While the federal government can mandate overall cloud security requirements, each state, local and education agency has its own authority, StateRAMP’s Leah McGrath explains.
Governments at all levels face many of the same challenges when it comes to cloud computing, but there are differences, too.
A recent Government Accountability Office report found that ensuring cybersecurity, procuring cloud services, maintaining a skilled workforce and tracking costs and savings top the list of obstacles at the federal level.
State, local and education agencies also face the first three challenges, said Leah McGrath, executive director of StateRAMP, which offers standardized cybersecurity verification and provides transferable credentials and an Authorized Product list that governments can use for cloud procurement. But she would replace tracking costs and savings with an inability to mandate the same requirements across all entities as the fourth challenge.
“Tracking costs and savings is on the minds of every government official, but I don't know that it’s specific or unique to cybersecurity or cloud solutions,” McGrath said. “The other reason that I think it’s not something we’re talking about as often is really just because we’re starting to see increased investment from state legislatures, from the federal government in cybersecurity…. I think it’s unfortunately because we’re seeing so many threats that the federal government agreed to grant programs, and then states through legislators are starting to invest in that.”
What’s trickier to navigate is the unique needs of each state, local and education agency. “In the federal government, there can be a mandate that applies to all. [In] state and local government, you’ve got independent jurisdictions with their own authorities,” she said.
McGrath said the answer to state cybersecurity is information sharing, determining common connections and building from there.
“Cyber criminals don’t know town borders, town limits,” she said. “They don’t care what’s a K-12 vs. higher ed vs. a state agency. But in many states, and in most cases, there is still some connectivity between all of those. So how do we make sure that [agencies are] all working from that same playbook of best practices for cybersecurity?”
Also driving shared resources among state, local and education entities is the nationwide shortage of cyber professionals. “If there’s a way to lean on one another or [on] an organization like StateRAMP to validate that cloud security so that they can then focus on strategic initiatives and how to manage risks more effectively or mitigate risk, I think that becomes even more important, given the landscape of the challenges everyone’s facing from workforce,” McGrath said.
Still, GAO’s findings are relevant to all levels of government. For instance, the report recommends that agencies develop guidance so that their cloud service contracts specify what constitutes a data breach, the breach notification process and how data and networks will be managed – all advice that’s universally applicable.
After all, state and local governments often take their cue from federal actions. StateRAMP itself is modeled after the Federal Risk and Authorization Management Program (FedRAMP).
“We are certainly looking at reports like this always to understand best practices,” she said. “What can we learn? How can we continue to get better? How can we improve together?”
StateRAMP is working to develop a pre-Ready assessment or security snapshot that is akin to a gap analysis so providers can understand where they are with their cyber maturity and what they need to do to achieve StateRAMP Ready status. A Ready status means the product meets the nonprofit’s minimum mandatory requirements and most critical security controls. McGrath said she expects StateRAMP to help governments by enabling them to request that vendors complete the assessment to understand how to work together toward stronger security.
It comes down to “encouraging states and local governments to be really mindful of how you can verify your cloud security with your third-party vendors,” she said. “And oh, by the way, you don’t have to do it by yourself; we can do this together. I think [that’s] very powerful.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.