States’ determination to ensure that their cloud products and vendors are secure is driving membership in StateRAMP, the non-profit dedicated to managing supplier risk.
With more state and local governments set to join the State Risk and Authorization Management Program (StateRAMP), the nonprofit organization’s executive director said she sees “momentum” for its efforts to standardize cloud security.
Speaking during FCW’s FedRAMP summit, Leah McGrath said between 12 and 15 more governments are set to be announced as members, just months after more states joined the nascent group that was launched last year to verify that cloud services used by state and local governments satisfy its adopted security requirements. McGrath said states’ determination to ensure that their products and vendors are secure and their desire for a more standardized approach to cloud procurement has driven the increased membership.
"I think finding a way to speed up the [authorization] process is really critical, and it's part of what I think is driving the momentum we're seeing in state and local government,” she said.
Continued attention on data privacy is also pushing agencies to bolster their cybersecurity, even as Congress continues to debate national regulations.
In the absence of a federal data privacy law, several states have stepped up with their own, including California, which also was an early adopter of StateRAMP. Its privacy law has forced state leaders to be even more rigorous in their assessment of vendors’ cybersecurity preparedness, and McGrath said StateRAMP has helped set a “baseline” in that assessment ahead of any further auditing required by law. That could be a model for elsewhere, she said.
"It's part of what I think is really exciting and what's so important about the StateRAMP initiative,” she said. “We're bringing all these state leaders and local governments together to participate in these committees to try to drive toward a standardized approach so we can have as much of a standardized baseline as possible."
StateRAMP’s federal equivalent, FedRAMP, was the model for the state version. Congress is working to codify FedRAMP in law, rather than have it remain a presidential directive that can be overturned. Rep. Gerry Connolly (D-Va.) added language to the House version FY22 National Defense Authorization Act to formalize the program in law, with the Senate debating its own version.
McGrath said some state and local governments were surprised to learn that FedRAMP has not been codified. And with StateRAMP also picking up members, she said the authorization process will all become standard practice sooner rather than later, regardless of whether it is codified in law. "I think it will stick,” McGrath said.