In this month’s Committee Corner, we’re excited to feature Siddique Chaudhry, Sr. Manager of Global Public Sector Compliance at Snowflake and a dedicated advisor on the StateRAMP Standards & Technical Committee. With over a decade of experience in federal compliance frameworks like NIST 800-53, FISMA, and FedRAMP, Siddique has been instrumental in guiding compliance efforts that impact both public and private sector cybersecurity. His work with the CJIS-Aligned Task Force and on developing Rev. 5 compliance guidance showcases his commitment to strengthening cybersecurity standards across the board. In this spotlight, Siddique shares the benefits of joining a StateRAMP committee, the rewarding experiences he’s had so far, and his vision for the committee’s impact on the evolving landscape of cybersecurity.

____________________________________________________________________________________________________________________

Please provide a quote about your experience so far as a committee member.

I have found working with the Standards & Technical Committee to be incredibly rewarding. Bringing together compliance leaders to streamline processes has been inspiring. I’m proud to be part of a group that’s making compliance more efficient and comprehensive. Opportunities such as contributing to the CJIS-Aligned Task Force have been invaluable, creating real impact for the broader cybersecurity community. 

 

What skills and experience do you bring to your committee? 

In addition to my expertise with NIST 800-53, FISMA, and FedRAMP, I bring over a decade of experience in federal compliance frameworks. My background includes leading a Cloud Service Provider from its early stages to becoming an enterprise-level organization, achieving multiple authorizations across FedRAMP, IRAP, and DoD IL4. 

 

What benefits have you seen since joining your committee? 

As a member of the committee, I have been given the opportunity to provide feedback on new guidance before it’s released to the public, which has been an invaluable learning experience. I’ve also been invited to conferences where I’ve met other industry leaders dedicated to advancing cybersecurity standards. Collaboration and access to emerging insights have been incredibly rewarding.

 

What impact has your committee had on StateRAMP and/or the cybersecurity community? 

Our committee has made significant contributions, including creating and developing guidance on how specific Rev 5 controls apply to StateRAMP baselines. These efforts have made it easier for organizations to align with compliance requirements, ultimately strengthening cybersecurity practices across the board. 

 

In what ways do you envision your committee contributing to the community in the future? 

Looking ahead, I envision the Standards & Technical committee continuing to provide timely guidance as compliance evolves—especially as emerging areas like AI begin to shape the landscape. Our goal is to ensure that both private and public sector StateRAMP members have access to the latest standards and practical resources, helping them stay ahead in a rapidly changing field. 

 

What advice would you share with someone interested in joining a committee with StateRAMP? 

I would encourage anyone interested in learning more about StateRAMP governance to join webinars, attend conferences, and meet the StateRAMP Program Management Office (PMO) team. The staff is very welcoming and ready to help you throughout the application and engagement process. With the growth of the program, I believe there will be even more opportunities for participation, which makes it the ideal time to get involved. 

 

What has been the most memorable or rewarding moment you have experienced working with the committee so far? 

The official publication of the Rev. 5 templates and resources was one of the most rewarding experiences. As we watched our committee’s feedback be incorporated into the final documents, we saw the tangible effects of our efforts, demonstrating our commitment to improving compliance standards. 

The post Committee Corner: Meet Siddique Chaudhry appeared first on StateRAMP.

As digital infrastructures become increasingly interconnected, compliance has emerged as a critical pillar of effective cybersecurity. For government agencies responsible for protecting sensitive data and ensuring reliable services, verifying compliance among third-party vendors is essential. Vendor vetting isn’t simply about meeting regulatory standards; it’s about actively mitigating risks that could impact citizens, disrupt operations, and compromise public trust. 

Why Vendor Compliance Matters 

When governments rely on vendors for cloud services, software, and other digital resources, they also inherit potential risks that can be challenging to manage. The rise in supply chain attacks has shown that cybercriminals often target third-party providers to gain access to sensitive government data. Weak vendor security practices can create vulnerabilities across the network, placing government systems at risk. 

The consequences of working with non-compliant vendors are severe: financial losses, reputational damage, and operational disruptions are just a few risks stemming from cybersecurity incidents. To address this, agencies should prioritize vendor compliance as a core component of their cybersecurity strategy. 

The Role of Standards Like NIST and StateRAMP

Compliance standards provide a critical foundation for secure, consistent practices across vendors. Frameworks like NIST, which is the foundation of StateRAMP’s security program, offer a structured approach to managing vendor risk, helping agencies make more confident decisions when selecting partners. By aligning with widely recognized standards, StateRAMP enables state and local governments to implement effective and scalable compliance practices. 

Common Compliance Challenges for Vendors and Agencies 

1. Complexity Across Standards
   Each compliance framework has unique requirements, which can make it difficult for vendors to keep up. Agencies face the time-consuming task of verifying each vendor’s adherence to these standards.
2. Resource Limitations
   Smaller vendors may struggle to allocate the resources necessary to meet cybersecurity requirements, and Agencies lack the personnel or technology to continuously monitor vendor compliance.
3. Continuous Compliance Requirements
   Initial compliance is only the beginning; maintaining it is critical. Without regular monitoring, agencies remain vulnerable as threats evolve and vendor compliance statuses shift.

How StateRAMP Supports Compliance and Accountability 

StateRAMP provides a streamlined process that supports vendors in meeting high cybersecurity standards while easing the verification burden for agencies.
Built on the NIST framework, StateRAMP’s model ensures that vendors not only achieve but maintain compliance through: 

• Baseline Security Controls – Defined security requirements that vendors must meet to ensure comprehensive protection. 

• Independent Verification – Third-party assessments that provide objective compliance verification, promoting transparency. 

• Ongoing Monitoring – Continuous checks to ensure compliance remains current and adaptable to emerging threats. 

Through the StateRAMP Authorized Product List (APL), agencies can quickly identify vendors that meet established security requirements, reducing risk and saving time—allowing focus on mission-critical operations rather than administrative compliance tasks. 

The Strategic Value of Compliance in Vendor Relationships 

Strong vendor compliance is essential for protecting citizen data and ensuring consistent service delivery. More than just a regulatory requirement, compliance is the foundation of trust and security in vendor relationships. 

StateRAMP’s framework provides government agencies with the tools to incorporate consistent standards into their cybersecurity and procurement processes. By taking a proactive approach to vendor vetting and compliance, agencies can more effectively manage cybersecurity risks and contribute to a safer digital environment. 

Join us in prioritizing secure, compliant vendor relationships. Learn more about how StateRAMP can help your agency achieve peace of mind through standardized cybersecurity practices. 

 

The post The Role of Compliance in Vendor Vetting: Why It’s More Than a Checkbox appeared first on StateRAMP.

StateRAMP had the pleasure to host our strategic partner and newest member benefit, RAMPxchange for an informative webinar, Breaking Barriers: Simplifying Cybersecurity Procurement Through RAMPxchange. In this webinar we discussed how RAMPxchange is helping public and private sector members streamline cybersecurity procurement. For those who couldn’t attend or want a concise recap, here’s an overview of the key takeaways.

 

Addressing Critical Procurement Needs 

StateRAMP’s Executive Director, Leah McGrath, opened the webinar by discussing the ongoing challenges that members face when navigating the cybersecurity landscape. Both public sector procurement teams and private sector providers have expressed the need for a more efficient way to connect with trusted vendors and to manage cybersecurity procurement. RAMPxchange, a new marketplace spearheaded by StateRAMP and Knowledge Services, was developed in response to these needs. 

“We knew there had to be a better way to connect faster and more securely. RAMPxchange will benefit StateRAMP members by improving the entire procurement process.” – Leah McGrath

 

What is RAMPxchange? 

