” for state and local agencies, McGrath said, because they can trust that a cloud service provider has been StateRAMP vetted across multiple frameworks.

Weeks noted that framework harmonization will make operations more resilient in the future. It will also bring simplicity. “You can manage the complexity, and you can actually implement the controls that protect the data,” Weeks said.

Gaining Ground on Framework Harmonization
Agency leaders need to make sure they understand the broad ramifications of framework harmonization. For example, aligning frameworks can help agencies better monitor their cloud supply chains, many of which rely on APIs connected to services with potentially unknown cybersecurity measures. Agencies doing due diligence on a potential cloud vendor can gain some reassurance if they know that its supply-chain partners also have StateRAMP certifications.

Weeks encourages more attention to the furthest reaches of the cloud data supply chain — fourth- and fifth-party risks that might be overlooked when vetting potential cloud vendors. “Who are the subcontractors that the vendors do business with?” Weeks asked. “Do we have any idea if they're on the same framework? It's always the risk that we don't know we have, because it's been assumed on our behalf by others.”

McGrath noted that StateRAMP comprises state and local leaders participating in committees creating a safer future. She encouraged IT leaders to find out more about StateRAMP and become part of the conversation on improving security controls. “Let's look at how we can work together to drive toward framework harmonization so we can be stronger together as well,” she said.

Framework harmonization will always be a work in progress because attackers’ techniques and their targets’ vulnerabilities are always shifting. Moreover, health regulators and law enforcement agencies, for instance, will need specific controls that can’t be harmonized.

Thus, Lohrmann notes that it may be unrealistic to achieve full harmonization among all security frameworks. But every gain in simplicity and reduction of repetition helps. “If we can solve 80%, 90%, maybe even 95% of the common controls that are needed, that's a huge benefit,” he said.

What’s Driving Conversations on State and Local Cybersecurity
Framework harmonization was just one of the topics explored during the Indianapolis cybersecurity symposium, which brought together 21 state and local leaders from across the U.S. Lohrmann and Weeks moderated discussions revealing the key issues leaders are working through.

Ransomware and more. Incursions and coercion are exploding. “The number of attacks against state and local government continues to increase — we heard that loud and clear,” Lohrmann said. The interest in framework harmonization underscored a broad emphasis on managing risks and getting the right protections in place, he added.

Skills gaps. “It's still hard to get people with experience and talent, although it's getting easier than it was,” Lohrmann said. A few bright spots came up during the symposium: “There are many creative approaches being taken by states like Texas and Indiana to build pipelines, train their people and offer incentives for individuals transitioning from different career tracks,” he added.

Funding outlook. State and local IT leaders have enjoyed an influx of federal dollars for cybersecurity and technology modernization. Lohrmann echoed the concerns of many who’ve bought products or services with those funds: “What do you do when the money runs out?”

Small agency challenges. Smaller cities and counties must assess their cyber risks, implement controls and respond to attacks just like their peers from large jurisdictions. “Getting the funding and the resources to do a good risk assessment continues to be a challenge,” Lohrmann said.

Benefits of collaboration. Lohrmann noted that the symposium showcased IT leaders’ ability to work together on addressing cyber risks. “There's a lot of power in a really good network — sharing best practices, having a listening ear, picking up the phone and being able to contact people,” he said. “That gives me a lot of hope.”