Is StateRAMP for You? Here Are a Few Facts Worth Knowing

If you’re a cloud software vendor who wants to sell — or has already sold — to federal government agencies, it’s likely that you’re already aware of FedRAMP compliance. But cyberattacks aren’t just limited to the federal government.  

With more people working from home and moving to the cloud now than ever before, news of attacks on state and local governments seem to be a common occurrence these days. Previously, there wasn’t a clear, standardized approach to the cybersecurity standards required from cloud software providers offering solutions to state and local governments. But all that may change with the introduction of StateRAMP.  

Founded in early 2020, a non-profit organization called StateRAMP was formed to bring states together and create a common method to verify security and manage risk from third-party solutions. While StateRAMP is just getting off the ground, it’s worth understanding it if you’re interested in selling to state and local governments or if you’re already certified for FedRAMP.  

In a nutshell, the StateRAMP organization brings together state & local governments, cloud service providers, and assessment organizations to reduce risk by standardizing an approach for verifying and monitoring security postures. 

It turns out that FedRAMP has blazed the trail for StateRAMP, as many of the processes and procedures mirror that of FedRAMP. In fact, both adhere to the complex controls outlined in the NIST SP 800-53 Revision 4 addressing all major known security risks for information systems and cloud systems.  

If your cloud software is FedRAMP Moderate certified today, then you’re in good shape to be at StateRAMP Category 3. You can use your FedRAMP ATO to achieve StateRAMP reciprocity, but additional items need to be submitted to the StateRAMP PMO. You’ll also need to become a member of StateRAMP by paying an annual fee in addition to the other fees associated with becoming and remaining StateRAMP authorization. And of course, a StateRAMP certified 3PAO will need to conduct an official assessment when you’re ready.  

Remember, for those software vendors who have achieved FedRAMP compliance but have not yet secured a federal agency sponsor, the StateRAMP reciprocity can allow a state agency to sponsor you.  

For more frequently asked questions and answers, check out StateRAMP’s FAQ page. 

Anitian can help get you ready.  

The longest and most grueling part of the FedRAMP (and/or StateRAMP) processes is getting ready for the audit by the 3PAO. Taking a do-it-yourself or consulting services approach typically takes 18-24 months to prepare, design, build, configure, and document all the components needed to pass a FedRAMP (or StateRAMP) audit and achieve your Authority to Operate (ATO) for your cloud application in AWS or Azure. The costs can be surprising as well, rising near $2M for many implementations.  

That’s where Anitian comes in.  

The Anitian Compliance Automation Platform can have you FedRAMP and StateRAMP audit-ready in 60 days – and at half the cost – by leveraging a complete, pre-engineered cloud security environment that runs in your AWS or Azure account. The Anitian platform wraps around an application in hours to make existing or new cloud applications secure and compliant in days, rather than months or years. Ready to get started? Schedule a demo with the Anitian team today.