Kyle McGrath, Managing Director of RAMPxchange, provided a detailed introduction to the platform. RAMPxchange is an online marketplace created to help organizations — from small businesses, large enterprises, and public sector entities — procure cybersecurity products and services efficiently and securely while meeting industry compliance standards. It connects buyers with trusted, verified vendors while simplifying the often complex procurement process through advisory services, standardized templates, and post-award management tools. 

The platform allows users to: 

• Access a verified network of cybersecurity providers 

• Manage the entire procurement lifecycle, from identifying needs and awarding contracts to overseeing project milestones and managing finances, all within one platform. 

• Benefit from a dedicated advisor team that offers guidance on cybersecurity compliance and procurement strategies 

“RAMPxchange isn’t just another marketplace—it’s a complete ecosystem for managing cybersecurity procurement and vendor relationships.” – Kyle McGrath

 

Tailored Benefits for StateRAMP Members 

One of the highlights of the webinar was the announcement of special benefits available exclusively to StateRAMP members. All StateRAMP members can enjoy waived fees on RAMPxchange through May 2026, allowing them to explore the platform and its tools at no cost. 

StateRAMP members can now: 

• Test RAMPxchange’s features before annual fees may apply 

• Access a trusted network of cybersecurity suppliers 

• Simplify vendor selection and procurement processes 

• Leverage advisory support for strategic cybersecurity planning 

For those ready to explore RAMPxchange, you can register for a demo or the marketplace here.

 

Complementary Tools to Enhance Procurement Efficiency 

In addition to RAMPxchange, StateRAMP offers several resources to help members navigate cybersecurity procurement more effectively. A key tool discussed during the webinar is the Procurement Cloud Security Resource Tool, developed in collaboration with NASPO. This tool is designed to standardize and streamline the procurement process, ensuring that members are equipped to meet cybersecurity requirements across different levels of government. 

Learn more about the Procurement Cloud Security Resource Tool here.

 

How RAMPxchange Fits into StateRAMP’s Mission 

Throughout the webinar, Leah McGrath emphasized how RAMPxchange aligns with StateRAMP’s mission to drive better cybersecurity outcomes beyond just compliance. The platform helps members not only meet regulatory requirements but also improve their cybersecurity posture through strategic planning and vendor support. 

“RAMPxchange helps connect our members with providers who are verified, trusted, and ready to help them meet their cybersecurity goals—whether they’re just getting started or looking to enhance their existing security measures.” – Leah McGrath 

For those who are interested in joining StateRAMP, you can learn more about membership here.

 

Watch the Webinar and Access Resources 

If you missed the webinar, a recording and presentation slides are available for download. We encourage all members to explore these materials and reach out with any questions. These resources offer additional insights into how RAMPxchange and other tools can benefit your organization. 

• Watch the Webinar Recording 
• Download the Webinar Presentation Slides

Final Thoughts 

As RAMPxchange continues to evolve, StateRAMP invites its members to take advantage of this new member benefit and share feedback. The platform is a significant step forward in simplifying cybersecurity procurement, and we look forward to seeing how it will help our members achieve their security goals. 

For more information or to schedule a demo with an advisor, visit the RAMPxchange website. 

The post Simplifying Cybersecurity Procurement with RAMPxchange: Webinar Recap appeared first on StateRAMP.

Driving Innovation and Leadership in Cybersecurity and Compliance 

October 22, 2024 – Indianapolis, IN – StateRAMP is proud to announce A-LIGN as its first Champion member, demonstrating A-LIGN’s deep commitment to advancing strong cybersecurity programs for states, local government, education institutions and the vendors who serve them. A-LIGN’s expertise guiding organizations through the complexities of cybersecurity and compliance   will help mature secure cloud and digital adoption. 

A-LIGN, an accredited FedRAMP Third Party Assessment Organization (3PAO) was among the first 3PAOs to register as a StateRAMP Assessor. A-LIGN delivers tailored security and compliance solutions across multiple frameworks including SOC 2, ISO 27001, CMC, and more to ensure organizations can meet their cybersecurity goals efficiently. With a track record serving over 4,000 organizations globally, A-LIGN’s expertise is well-aligned with StateRAMP’s mission of maturing security practices in the public sector. 

Leah McGrath, Executive Director of StateRAMP, said, “A-LIGN’s role as our first Champion member is a significant milestone for StateRAMP. Their pioneering leadership and strategic vision will be invaluable in growing the cyber posture of the supply chain serving our public sector today, enabling more rapid adoption of innovation and secure digital environments. A-LIGN’s holistic approach to cybersecurity will help further our mission to secure and protect citizen data and our critical infrastructure.” 

As a Champion member, A-LIGN will offer thought leadership in educational initiatives, and advise on best practices and trends in cybersecurity. This commitment to collaboration ensures that both the public and private sectors benefit from A-LIGN’s insights and leadership. 

 “A-LIGN is honored to lead the charge in fortifying cybersecurity frameworks as StateRAMP’s first Champion Member,” said Petar Besalev, EVP of Cybersecurity & Compliance at A-LIGN. “Together with StateRAMP, we are dedicated to delivering quality compliance and putting cybersecurity at the forefront of operations for state and local governments, educational institutions, and more. Our joint commitment ensures a more secure future in cloud and digital services.” 

For more information about StateRAMP and our Champion membership benefits, visit https://stateramp.org/register/.

About StateRAMP 

Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to states, local governments, K12 schools and higher education. StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of government officials, service providers offering IaaS, PaaS, and/or SaaS solutions, and third-party assessment organizations. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape and critical infrastructure a safer, more secure place.

About A-LIGN 

A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and HITRUST and a top three FedRAMP assessor. For more information, visit a-lign.com. 

The post StateRAMP Welcomes A-LIGN as First Champion Member appeared first on StateRAMP.

In this month’s Committee Corner, we’re proud to introduce Mase Izadjoo, Chief Information Security Officer at Earthling Security and a valued member of the StateRAMP Approvals Committee. With over 25 years of experience in cybersecurity, including roles as Director of FedRAMP & Assurance Services at Coalfire and Information Security Manager at Exeter Government Services, Mase brings a wealth of knowledge to the committee. His expertise in 3PAO assessments, FedRAMP compliance, and vulnerability management has been instrumental in advancing StateRAMP’s mission to improve cybersecurity standards. In this interview, Mase shares insights into his professional journey, the advantages of participating in a StateRAMP committee, and his experiences within the cybersecurity community. 

____________________________________________________________________________________________________________________

How long have you been involved with StateRAMP? 

I’ve been involved with StateRAMP since its beginning, watching it grow from an idea into a vital platform for improving cybersecurity in state and local governments. It’s been rewarding to contribute to its mission and see its impact evolve over time. One of the challenges StateRAMP initially faced was getting buy-in from various stakeholders, including government agencies and cloud service providers, who were hesitant to adopt new standards. Additionally, establishing a comprehensive framework that could adapt to the diverse needs of different states required significant coordination and collaboration. Overcoming these hurdles was crucial to building trust and demonstrating the value of enhanced cybersecurity protocols. 

Please provide a quote about your experience so far as a committee member. 

“Being part of the StateRAMP mission has been truly exciting and rewarding. I have watched the program mature into something robust that will help drive security at the state and local government levels.” 

What skills and experience do you bring to your committee? 

With over 25 years’ experience as a cybersecurity professional and former government contractor, I bring a deep understanding of the challenges and opportunities in this space. My background includes working at NIST’s National Vulnerability Database (NVD), where my team played a key role in scoring critical vulnerabilities like Heartbleed and Shellshock CVEs. Additionally, as the CISO at Earthling Security for the past three years, I’ve led efforts to help companies navigate the complexities of 3PAO assessments and FedRAMP compliance. This experience has given me unique insights into vulnerability management and the importance of establishing strong cybersecurity frameworks, all of which I now apply in my work with StateRAMP. 

