StateRAMP Fundamentals & StateRAMP Fast Track

StateRAMP is a non-profit organization that launched in early 2021 with the goal of providing a standardized approach to cloud cybersecurity authorization for State and Local governments. You might ask, why create another governing body when a proven framework for the federal government like FedRAMP exists? We get it, each industry and governing body needs to be a special snowflake. Before we jump to conclusions, let’s dive into the StateRAMP program to see if cloud service providers (CSP) should be paying attention for future business opportunity.

Table of Contents

StateRAMP Fundamentals & StateRAMP Fast Track

StateRAMP is a non-profit organization that launched in early 2021 with the goal of providing a standardized approach to cloud cybersecurity authorization for State and Local governments.  You might ask, why create another governing body when a proven framework for the federal government like FedRAMP exists?  We get it, each industry and governing body needs to be a special snowflake.  Before we jump to conclusions, let’s dive into the StateRAMP program to see if cloud service providers (CSP) should be paying attention for future business opportunity.

What is StateRAMP?

As noted above, StateRAMP launched in early 2021 and has been making progress since then.  The StateRAMP mission and charter is below;

“StateRAMP provides a standardized approach to cybersecurity assessment, authorization, and continuous monitoring.  StateRAMP is an independent, not-for-profit, public-private partnership providing an efficient and cost-effective solution for verifying the cybersecurity profile of service providers on behalf of State and Local governments.  StateRAMP’s purpose is (1) to help State and Local government protect citizen data; (2) save taxpayer and service provider dollars with a “verify once, serve many” model; (3) to lessen the burdens on Government; and (4) promote education and best practices in cybersecurity among those it serves in industry and the government communities.”

StateRAMP vs. FedRAMP?

The question has been asked, why even have a StateRAMP program when FedRAMP exists?  The same argument could also be made for CMMC, other frameworks.  The FedRAMP program was designed for the Federal Government and downstream contractors. StateRAMP is designed for State and Local Government even though similar in nature with the NIST 800-53 common thread.   

One of the bigger impacts we’ve seen is that cloud service provider (CSP) FedRAMP authorization packages (inclusive of ConMon) are restricted to the Federal Government, so State and Local entities have not had the requested insights and ongoing visibility.   

“If leveraging FedRAMP authorizations, State and Local entities do not the visibility into the FedRAMP package (inclusive of ConMon)”

While very similar in nature from a security requirement perspective (NIST 800-53) – there are a few key variables outlined below….

We’ve also seen FedRAMP leveraged by different State and Local cloud solicitations in the past, as in a hard RFP requirement for a cloud service provider, but the FedRAMP package and ConMon were not available in most cases.   Given the evolving digital threats that all government entities face, the expectation of more customer ongoing visibility is going to be required.  Therein lies the business case for StateRAMP and why there has been momentum over the past year.

StateRAMP Authorization Paths

There are two main StateRAMP authorization paths to consider for your organization.   A cloud service offering without an existing FedRAMP ATO or a cloud service offering with a FedRAMP ATO (consider StateRAMP Fast Track).     Figure 2 below outlines the StateRAMP submission path without a prior FedRAMP authorization.

Figure 2 – StateRAMP Workflow (no FedRAMP ATO)

StateRAMP Fast Track? (Leveraged FedRAMP)

For those CSP’s that have an existing FedRAMP ATO – good news!  You can leverage your existing FedRAMP ATO with the StateRAMP Program but will need to undergo a review and negotiate terms for the reciprocity terms.  See Figure 3 below outlines the engagement lifecycle for the FedRAMP Fast Track program.

Figure 3 - StateRAMP Workflow (existing FedRAMP ATO)

StateRAMP Marketplace (CSP system status)

StateRAMP does have a cloud marketplace that is conceptually similar to the FedRAMP marketplace.  However, the StateRAMP marketplace designations vary significantly from each other.  The StateRAMP marketplace is found through the StateRAMP hosted Authorized Vendor List (AVL).  The AVL designations are further outlined below;

Progressing Offerings

  • Active: is working towards StateRAMP Ready
  • In Process: is working towards StateRAMP Authorized
  • Pending: has submitted a security package to the StateRAMP Program Management Office (PMO) and is awaiting a determination for a verified status

Verified Offerings

StateRAMP recognizes offerings in the process of working toward a verified offering. To be listed in progress, the provider must be engaged with a 3PAO for an independent audit.

  • Ready: meets minimum StateRAMP requirements
  • Provisional: exceeds minimum requirements and includes a government sponsor
  • Authorized: satisfies all requirements and includes a government sponsor

Is StateRAMP here to stay?

The question we hear most from CSP”s about StateRAMP is around state level reciprocity. If we undergo StateRAMP evaluations, will other states accept it.  Interesting update to the program in terms of state interaction.  In fact, most recently StateRAMP PMO posted that at least 10 states and local municipalities are working with StateRAMP to validate cybersecurity posture of their third-party suppliers. That’s approximately 20% of US states/municipalities are actively participating in the program with many more discussions underway.  

“StateRAMP PMO has announced that at least 10 State and Local municipalities are work with StateRAMP PMO for third-party suppliers.  That’s 20% and growing in terms of a US footprint”

I remember a similar question being asked when the FedRAMP program started over 10 years ago.  Time will tell on the adoption but should be closely considered especially if you’re seeing the indicators from a business side and have the respective business pipeline.

Making the Business Case?

In the eyes of the cloud service provider, embracing cyber/regulatory requirements by industry is a hard reality.  In many cases, the sales proposition is over before it started.  If you don’t have regulatory authorizations for your cloud service offering, you won’t be considered.    

First point, make sure your organization is committed to expanding into State and Local governments.  This doesn’t happen overnight and the sales cycles can be long (similar to Federal Government), the organization must be committed.    If you already are, do you have a sales pipeline that represents at least a 5-10x pipeline multiple for the necessary investment in StateRAMP (or FedRAMP via StateRAMP Fast Track)?    

Lets assume you can check those boxes, fastest path to a StateRAMP authorization is leveraging an existing FedRAMP ATO (if appliable).   Leverage the StateRAMP FastTrack program and as outlined in Figure 3 above, this will ensure the most reciprocity from your initial investment to StateRAMP.  If you don’t have an existing FedRAMP authorization and but the business need still exists, Figure 2 process flow will apply.  You will need to undergo a full StateRAMP 3PAO assessment process similar to FedRAMP.

Lastly, having additional regulatory approvals/authorizations will open doors into the government marketplace.  Cloud service providers pursuing State and Local government business should consider StateRAMP as a possible option, assuming the right organizational commitment is there and you see the business requirements flowing down via State and Local solicitations.