
StateRAMP Fast Track: How to Speed Up Authorization
Governmental cybersecurity is largely focused on federal government agencies. When we talk about FedRAMP, CMMC, DFARS, and other security standards, it’s almost always with an eye toward the governmental agencies and departments that comprise the federal government and the contractors and suppliers that work with them.
For private businesses and non-governmental partners, ISO 27001 provides a great security framework. What about the middle ground, though? In the United States, we have 50 different states, each with their own governments. FedRAMP and other federal security programs don’t work with state governments, which means states need to find a way to secure themselves.
Unfortunately, state governments are often left to their own devices. There are some areas where leaving decisions up to the states isn’t a bad thing, but when it comes to critical infrastructure and governmental information, leaving security standards up to the states is a crisis.
Some states introduce constant streams of legislation to try to bolster and improve their information security and cybersecurity postures. Others wait for other states to do it first and, once it’s refined, just steal and implement the ideas. Still others just ignore the problem until it becomes an immediate threat. Hundreds of state-level bills are introduced every year to set up standards and regulations for state and lower-level governmental agencies and the contractors they work with.
This is often a very difficult situation for CSPs. If you want to work with one state government, that’s fine; you can generally learn the rules, establish a secure posture, and be fine. The specific details might not be the same as they would be for another state, for ISO 27001, or for federal work, but a high enough standard will likely do the job.
If you want to work with many different state governments, though, that’s when things get tricky. Different states can have very different rules. Some demand security in places others don’t, some demand different forms of documentation even for the same things, and it all can be very messy.
FedRAMP was invented as a way to create a centralized, single point of authority for security rules for federal government contractors handling controlled unclassified information. Do 50 different states need to make their own? Should we expect CaliRAMP and MaineRAMP and TexRAMP? Well, not quite.
What is StateRAMP?
StateRAMP is the solution.
Simply going off of the names, you might assume that StateRAMP and FedRAMP are essentially identical, save for the set of government agencies and contractors they work with. The truth is, they’re similar but not quite the same.
StateRAMP is an organization founded with the goal of becoming the FedRAMP for the states. It also works beyond just state governments and will provide similar services to local county and city governments, as well as educational institutions like universities and school systems.
The biggest difference is that while FedRAMP is a federal program run by the Office of Management and Budget, StateRAMP is managed by a non-governmental organization, a nonprofit also named StateRAMP.
In terms of format and functionality, StateRAMP, like FedRAMP, bases its standards on NIST SP 800-53. They also authorize third-party assessment organizations to provide audits and validation of the security of cloud service providers looking to work with StateRAMP-covered entities.
StateRAMP has a very similar layout for security controls across impact levels, but the specific sets of controls vary slightly. StateRAMP is also slightly less stringent than FedRAMP, reflecting the “lower stakes” nature of their clients.
You can read more into the details of what StateRAMP is and how it differs from FedRAMP in our guide here.
If there’s a downside to StateRAMP, it’s that it hasn’t been adopted by all 50 states yet. Currently, only 29 states, as well as a variety of local and educational entities, have signed on. As it grows more and more established, however, you can expect broader adoption.
What is the StateRAMP Fast Track Process?
One of the biggest downsides to StateRAMP is the sheer volume that it has to handle. The country is full of small businesses that would love to work with their local or state governments, and which need to achieve StateRAMP authorization. The process can take months of work to complete.
The StateRAMP Fast Track process is a sped-up version of the process for CSPs that have already passed the FedRAMP process and achieved their ATOs. It’s a way to speed up and bypass a lot of the tedium, under the assumption that StateRAMP is based on the same security controls and the same foundation as FedRAMP.
What Do You Need to Do to Fast Track StateRAMP Authorization?
To understand what goes into the StateRAMP fast track process, it’s worth understanding the normal process as well, so you can see what is cut out and what varies.
The Normal StateRAMP Process
The standard process to achieve authorization under StateRAMP looks like this.
Join the program as a member.
All cloud service providers seeking StateRAMP authorization must be members of the StateRAMP ecosystem. Membership requires annual dues and processing fees. For businesses at a million dollars of annual revenue or less, it’s $500 plus fees per year. For businesses above that, it’s $1,000.
Submit a request for a security snapshot. (Optional)
A security snapshot is a moment-in-time analysis of your current security posture. It’s meant as a baseline you can use to perform a gap analysis and determine what you need to do to go from where you are to where you need to be. You can do this on your own, though, so this step is optional. StateRAMP’s snapshot service costs $500 for businesses under $1m in annual revenue, $1,000 for businesses up to $5m in revenue, and $1,500 for businesses above that tier.
Determine your impact level.
StateRAMP and FedRAMP impact levels map roughly one to one on each other. The difference is that FedRAMP only has Low, Moderate, and High. StateRAMP has Low, Low+, Moderate, and High.