The post Committee Corner: Meet Mase Izadjoo appeared first on StateRAMP.

As we enter Cybersecurity Awareness Month, it is a fitting time to reflect on the importance of evolving our security practices. While compliance remains a necessary component, the focus must expand beyond regulatory checklists to ensure that our organizations are truly secure in the face of an ever-changing threat landscape. 

At the recent StateRAMP Cyber Summit, Nick Leiserson from the Office of the National Cyber Director (ONCD) at the White House pointed out a crucial issue: the disconnect between compliance and defense. “Convincing Congress why framework harmonization matters are crucial,” he stated. “Not having harmony in cybersecurity frameworks weakens our collective security. We spend too much time focusing on compliance and not enough on actual cyber defense.” 

This observation highlights the need to prioritize framework harmonization—the alignment of security standards across different sectors and industries—to strengthen our collective cybersecurity efforts. 3

The Gap Between Compliance and Defense 

In today’s environment, many organizations are burdened by a complex web of compliance requirements. Whether adhering to federal, state, or sector-specific frameworks, the effort to meet multiple, sometimes conflicting, regulations can lead to inefficiencies and vulnerabilities. As a result, this may cause too much focus on individual compliance rather than addressing the broader security needs required to defend against modern cyber threats. 

While compliance frameworks such as NIST SP 800-53, ISO 27001, and FedRAMP each provide important security controls, their misalignment can lead to fragmented efforts, leaving gaps in security that sophisticated threat actors can exploit. 

The answer to this challenge lies in framework harmonization, a method of aligning these disparate standards into a unified approach that emphasizes both compliance and robust cyber defense. 

Framework Harmonization: A Unified Approach to Cybersecurity 

Framework harmonization simplifies cybersecurity efforts by integrating overlapping requirements and reducing the redundancies that create inefficiencies in security programs. By focusing on the shared objectives of various frameworks, organizations can streamline their efforts to ensure that all aspects of their security programs work in unison to protect against real-world threats. 

Key benefits of framework harmonization include: 

• Enhanced Efficiency: Harmonizing frameworks reduces the administrative burden of managing multiple, redundant requirements. This allows cybersecurity teams to dedicate more resources to monitoring, responding to, and mitigating active threats. 

• Comprehensive Security: When frameworks are aligned, there are fewer gaps between compliance and defense. This ensures that every security control is implemented not just for regulatory purposes but also to provide real-world protection against cyberattacks. 

• Improved Incident Response: A harmonized security framework allows for more effective and coordinated responses to security incidents. When organizations operate under a unified set of guidelines, responses to breaches or vulnerabilities are quicker and more efficient, minimizing damage and recovery times. 

NIST SP 800-53 Rev 5: A Key Step Toward Harmonization 

October 1, 2024, marked the full implementation of aligning the StateRAMP baseline requirements to NIST SP 800-53 Revision 5, an important milestone in the journey toward greater framework harmonization. Rev 5 integrates privacy and security into a single, cohesive approach, aligning its controls with other major frameworks, including FedRAMP and StateRAMP. 

The implementation of Rev 5 for StateRAMP is particularly important for organizations working with sensitive government data. It provides updated guidelines for managing privacy and security risks, emphasizing a more unified approach to compliance and defense. By aligning with StateRAMP, organizations can streamline their security efforts while ensuring they meet the highest standards of cybersecurity and privacy protection. 

Why Framework Harmonization Matters for Cybersecurity 

In a world where cyber threats are increasingly sophisticated and widespread, organizations cannot afford to rely solely on compliance to protect their systems and data. Framework harmonization allows for a stronger, more comprehensive defense by eliminating the silos created by multiple, disjointed frameworks. 

By prioritizing harmonization, organizations are better equipped to: 

• Defend against advanced threats with a cohesive security strategy. 

• Reduce redundancies and inefficiencies in their compliance efforts. 

• Enhance collaboration across teams responsible for security, risk management, and procurement. 

 

As we reflect on the purpose of Cybersecurity Awareness Month, harmonizing cybersecurity frameworks is not just about meeting regulatory requirements—it’s about improving our collective defense against evolving threats. Through initiatives like the StateRAMP CJIS-Aligned Task Force and others, we can continue working toward a future where compliance and security are integrated, operationalizing framework harmonization and ensuring that our organizations are prepared for the challenges ahead. 

StateRAMP’s Commitment to Framework Harmonization 

At StateRAMP, we are dedicated to supporting organizations as they navigate the complexities of security frameworks. Our resources, including the Procurement Cloud Security Resource Tool, provide government procurement professionals, IT teams, and risk managers with the tools they need to work together to prioritize cybersecurity at every stage of the procurement process. In addition, StateRAMP will soon launch an option that public and private sector leaders can leverage to harmonize StateRAMP requirements with the FBI CJIS policy requirements for a streamlined approach to better security and compliance. 

As we move through Cybersecurity Awareness Month, we encourage organizations to consider how harmonizing their cybersecurity frameworks can help them strengthen their defenses and safeguard their data. Watch our recent StateRAMP Cyber Summit session on Framework Harmonization and the National Cyber Strategy to learn more about how this approach can enhance your organization’s security posture. 

The post Building a Unified Cyber Future: Why Framework Harmonization Matters appeared first on StateRAMP.

As we reflect on the past quarter, StateRAMP has made significant strides in advancing cyber security for state and local governments. From hosting impactful events to launching new initiatives and tools, the third quarter marked a period of growth, collaboration, and innovation. Here are some of the highlights: 

State & Local CISO Symposium 

On September 11th, we partnered with the Center for Digital Government to host the 2024 State & Local CISO Symposium. This event brought together key CISOs from across the nation to discuss current challenges, trends, and best practices in safeguarding public sector cloud environments. 

Inaugural 2024 StateRAMP Cyber Summit 

On September 12th, we proudly hosted the first annual StateRAMP Cyber Summit, with presenting sponsor Carahsoft. With over 350 registrants, the event attracted a wide range of stakeholders from both the public and private sectors to explore emerging trends, the role of procurement in supply chain risk management, framework harmonization, and innovations in cloud security. Planning is already underway for the 2025 StateRAMP Cyber Summit. Watch your emails for a save the date soon! For a full recap of the 2024 StateRAMP Cyber Summit, check out our recent blog post here. 

Provider Leadership Council & 3PAO Member Meeting 

On September 13th, we convened a dedicated meeting for our industry and 3PAO members. This provided a platform for discussing progress, upcoming initiatives, and member insights that will shape StateRAMP’s future. 

Launch of the NASPO/StateRAMP Procurement Task Force and Cloud Security Resource Tool 

We partnered with our partner NASPO to launch the NASPO/StateRAMP Procurement Task Force, a collaborative initiative to streamline cloud security practices across procurement policies. As part of this initiative, we also released the Procurement Cloud Security Resource Tool, aimed at guiding state and local governments in aligning with StateRAMP standards when procuring cloud services. 

Website Updates 

This quarter saw the launch of significant updates to our website, including improved user navigation and refreshed branding. These enhancements were made to ensure a more seamless experience for our users and better access to our resources. 

Committee Nominations 

We closed nominations for several of our committees this quarter, providing opportunities for members to get more involved in shaping StateRAMP’s future and governance. 

Prime Members Bi-Annual Call 

We held our first Prime Members Bi-Annual Call, an important touchpoint for sharing updates, gathering feedback, and fostering stronger collaboration among our Prime Members. 

Launch of RAMPxchange 

We introduced RAMPxchange as a new member benefit, offering an exclusive platform for collaboration, resource sharing, and networking among StateRAMP members. This initiative is part of our ongoing commitment to enhancing member value and engagement. 

What’s Next? 

As we look ahead to the next quarter, we remain focused on our mission of fostering secure cloud adoption across the public sector. We are grateful for the support of our members, partners, and sponsors who continue to drive our shared success. 

