Security is of utmost importance to government agencies because they have access to the sensitive information of millions of people. To ensure this information stays private, StateRAMP (State Risk and Authorization Management Program) offers several guidelines to help.
StateRAMP is a nonprofit launched in 2021 and modeled after FedRAMP, a government-wide program that promotes secure cloud usage across the Federal government. State and local governments created StateRAMP to extend this authorization to the relationships between cloud service providers (CSPs) and state and local governments to improve cybersecurity posture. As an independent nonprofit organization, StateRAMP has created a process for continuous cybersecurity improvement to efficiently and cost-effectively verify the cybersecurity of cloud service providers.
A main initiative is evaluating the data security capabilities of cloud solution providers that sell to state and local governments. StateRAMP ensures CSPs meet minimum security requirements and helps them obtain verification and achieve certification. These verification statuses were created by StateRAMP and must be certified by a third party. To simplify this certification process, StateRAMP has introduced “Security Snapshot.”
Hurdles to Attaining StateRAMP Verification
StateRAMP has had an Authorized Product List since 2021, updated at the end of every business day. This list comprises verified providers who meet the minimum security requirements and provide an independent audit conducted by a Third Party Assessment Organization (3PAO). StateRAMP recognizes three verified statuses:
- Ready: The product meets minimum requirements.
- Provisional: The product exceeds minimum requirements and has a government sponsor.
- Authorized: The product satisfies all requirements and has a government sponsor.
There are 38 cloud service offerings (CSOs), 4 local government agencies, 2 universities and 17 states that are qualified in the above three tiers.
A Simpler Future with Security Snapshot
After StateRAMP’s verification process was introduced, providers had several questions. For some CSPs, it wasn’t easy to know if they could achieve a StateRAMP-Ready approval. The fear of being left with a poor, public StateRAMP score made CSPs anxious about starting the approval process. Many agencies were unsure if they were making progress in the right direction. To combat this, StateRAMP released a new solution in early January 2023: the “Security Snapshot.”
Security Snapshot provides detailed information on how companies can get StateRAMP-certified. The snapshot offers a preliminary numerical score that CSPs can share with prospective government clients, which will not appear on the CSP’s record.
This resource acts as an early-stage security maturity assessment tool for cloud products. The intent of the service is to provide a first step toward achieving StateRAMP security status. The criteria are designed to help agencies validate minimum requirements and provide controls and additional benchmarks that would further aid in certification.
The Security Snapshot also helps providers gain quality insight into security postures and third-party cloud solutions such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products. Ultimately, it provides insights for providers and the government branches they serve.
With the introduction of Security Snapshot, CSPs can ease their concerns, knowing they will receive detailed, personalized support to help them qualify for StateRAMP’s verification.
For more information on StateRAMP’s security approach, visit our StateRAMP resource hub and watch our Carahsoft briefing at carah.io/StateRAMP.