Engage a 3PAO.
Much like with FedRAMP, you need an authorized 3PAO to provide auditing and assessment to validate your security posture throughout and at the end of the process. The 3PAO’s report is what the StateRAMP program management office evaluates to determine whether or not you pass. Also, like FedRAMP, StateRAMP maintains a list of authorized 3PAOs here.
Complete a documentation review request.
The meat of the process is to improve your security to the standards set forth by the impact level and relevant NIST SP 800-53 security controls. When that is done, you gather documentation to verify it all, compile it into a security assessment report, and send that to the StateRAMP program management office. However, you can’t just send this in unsolicited; you need to complete a review request form and pay the review fee.
Gain government sponsorship or committee approval.
If you want full StateRAMP authorization, you need to have a government official approve your security package. You can get approval on your own with a government entity you want to work with, or you can work with the StateRAMP approvals committee. This committee is a group of state and local government representatives and can choose to sponsor you on their behalf.
Obtain verified authorization status.
Once you have all of your ducks in a row (your government sponsor, your 3PAO attestation, and all of your fees paid), the program management office can verify that you have met all of the requirements along the way. Once that has been done, your status will be updated to authorized on the official lists, and you will be ready to work with your sponsoring agency. Final fees are also due at this point; they range from $1,500 to $7,500, depending on annual revenue.
Begin continuous monitoring.
As we so often mention, security is a constantly moving target. Continuous monitoring is a critical part of remaining secure on an ongoing basis, and is required to maintain your authorization.
Overall, this is an eight-step process, and you can easily see how a lot of it could be duplicated work if you’ve already achieved an authority to operate with FedRAMP.
The Fast Track StateRAMP Process
Fast tracking the StateRAMP process prunes out several steps, under the assumption that if you have achieved a full authority to operate with FedRAMP, you’ll have achieved pretty much everything you need for the equivalent StateRAMP authorization.
Become a member.
Just like the normal process, you need to be a member of StateRAMP in order to achieve authorization under the program.
Engage the StateRAMP program management office.
Unlike the normal process, where you need to engage a 3PAO, the assumption here is that you already have one. So, instead, you will need to complete a security review request form and engage the StateRAMP program management office directly.
Complete your documentation.
Similar to the normal process, you will need a packet of your documentation to submit to the program management office. Unlike the normal process, you probably already have this work done and just need to compile it along the StateRAMP guidelines rather than the FedRAMP guidelines. It is, comparatively, very little work.
Undergo the PMO review.
You have your security posture and you have your connection with the program management office; all you need is for the office to review your security. There’s generally no reason you should fail this if you’ve passed the FedRAMP audit, so it should go smoothly.
Implement continuous monitoring.
However, “implement” isn’t quite accurate. Since you already need continuous monitoring in place for FedRAMP, you will have this done; you just need to keep up with submitting documentation to StateRAMP as well as FedRAMP.
Common Questions About the StateRAMP Fast Track Process
There are a few common questions that come up with the StateRAMP fast track.
One potential issue arises if you have information or POA&M items that are restricted and not allowed to be shared with third parties, since that leaves a gap in your documentation. How can you handle this? Generally, the PMO will simply make a decision based on the available information and circumstances. Sometimes it means you aren’t allowed to work with entities other than the federal agencies that approve you. Other times, it’s fine, or you may need special security information. They handle it on a case-by-case basis.
Sometimes, a CSP might wonder if they can use their federal government agency as a sponsor for their StateRAMP approval. Unfortunately, this doesn’t work because your sponsoring agency needs to be part of the StateRAMP program; by definition, federal agencies are not.
You may also wonder if there’s a discount for going through the fast track process rather than the regular process. The answer here is no, but also kind of yes. There are no discounts for the fees and membership dues. However, since you don’t need to pay an additional 3PAO fee or for snapshots, you save that money.
Is StateRAMP worth it? That depends on what you’re looking to get out of government contracts and who you want to work with. Generally speaking, as long as you’re simply broadening your potential customer base, improving your security, and aren’t compromising on other standards, it’s a good option. If you’re in a state that doesn’t currently work with StateRAMP, though, it might not be worthwhile.
We can help, whether you’re looking to go through the normal StateRAMP process or the fast track process. The Ignyte Platform was designed to be a system-agnostic, collaborative platform where documentation, artifacts, and proof of security controls can be stored and easily pulled for reports.
If you’re curious whether or not the Ignyte platform will work for you, feel free to drop us a line; we’re more than happy to talk about it. You can also simply book a demo and talk to us in a dedicated meeting about your needs, and what we can do for you. We know our way around FedRAMP, and we can definitely help with StateRAMP if you’re aiming for small government agencies as well. Let us know!
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/stateramp-fast-track-authorization/