In Q4, we have several exciting initiatives lined up: 

• Late October: A webinar with our legacy member RAMPxchange, introducing the platform’s benefits to our members and the rationale behind creating this solution. 

• Mid November: The first Bi-Annual Education Series Webinar (topic TBD), aimed at delivering educational insights and resources for our community. 

• Early December: A webinar with our partner NASPO discussing the Procurement Task Force and recent progress in advancing procurement practices. 

We’re also looking forward to the Q4 Provider Leadership Council & 3PAO Member Meeting on December 5, 2024. 

Stay tuned for more updates in the coming months as we continue to build on this momentum and provide valuable resources, events, and tools to support our community. 

The post StateRAMP’s Cloud Security Progress, Third Quarter In appeared first on StateRAMP.

Indianapolis, IN – (StateRAMP) – StateRAMP proudly concluded its inaugural Cyber Summit by announcing the recipients of the 2024 StateRAMP Founders Award. This award, established to honor visionary leaders who have significantly advanced cybersecurity standards and cloud security in state and local governments, was presented to StateRAMP Co-founders, Joe Bielawski, CEO of Knowledge Services, and J.R. Sloan, Chief Information Officer for the State of Arizona. 

Joe Bielawski was recognized for his pioneering work in modernizing state-level risk management. Through his leadership at Knowledge Services, Bielawski has played a key role in fostering collaboration between state agencies and private sector partners, elevating cybersecurity standards to safeguard public sector data and critical infrastructure. 

J.R. Sloan, serving as Arizona’s Chief Information Officer, was honored for his leadership in adopting cloud technologies in government while ensuring robust cybersecurity measures. Sloan’s work has been instrumental in driving innovative, secure solutions for the public sector, perfectly aligning with the mission of StateRAMP. 

“This award reflects the spirit and vision of those who made StateRAMP possible,” said Leah McGrath, Executive Director of StateRAMP. “Joe and J.R. exemplify the dedication, innovation, and collaboration that will continue to guide our work and support the public sector in managing cybersecurity risks effectively.” 

The Founders Award was curated by the StateRAMP Board of Directors to recognize individuals whose contributions have been foundational to the success and development of StateRAMP’s mission to protect government data through cybersecurity best practices. The award celebrates those whose leadership, collaboration, and dedication have helped to shape the organization’s vision and success. 

The award is designed to recognize significant contributions to advancing cloud security standards for state and local governments. 

For more information on the StateRAMP Founders Award and its 2024 recipients, visit the official Founders Award page. 

 

About StateRAMP 

Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

The post StateRAMP Concludes First Inaugural Cyber Summit by Recognizing 2024 Founders Award Winners appeared first on StateRAMP.

Industry leaders, cybersecurity experts, and government officials were front row to groundbreaking discussions at the 2024 inaugural StateRAMP Cyber Summit in Indianapolis. With over 300 attendees and 30 sponsors, the event set the stage for critical conversations around safeguarding our nation’s digital infrastructure. From eye-opening keynotes to collaborative sessions, the Summit delivered actionable insights and revealed innovative solutions that will shape the future of public sector cybersecurity.

We are incredibly grateful to all our sponsors, speakers, and attendees for contributing to this milestone event. Together, we are forging a more secure, resilient future.

 

Key Announcements at the Summit

This year’s Summit saw the launch of several key initiatives designed to support our members and the broader cybersecurity community:

• RAMPxchange Launch as Member Benefit: At the Summit, StateRAMP announced its partnership with RAMPxchange, a trusted marketplace designed to help cloud service providers (CSPs) find the specific services they need to improve their StateRAMP progressing snapshot score. While StateRAMP does not endorse one company over another, this partnership simplifies the process by offering access to a secure, reliable community. Whether you’re seeking specialized services to enhance your compliance or advance your security posture, RAMPxchange connects you with the right resources to support your StateRAMP journey. As a benefit, StateRAMP members will enjoy free access and waived fees until May 2026.
• Founders Award Winners: We recognized outstanding contributions to cybersecurity through the Founders Award, presented to StateRAMP co-founders, Joe Bielawski and J.R.Sloan, for their leadership and commitment to advancing StateRAMP’s mission.
• Procurement Cloud Security Resource Tool: Launched by the NASPO/StateRAMP Procurement Task Force, this new tool offers SLED officials’ comprehensive guidance on aligning procurement practices with cybersecurity standards. The resource is designed to streamline compliance and improve collaboration between procurement, IT, and risk management teams. View here for more information.

 

Session Highlights 

Each session at the Summit provided critical insights into the most pressing issues facing public sector cybersecurity. Here are the key takeaways from the sessions:

Welcome Keynote: Dignitary

Nicholas Leiserson, Assistant National Cyber Director for Cyber Policy and Programs at the Office of National Cyber Director (ONCD), opened the StateRAMP Cyber Summit with a powerful keynote. Drawing from his extensive experience in shaping national cybersecurity policy, Nicholas underscored the critical need for a unified approach to addressing cyber threats nationwide, emphasizing the importance of collaboration between the public and private sectors. His message set the tone for the event, highlighting how strategic partnerships can help us stay ahead of evolving threats. collaboration and a strategic, forward-thinking approach to cybersecurity.

Fireside Chat: National Cyber Strategy & Framework Harmonization

Leiserson, participating in the first fireside chat, emphasized the importance of aligning cybersecurity frameworks as a priority for the Office of the National Cyber Director (ONCD). He noted that achieving this will require collaboration among a wide range of stakeholders. The speakers encouraged attendees to prioritize educating local representatives on the significance of this alignment, particularly focusing on its benefits. Currently, the lack of consistency across federal frameworks hinders state and local cybersecurity efforts, leading to unnecessary resource drain and higher costs. Leiserson highlighted how StateRAMP’s baseline requirements, which integrate NIST and the CJIS-Aligned Task Force, offer a path forward for state and local governments. In order for these efforts to be successful, there needs to be active cooperation between government leaders and industry partners.

Panel: Framework Harmonization

A distinguished panel discussed the need for harmonizing cybersecurity frameworks across all levels of government. The session explored how discrepancies in frameworks not only affect the flow of regulations from federal to state and local levels but also create challenges for providers navigating varying standards across jurisdictions. The StateRAMP CJIS-Aligned Task Force shared their ongoing efforts and recommendations aimed at streamlining these processes. This conversation reinforced the importance of a unified approach to ensuring effective and consistent cybersecurity practices nationwide.

Tenets of a Strong Cyber Risk Management Program

Experts emphasized the increasing complexity of cyber threats, particularly in cloud environments. As governments increasingly migrate to the cloud, the threat landscape has shifted—malicious actors are now targeting cloud service providers to compromise multiple organizations at once, rather than focusing on one-by-one attacks.  The panel urged governments and providers to adopt proactive strategies to mitigate these emerging risks.

Addressing Whole of State for Cybersecurity

Panelists discussed the growing momentum behind the Whole of State approach to cybersecurity, which encourages collaboration among state, local, and educational leaders. The session emphasized the need for coordinated policies, frameworks, and procedures to maximize the impact of federal grants and create sustainable improvements in state cybersecurity efforts.

Important Role Procurement Plays in Protecting Citizens

As part of this session, procurement was highlighted as one of the most crucial elements of citizen data security. Early collaboration is key—engaging attorneys and risk teams before the process begins ensures a clear understanding of the data involved and its classification. Panelists highlighted the importance of providing cloud service providers (CSPs) with a pathway to compliance, helping grow the secure marketplace. The session served as a reminder that protecting citizen data is a shared responsibility between procurement and IT, underscoring the need for cross-functional collaboration. Attendees were also introduced to the new procurement toolkit, with upcoming training opportunities to support these efforts.

