The Federal Risk and Authorization Management Program, better known as FedRAMP, is a Federal government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services. StateRAMP, established roughly a decade later, shares a similar vision: to help state and local governments (SLG) clear cybersecurity hurdles and to standardize the procurement approach for secure cloud services.

Because both programs aim at the same result, one might expect their approaches to helping government organizations to run in parallel.

However, FedRAMP's rules for its security documentation, which leave state and local agencies without authorization to access that documentation directly, present difficulties for SLGs pursuing StateRAMP compliance, along with opportunities for workarounds.

During a GCN-organized event on March 7, StateRAMP Director Leah McGrath and Brian Conrad, FedRAMP's acting director, along with Chris Teale from GCN, tackled these and other security issues in a webinar entitled Leveraging our Differences: StateRAMP and FedRAMP.

FedRAMP was established in 2011. Then in 2020, in an effort to adopt many of FedRAMP's best practices, StateRAMP was founded.

Moderator Teale opened the session by commenting on how governments at all levels are top targets for malicious actors. "Cybersecurity is a critical focus on the minds of every technology leader. Still, the path to cybersecurity remains different at each level of government," he said.

Teale sat down with the two program leaders to better understand their similarities, differences, and how they leverage these realities to better inform their work.

Trying to modernize public sector technology while keeping up with cybersecurity threats can feel overwhelming. Governments want to take advantage of the power and flexibility of innovations in areas like cloud computing, but at the same time limited resources make vetting new vendors a strain.

Hence the two RAMP programs. Both are good news: frameworks like StateRAMP and FedRAMP streamline cloud service procurement, and government organizations gain more assurance over their cybersecurity by choosing from vetted vendors.

One rub, however: FedRAMP does not allow anyone outside the Federal government to access its secure portal, according to StateRAMP's McGrath.

If states require a FedRAMP authorization of their cloud vendors, they do so without visibility into the FedRAMP documentation or the associated continuous monitoring reporting. Further, requiring FedRAMP for state or local government work significantly narrows the pool of potential cloud service suppliers, because of the limitations and requirements involved in becoming FedRAMP authorized. Those requirements include, McGrath said, having a Federal contract or sponsor.

StateRAMP's rather nifty alternative is to leave the decision on document sharing to the provider, who can grant SLG officials access to view the provider's security documentation and reporting. StateRAMP's centralized program management office and technology platform are what let providers give governments access to StateRAMP's secure portal, McGrath said.

Given the alignment between FedRAMP and StateRAMP requirements, StateRAMP has a fast-track process for providers who already hold a FedRAMP status or who have completed a FedRAMP audit (a Readiness Assessment Report or Security Assessment Report, RAR/SAR), so that providers can avoid duplicating work and submit to StateRAMP the same package and audit they submitted to FedRAMP. The FedRAMP PMO has stated that this sharing of provider documents is permitted, according to McGrath.

Consequently, providers need not worry about "reinventing the wheel" when applying for StateRAMP authorization on top of an existing FedRAMP authorization, and the SLGs that rely on them get documentation they can actually see.

Frankly, it’s nice to see intergovernmental cooperation which in some areas, unfortunately, can be rather rare.

John Thomas Flynn
John Thomas Flynn serves as a senior advisor for government programs at MeriTalk. He was the first CIO for both the State of California and the Commonwealth of Massachusetts, and was president of NASCIO.