Fast track to StateRAMP for more secure state and local government
- By Phil Fuster
- Jul 20, 2021
The SolarWinds breach, the Colonial Pipeline and JBS meatpacking ransomware attacks, the D.C. Metro Police hack and countless more cyberattacks on state and local government organizations and critical infrastructure have public-sector cybersecurity and IT leaders wondering what’s next.
This pileup of events has catapulted cybersecurity to the top of government agendas. In fact, FBI Director Christopher Wray recently compared today’s ransomware threat to that of the post-9/11 global terrorism threat, underscoring the urgent need to ramp up cybersecurity efforts across government and industry.
As state and local governments look to accelerate migration to the cloud to improve citizen services delivery, security is a driving force. StateRAMP, which opened membership just this spring, is expected to become an essential bridge for secure modernization. However, the road to StateRAMP compliance is still under construction, and it could be a rocky journey for states and their solution providers that don't plan their cloud modernization carefully.
StateRAMP -- which is taking best practices from its cousin the Federal Risk and Authorization Management Program (FedRAMP) -- aims to standardize state and local governments’ approaches to security and risk assessment across cloud technologies at a time when they need all the support they can get.
StateRAMP is slated to announce its first list of authorized vendors this summer, and there are expectations that state and local governments will quickly embrace the model. The program is expected to transform cloud service procurement, so governments and their cloud solution providers (CSPs) must be ready.
The good news is that StateRAMP includes a reciprocity path that allows solutions that already hold a FedRAMP authority to operate (ATO), a provisional ATO, or a FedRAMP Ready designation to move quickly through the StateRAMP authorization process. It involves submitting the existing FedRAMP security package to StateRAMP, demonstrating the prior 90 days of continuous monitoring and paying a fee.
The landscape is different for cloud solution providers and offerings that are not FedRAMP authorized. To accelerate StateRAMP authorization, CSPs should seek a partner with experience in the federal program. A platform that includes security as part of the delivery model is key, as is an enablement process that reflects FedRAMP requirements. Inheritable security controls, meaning controls already implemented and assessed at the underlying platform layer that an offering's security package can reference rather than reimplement, can be an essential compliance accelerator that also reduces costs; the CSP remains responsible for documenting which controls it inherits and which it must implement itself.
Ongoing monitoring is also an essential part of maintaining StateRAMP authorization and can be a heavy lift for CSPs not experienced in the world of FedRAMP. CSPs will be required to continuously monitor cloud systems that have been awarded StateRAMP authorized status. They also must submit monthly and quarterly reporting as well as a security assessment from an independent third-party assessor. And, while StateRAMP is still in the ramping-up phase, seasoned FedRAMP solution vendors can be a crucial part of helping agencies and CSPs through the process and achieving success.
Cybersecurity, always a top priority for public sector organizations and IT leaders, has never been more critical, and cloud security is now at its center. StateRAMP, based on a "complete once, use many times" concept, stands to significantly improve cybersecurity by standardizing cloud solution procurement and reducing costs and complexity for governments and their vendor partners. The key to success is careful planning, an experienced guide and a model that includes security as an integral part of the planning and delivery process.
Phil Fuster is senior director public sector at Rackspace Technology.