Keynote Session: Remembering Our Why

Jim Corns, Executive Director, Department of Enterprise Solutions for Baltimore County Public Schools delivered an inspiring keynote that recounted his experience as a victim of a cyber-attack and the impact that it had on the district. Through this story, attendees were reminded that security is a shared responsibility—protecting citizens and their data requires collaboration across an organization. Security is not just an option; it is a requirement. Corns urged leaders to keep security at the forefront of their decisions, ensuring that it becomes an ingrained priority in all areas of operation.

 

Roundtable Discussions

In addition to the keynotes and sessions, roundtable discussions allowed attendees to engage directly with experts on emerging trends:

Ethics & Privacy Considerations in AI/ML and Emerging Trends

This roundtable delved into the ethical challenges and privacy concerns surrounding the rapid development of AI and machine learning. The discussion was led by moderators Brian O’Connor, Director of Global Security & Compliance Office and Mark Dellavalle, Vice President of Global Systems Engineering at Extreme Networks, embracing the need for robust frameworks that ensure privacy while fostering technological innovation.

Leveraging StateRAMP in Risk Management for Government

Our moderator Fadi Fadhil, SLED Field CTO at Palo Alto Networks shared practical insights on how StateRAMP can be leveraged to strengthen risk management practices across government entities. The conversation focused on integrating StateRAMP guidelines into compliance strategies to enhance cybersecurity resilience.

 

Looking Ahead 

The 2024 StateRAMP Cyber Summit was a powerful testament to the importance of collaboration, innovation, and proactive measures in the ongoing effort to protect our public sector systems. We are grateful to everyone who contributed to its success and look forward to continuing these important conversations in the year ahead.

As we reflect on the key takeaways from this year’s Summit, we are excited to build on the momentum generated and invite you to stay engaged with the StateRAMP community. Mark your calendars for the 2025 StateRAMP Cyber Summit, where we will continue advancing the future of public sector cybersecurity.

The post Everything We Discussed at the 2024 StateRAMP Cyber Summit – A Recap appeared first on StateRAMP.

 

As the reliance on cloud technology grows and cybersecurity threats become more sophisticated, securing IT products and services has transformed from an important consideration into an urgent priority for state and local governments. With the increasing complexity of procurement processes and the pressing need to enhance cyber resilience, it became evident that a new approach was necessary. Enter the NASPO/StateRAMP Procurement Task Force—a collaborative initiative established in October 2023 to address these challenges head-on. 

 

Why This Task Force? 

The formation of this Task Force stemmed from a recognized need to harmonize procurement practices with the rigorous demands of cybersecurity. The stakes are high; as governments across the country increasingly rely on cloud-based solutions, ensuring these products are secure is not just a priority, but a necessity. Yet, navigating the intersection of procurement and IT has often been fraught with challenges, from aligning stakeholders to ensuring compliance with complex Risk Authorization Management Programs (RAMP). 

To address these concerns, StateRAMP saw an opportunity to collaborate with the National Association of State Procurement Officials (NASPO). This strategic partnership was not by chance—NASPO’s expertise in procurement, coupled with StateRAMP’s focus on cybersecurity, provided the perfect foundation for this Task Force. Together, our goal was to create a streamlined approach that brings procurement professionals and IT experts together, ensuring that security is at the forefront of every cloud product procurement. 

“The collaborative effort of the NASPO/StateRAMP Procurement Task Force represents an important step forward in addressing the unique challenges of IT procurement and cybersecurity and enforces our commitment to enhancing the security of government digital infrastructure while streamlining the procurement process,” stated Fay Tan, Deputy Chief Legal Officer, NASPO.  “As we move toward a permanent Procurement Committee, we’re confident that this work will continue to shape the future of secure IT procurement across the nation.” 

 

The Mission and Goals 

The NASPO/StateRAMP Procurement Task Force is comprised of a diverse group of professionals from both procurement and IT communities. This robust team has worked tirelessly over the past year to review current practices, identify gaps, and develop practical tools that can be used by states and local governments across the nation. 

Our mission is clear: to provide guidance and resources that simplify the procurement of secure IT cloud products while enhancing the overall cybersecurity posture of government entities. The culmination of nearly a year’s work, the Task Force has developed a Procurement Toolkit designed to bring procurement into the IT conversation. This toolkit serves as a bridge, ensuring that all stakeholders—from procurement officers to IT professionals—are aligned in their efforts to secure critical infrastructure. 

 

Looking Ahead 

 As the work of the NASPO/StateRAMP Procurement Task Force concludes, StateRAMP is excited to announce the establishment of a Procurement Committee. This committee, composed of representatives from the public sector, along with advisors from NASPO and the private sector, will continue to foster collaboration and innovation in the procurement process, ensuring that our mission to secure IT cloud products remains a top priority. By integrating cybersecurity considerations into the procurement lifecycle, we can help governments procure IT solutions that are not only effective but also secure. 

This Task Force is more than just an initiative; it represents a commitment to safeguarding our digital future. We are excited to share the tools and resources we have developed and look forward to seeing how they will help governments across the country navigate the complexities of IT procurement with confidence. For more information on the Task Force, please visit stateramp.org/naspo-stateramp-procurement-task-force/.

 

StateRAMP would like to thank our strategic partner, NASPO, for all the excellent work in convening this task force and for their continued efforts to improve our nation’s cybersecurity.

The post NASPO/StateRAMP Procurement Task Force: Streamlining Secure IT Procurement for Government appeared first on StateRAMP.

In this month’s Committee Corner, we’re proud to introduce Ken Weeks, Chief Information Security Officer (CISO) for the State of New Hampshire and a dedicated member of the StateRAMP Approvals Committee. With over three decades of experience as a Naval Officer specializing in cryptology and information warfare, and as a former Executive Leader of Cyber Operations at the NSA, Ken brings invaluable expertise to his role on the committee. Since joining StateRAMP, Ken has played a crucial part in supporting the efficient approval of service providers, helping mitigate cybersecurity risks across the nation. In this interview, Ken shares his journey, the benefits of joining a StateRAMP committee, and the rewarding experiences he’s had as part of the cybersecurity community.

____________________________________________________________________________________________________________________

How long have you been involved with StateRAMP?

I think I’m getting close to a year, but I’m having so much fun and time flies that it may actually be a little bit longer…or shorter…

Please provide a quote about your experience so far as a committee member.

As a State CISO, I have a variety of “other duties as assigned” but I volunteered to be part of this committee when Leah asked if I was interested. Serving on the Approvals Committee is my way of supporting the management of cybersecurity risk outside the “borders” of New Hampshire. (Actually, we only have a “border” with Massachusetts and Canada. We have “State Lines” with Vermont and Maine.)

What motivated you to join your respective committee?

As more and more States, Municipalities, Higher Education institutions and K12’s move work to the Cloud for all the right reasons, it is impossible for each organization to do the required due diligence against risk to the delivery of government operations. StateRAMP does that.

What skills and experience do you bring to your committee?

I’m pretty sure I’m the least technically qualified member of the committee but I bring three decades of experience as a cryptologist and information warfare officer and member of the U.S. Intelligence Community to bear. I know bad when I smell it, that is for sure!

What benefits have you seen since joining your committee?

When you join a StateRAMP committee, you immediately expand your professional network and even for a knuckle-dragger like me, you will gain significant knowledge just by being part of the process.

What impact has your committee had on StateRAMP and/or the cybersecurity community?

This one is simple. The mere existence and process of the Approvals committee gets more products through the StateRAMP process in less time. The more efficient we are at this, the less risk we will collectively assume.

What advice would you share with someone interested in joining a committee with StateRAMP?

Just do it now. Contact StateRAMP and express an interest. Your professional network will grow and you will make a nationwide impact. This is IMPORTANT.

The post Committee Corner: Meet Ken Weeks appeared first on StateRAMP.

The post Strengthening Procurement: The Launch of the StateRAMP/NASPO Task Force appeared first on StateRAMP.

In the realm of criminal justice management, compliance with the FBI’s Criminal Justice Information Services (CJIS) standards is essential and required for safeguarding national security and public safety. Yet, the complexity of these standards often poses significant challenges for both cloud technology providers (SaaS, PaaS, and IaaS) and state and local government agencies. Recognizing this, StateRAMP is leading the charge towards greater framework harmonization, aimed at simplifying compliance and understanding of CJIS standards through an innovative Task Force. 

Understanding CJIS: 

At the heart of the CJIS Security Policy lies the mission-critical function of the CJIS Division, serving as the central repository for many vital criminal justice information services. From the National Crime Information Center (NCIC) to the Uniform Crime Reporting (UCR) program, CJIS oversees pivotal technological initiatives like the Next Generation Identification (NGI), NCIC, and the National Incident-Based Reporting System (NIBRS). This centralized hub is dedicated to optimizing the dissemination of essential criminal justice data to authorized entities, bolstering national security efforts. As a result of CJIS, state and local agencies are affected, including traditional law enforcement and judicial agencies as well as many of the administrative services provided by the government. Therefore, the CJIS Security Policy is a policy requirement that all state and local governments must understand and follow.  

The FBI CJIS Security Policy serves as the cornerstone, establishing baseline security criteria and protocols for entities accessing criminal justice information (CJI) which have been mapped to the NIST 800-53 Rev.5 Special Publication of Security and Privacy Controls for Information Systems and Organizations. The CJIS Security Policy encompasses mandates for the encryption, audit logging, transmission, processing, storage, and access of sensitive data, applicable to all organizations with authorized access to CJI. CJI is required to be protected for the full lifecycle of data during processing, transmission, access, and storage. 

Introducing StateRAMP’s CJIS-Aligned Taskforce: 

Under the guidance of StateRAMP’s Executive Director, Leah McGrath, our dedicated team is driving forward a Task Force comprised of law enforcement agencies, industry experts, and cybersecurity professionals. This collaborative effort is further enriched by the advisory role of Chris Weatherly, the FBI CJIS Information Security Officer, providing invaluable insights into CJIS standards.   

By harnessing the collective expertise of diverse stakeholders, the Task Force aims to comprehensively address the challenges encountered by providers and governments in achieving CJIS compliance. In launching this initiative, StateRAMP intends to facilitate greater harmonization of frameworks among CSP’s (Cloud Service Providers) and state, local, tribal and territorial agencies and their service providers. 

Objectives of the CJIS-Aligned Taskforce: 

The StateRAMP CJIS-aligned overlay would specify specific parameters to enhance StateRAMP’s Moderate Impact Level to align with the current Criminal Justice Information Services Security Policy. Service Providers would use the overlay specification to confirm their posture relative to CJIS security control requirements, which simplifies the process of determining a product’s likelihood for CJIS conformance for both public and private sector stakeholders.   

StateRAMP’s CJIS-Aligned Task Force is guided by several key objectives aimed at enhancing conformance with CJIS standards: 

1. Understanding Conformance Hardships: Through proactive engagement with service providers and government agencies, the Task Force seeks to gain insight into the challenges faced in meeting CJIS standards, fostering a deeper understanding of conformance issues.  
2. CJIS Standard Harmonization: By promoting framework harmonization, the Task Force simplifies the application of CJIS standards, offering clarity and direction for providers and governments. While there is not and will not be a CJIS certification, StateRAMP’s CJIS-Aligned overlay aims to indicate a product’s likelihood of meeting CJIS standards. Achieving a StateRAMP verified status with this overlay provides directional guidance, with final CJIS compliance determination resting with relevant agency personnel. The goal of this overlay is to demonstrate conformance with FBI baseline CJIS Security Policy standards, reducing uncertainty for providers and governments. This standard can be further supplemented to meet specific government requirements. StateRAMP is committed to ensuring clarity and understanding for those adhering to CJIS security policy.  
3. Improved Communication: Facilitating enhanced communication channels between CJI stakeholders and the FBI CJIS Division personnel within the public and private sector is a core focus, ensuring comprehensive discussions that address the intricacies of CJIS standards.   
4. Enhanced Education on CJIS Conformance: Recognizing the need for heightened education efforts, the Task Force is committed to delivering comprehensive resources, including blog posts, webinars, and video content, to foster a deeper understanding of the CJIS Security Policy.  

In the pursuit of these objectives, StateRAMP remains steadfast in its commitment to promoting cloud security practices and ensuring the protection of critical criminal justice information. 

Conclusion: 

As the CJIS-AlignedTask Force continues its mission, StateRAMP reaffirms its dedication to advancing framework harmonization and compliance in the realm of criminal justice information management. Through collaborative efforts and educational initiatives, we strive to empower stakeholders with the knowledge and resources needed to navigate the complexities of the CJIS Security Policy standards effectively. Together, we embark on a journey towards a safer, more secure future for all. 

The post StateRAMP’s CJIS-Aligned Taskforce: Advancing Framework Harmonization and Compliance appeared first on StateRAMP.

This month’s Committee Corner highlights Naomi Ward, an expert in Third Party Risk Management for the Commonwealth of Massachusetts and an active member of the StateRAMP committee. With over a decade of experience in internal audit and executive leadership, Naomi brings a wealth of knowledge to her role, contributing to the enhancement of risk management practices. In her interview, Naomi shares insights on her journey, her experiences as a new member of the committee, and how collaboration with professionals across states has enriched her work. She offers valuable advice for those considering joining a StateRAMP committee and emphasizes the benefits of a structured, supportive environment.

____________________________________________________________________________________________________________________

How long have you been involved with StateRAMP? 

I have been involved with StateRAMP for 1 year. 

 

Please provide a quote about your experience so far as a committee member. 

As a new committee member, I am grateful for the structured environment that allows new members to learn and grow within the group. This supportive framework has been instrumental in my development and integration into the committee.

 

What motivated you to join your respective committee? 

My extensive background in internal audit and risk management fueled my motivation to join this committee. I saw it as an opportunity to leverage my skills and experience to contribute to a vital area of StateRAMP’s mission.

 

What advice would you share with someone interested in joining a committee with StateRAMP?  

The committee’s structure is thoughtfully designed to allow members to participate actively without feeling overwhelmed. This makes it an excellent opportunity for anyone interested in making meaningful contributions while managing their other professional responsibilities. 

 

What has been the most memorable or rewarding moment you have experienced working with the committee so far? 

One of the most rewarding experiences has been getting to know individuals in similar roles from other states. This interaction has provided valuable insights. It has been nice to realize that we all face similar challenges and continuously strive to overcome them. Our collective contributions to StateRAMP enhance our workflows and help us achieve our goals more effectively. 

The post Committee Corner: Meet Naomi Ward appeared first on StateRAMP.

As StateRAMP continues to grow, our mission is being driven by the dedicated efforts of our diverse committees. Each committee plays a pivotal role in shaping the standards, governance, and operational excellence that guide our commitment to improving cloud cybersecurity for state and local governments.

Our committees provide a valuable opportunity for the StateRAMP community to actively participate in our evolution. While each committee has unique standards and requirements, they are predominantly composed of public sector representatives, complemented by private sector members to ensure a balanced industry perspective. Having a wide range of expertise enables us to meet both industries’ needs.

In this blog, we explore the committees that make up the StateRAMP governing body, their responsibilities, and recent accomplishments.

Board of Directors

The Board of Directors is instrumental in guiding our mission, making strategic decisions, and ensuring the seamless operations of StateRAMP. The Board’s leadership ensures StateRAMP remains aligned with its mission and continues to serve both its members and stakeholders.

A major undertaking this year for StateRAMP is the StateRAMP Cyber Summit with presenting sponsor Carahsoft that will be held on September 12th, 2024, in Indianapolis, Indiana. The Board of Directors is spearheading the planning of our inaugural Summit, aiming to create a unique event that addresses real-world cybersecurity problems, fosters solution-focused discussions, and advances state and local government cybersecurity practices and framework harmonization.

Meet the Board of Directors.

Steering Committee

Formed in April 2020, the StateRAMP Steering Committee is comprised of distinguished government and industry leaders. This committee founded StateRAMP, aiming to unify public and private sector leaders in developing a streamlined approach to risk and authorization management (RAMP).

The Steering Committee’s work led to the formation of StateRAMP as a 501(c)6 nonprofit, in partnership with state government CIOs, CISOs, Chief Privacy Officers, Procurement Officials, and private industry experts who serve state governments. This essential group determines StateRAMP’s priorities and manages our operations.

Meet the Steering Committee.

Standards & Technical Committee

The Standards and Technical Committee is at the heart of maintaining and enhancing StateRAMP’s reliability, ensuring that we adhere to the highest levels of security and effective approaches. The committee provides recommendations to the Board regarding PMO policies, security standards, best practices, and assessment processes. Their diligent work ensures that our security measures and best practices remain top-notch, benefiting all members and stakeholders.

This group has been tasked with overseeing the transition to NIST 800-53 Rev. 5, which sets the standard for best practice controls essential to StateRAMP’s Security Snapshot Program and StateRAMP Authorizations. Noah Brown, StateRAMP PMO Director, emphasizes the significance of Rev. 5, stating, “Updating our control baselines was critical for safeguarding government data, as NIST 800-53 Rev. 5 represents the latest advancements in cloud security controls, aligning with current threat landscapes.” StateRAMP is scheduled to fully adopt Rev. 5 controls by October 1, 2024.

Meet the Standards and Technical Committee.

Appeals Committee

The Appeals Committee plays a key role in maintaining StateRAMP’s integrity by ensuring that conflicts and disputes are addressed in an equitable and transparent manner. Comprising of at least five members, the committee includes representation from all stakeholders and at least one Board of Directors member.

In the absence of appeals to review, the Appeals Committee collaborates closely with the Standards and Technical Committee. Recently, these committees joined efforts to assess the NIST 800-53 Rev. 5 baselines, facilitating member feedback on these updated controls. Both committees determined the update enables StateRAMP to implement the most advanced and exhaustive guidelines for cloud security.

Meet the Appeals Committee.

Approvals Committee

The Approvals Committee ensures that providers can verify their products and achieve StateRAMP Authorized status. Composed of at least five members representing state and local government and higher education, this group was formed by the StateRAMP Board and Nominating Committee to address community feedback and guarantee comprehensive product security verification.

Members of the Approvals Committee bring technical expertise and government policy knowledge to the process, carefully reviewing six to eight security packages to grant StateRAMP Authorized Status.

Meet the Approvals Committee.

Nominating Committee

The Nominating Committee identifies and recommends qualified individuals to join our Board of Directors and other leadership positions. Additionally, the committee provides recommendations on best practices for governance, ensuring the effectiveness and transparency of StateRAMP’s operations.

Recognizing the importance of procurement in our initiatives, the Nominating Committee assessed the need for championing the establishment of the Procurement Committee.

The group is instrumental in selecting suitable individuals who will drive the future of StateRAMP forward. Their dedication to identifying capable leaders ensures StateRAMP remains at the forefront of cybersecurity governance.

Meet the Nominating Committee.

Procurement Committee

We are excited to announce the formation of the Procurement Committee, which will begin its term in 2025. This new committee will play a crucial role in advising on procurement best practices for cloud cybersecurity, ensuring that our members are equipped with the most effective and efficient strategies for securing cloud services.

By leveraging the expertise and insights of this committee, we aim to enhance the procurement processes across the board, driving forward our mission to improve cybersecurity standards and practices. Nominations for this committee are now open, and we look forward to welcoming dedicated professionals who are passionate about advancing cybersecurity procurement.

2025 Nominations

We invite you to shape the future of StateRAMP by submitting nominations for the 2025 term. Your nominations ensure our committees and boards benefit from diverse expertise, driving our mission forward. Nominations are open until August 1st. If you know individuals with the right qualifications and commitment, please visit our nominations page to submit their information today.

StateRAMP offers multiple ways to engage, including the 3PAO and Advisory Council, Provider Leadership Council, and various task forces. Introduced in 2024, the 3PAO and Advisory Council facilitates quarterly collaboration among peers. The Provider Leadership Council offers a platform for providers to share insights and stay updated. Our Board of Directors also forms task forces, inviting members to contribute their expertise. Stay tuned for opportunities to participate and help shape StateRAMP’s future.

The post StateRAMP Governance: Meet Our Committees appeared first on StateRAMP.

In Committee Corner, we spotlight the dedicated individuals driving StateRAMP’s mission. This month, we’re featuring Josh Kadrmas, a Cyber Risk Analyst Team Lead for North Dakota Information Technology (NDIT) and a member of the StateRAMP Approvals Committee. With over 18 years of experience in the State of North Dakota, including roles as an Information Security Officer and now leading NDIT’s cyber risk management team, Josh brings a wealth of knowledge and expertise to the table. His work ensures that service providers meet stringent security and privacy controls, bolstering the integrity of the StateRAMP authorization process. In this interview, Josh shares what motivated him to join the Approvals Committee, the rewarding moments he’s experienced, and his passion for advancing cybersecurity in the public sector.

____________________________________________________________________________________________________________________

How long have you been involved with StateRAMP?  

I have been a committee member for over a year and our state has been associated with StateRAMP for nearly two years.  

 

Please provide a quote about your experience so far as a committee member.  

As an Approvals committee member, the journey has been enlightening to experience the great responsibility we have to properly vet security and privacy controls before a service provider is granted authorization. I’m thrilled to see all of us working together to bolster our nation’s cyber defenses – after all, cybersecurity is a shared responsibility!  

 

What motivated you to join your respective committee?  

I was curious to see first-hand the process of approving service providers and knowing our committee’s work and review is the last stop in the process for the service organization before they are approved.  

 

What has been the most memorable or rewarding moment you have experienced working with the committee so far?  

It’s rewarding to know the service providers we approve are making technological advances for so many people and doing so in a secure way with privacy principles embedded within their products. For any providers we haven’t approved, they have been mostly minor items that needed clarification with quick remediation, which is a testament they are more than a service provider: they are a partner that government entities can trust to ensure data security and availability is paramount. 

The post Committee Corner: Meet Josh Kadrmas appeared first on StateRAMP.

At StateRAMP, our mission is centered around empowering the public and private sectors to work together to defend against evolving cyber threats through a robust and accessible cybersecurity assessment framework. We understand the challenges all stakeholders face in safeguarding sensitive data and critical systems amidst increasingly sophisticated threats. To address these challenges effectively, StateRAMP provides a clear and cost efficient path for providers to meet government requirements.In our commitment to continuous improvement and better service delivery, StateRAMP has recently implemented a significant operational change: transitioning to an annual membership renewal model. This change, effective June 1st annually, replaces our previous rolling renewal system that was tied to individual joining dates. While the previous model offered flexibility, it also posed considerable administrative complexities, including managing multiple renewal dates and ensuring consistent communication with members.

Transition to a New Annual Renewal Model

The decision to shift to an annual renewal cycle was driven by feedback from our valued members and aims to streamline our administrative processes, enhance clarity, and improve predictability. By establishing a unified renewal deadline, we simplify membership management, reduce administrative workload, and provide members with a clear timeline for planning and budgeting their membership renewal well in advance.

For our current members, this transition means improved operational efficiency and a more straightforward renewal process. They can now anticipate their renewal date each year and continue to benefit from uninterrupted access to StateRAMP’s resources, including networking opportunities with peers and industry experts, and comprehensive support for cybersecurity compliance and improvement efforts.

Prospective members considering joining StateRAMP will also benefit from this streamlined approach, as they can confidently engage with us knowing exactly when their membership renewal will occur. They will gain access to our standardized cybersecurity assessment framework, designed to mitigate risks associated with cloud service adoption and enhance transparency in cybersecurity practices across state and local governments.

Commitment to Cybersecurity Excellence

StateRAMP’s transition to an annual membership renewal model marks a significant step towards enhancing member experience, operational efficiency, and service delivery. We remain committed to supporting our members in strengthening their cybersecurity defenses and fostering a more secure environment for state and local governments. Together, we can continue advancing cybersecurity standards and practices across the public sector, ensuring resilience against emerging threats.

The post Streamlining Provider & 3PAO Membership Renewals: StateRAMP’s New Annual Model appeared first on StateRAMP.

INDIANAPOLIS, IN – (StateRAMP) – StateRAMP, the leading authority in cloud security standards for state and local governments, is thrilled to announce the establishment of the StateRAMP CJIS-Aligned Task Force. This pioneering initiative signifies a landmark collaboration between StateRAMP’s members and leaders from the Federal Bureau of Investigation’s Criminal Justice Information Services (FBI CJIS). The committee, with assistance of FBI CJIS advisors, will develop a StateRAMP CJIS-aligned overlay. 

The StateRAMP CJIS-aligned overlay will specify parameters to enhance StateRAMP’s Moderate Impact Level, aligning it with current Criminal Justice Information Services Security Policy. Service Providers will use the overlay specification to confirm their posture relative to CJIS security control requirements, simplifying the process of determining a product’s likelihood of CJIS conformance for both public and private sector stakeholders. 

The primary objective of this collaboration is to assemble state and local government leaders, StateRAMP approved assessors and provider members, alongside the expert guidance of FBI CJIS leadership. Together, they will craft an overlay to StateRAMP baseline controls that aligns seamlessly with CJIS requirements, ensuring robust security measures tailored to the unique needs of the criminal justice community. 

“While there will be no official CJIS certification, the StateRAMP CJIS-aligned overlay represents a significant step forward in providing clear guidance on a product’s likelihood for CJIS conformity,” said Leah McGrath, Executive Director of StateRAMP. “Achieving a StateRAMP Authorization with the CJIS-aligned overlay will offer invaluable directional guidance, empowering agencies to make informed decisions about their cloud security solutions.” 

The task force, comprised of StateRAMP provider members, government representatives, and advisors from FBI CJIS Division, will spearhead the development of this critical overlay. Building upon the foundation laid by StateRAMP’s Standards and Technical Committee, this initiative marks a pivotal moment in furthering framework harmonization of cloud security practices tailored to the needs of state and local governments. 

“We appreciate the ongoing leadership of the FBI CJIS Division that has made this overlay a tangible possibility,” added McGrath. 

In addition to its core objectives, the Task Force aims to enhance awareness and acceptance of the CJIS overlay by incorporating insights from industry thought leaders. StateRAMP remains steadfast in its commitment to promoting greater harmonization in cloud security practices, ensuring vendors and government agencies receive comprehensive guidance to achieve CJIS compliance effectively.

To support these efforts, we invite you to participate in our CJIS-Aligned Task Force Survey. Your insights and feedback are crucial in shaping the development of the CJIS-aligned overlay, ensuring it meets the needs and challenges faced by the criminal justice community.

For more information about the StateRAMP CJIS-Aligned Task Force and to join this groundbreaking initiative, visit stateramp.org/stateramp-cjis-aligned-task-force/.

About StateRAMP

StateRAMP is the premier authority in cloud security standards for state and local governments. By providing a standardized approach to assessing and authorizing cloud services, StateRAMP empowers government agencies to navigate the complexities of cloud security with confidence. Learn more at stateramp.org. 

The post StateRAMP Launches CJIS-Aligned Task Force to Advance Framework Harmonization and Compliance appeared first on StateRAMP.

Government agencies and contractors often find themselves navigating a complex maze of regulatory cybersecurity standards. Recognizing this challenge, StateRAMP and TX-RAMP have forged a strategic partnership aimed at simplifying the compliance journey for Cloud Service Providers (CSPs) while ensuring robust security protocols for state and local government entities. 

A Unified Approach to Compliance 

At its core, the collaboration between StateRAMP and TX-RAMP embodies a commitment to a unified approach to compliance. Modeled after the esteemed Federal Risk and Authorization Management Program (FedRAMP), StateRAMP offers a standardized methodology for assessing security, obtaining authorization, and implementing continuous monitoring for cloud products and services utilized by state and local governments nationwide. Complementing this framework, TX-RAMP focuses specifically on upholding cybersecurity standards within Texas state agencies and vendor networks. 

Key Benefits for CSPs 

Through this partnership, CSPs stand to reap several key benefits. Firstly, by aligning with StateRAMP, providers gain access to a streamlined pathway for satisfying TX-RAMP requirements. This not only reduces the burden of navigating disparate regulatory frameworks but also affords providers the opportunity to leverage StateRAMP’s nationwide reach, ensuring compliance across multiple jurisdictions. 

Additionally, CSPs benefit from dedicated support and resources provided by StateRAMP. With a designated point of contact available to address inquiries and facilitate communication with TX-RAMP, providers can navigate compliance challenges with confidence and clarity. 

Navigating the Compliance Landscape 

For CSPs seeking to fulfill TX-RAMP requirements, the partnership offers three distinct pathways: 

Progressing Snapshot Program: Enrolling in the StateRAMP Progressing Security Snapshot program enables providers to obtain provisional certification for their products, facilitating business engagements with Texas agencies. As an added benefit, utilization of this program to obtain TX-RAMP provisional certification removes the 18–month standard expiration date on that certification status.

StateRAMP Ready Status: CSPs achieving StateRAMP Ready Status can seamlessly transition to TX-RAMP Level 1 status, ensuring continued compatibility with Texas agency contracts.

StateRAMP Authorized Status: Securing StateRAMP Authorized Status empowers CSPs to attain TX-RAMP Level 2 status, meeting the stringent requirements set forth by Texas agencies seeking the highest level of verification. Additionally, if your product meets the Authorization requirements, but one of the product’s interconnected technologies is not StateRAMP or FedRAMP Authorized your product may achieve a StateRAMP Provisional Status which allows your product to qualify for either TX-RAMP Level 1 or Level 2 status, depending on the needs of the contract. 

Empowering Compliance Efforts 

The collaboration between StateRAMP and TX-RAMP represents a significant advancement in the realm of cybersecurity compliance within the Texas state government sphere. By embracing StateRAMP’s standardized approach and leveraging its resources, organizations can not only meet TX-RAMP requirements but also enhance their overall security posture, safeguarding critical data and infrastructure against emerging threats. 

The partnership between StateRAMP and TX-RAMP not only streamlines compliance efforts but also opens doors for CSPs to verify once and serve many, ensuring robust cybersecurity measures for state and local government entities. 

Conclusion 

In an era marked by escalating cybersecurity challenges, collaborative initiatives like the partnership between StateRAMP and TX-RAMP offer a beacon of hope. By providing clear pathways to compliance and steadfast support, this partnership empowers CSPs to navigate the compliance landscape effectively, fortifying security measures for state and local government entities across Texas. 

The post Navigating Compliance: StateRAMP’s Collaborative Effort with TX-RAMP appeared first on StateRAMP.

Cybersecurity has become a huge concern for organizations across all sectors. With cyber threats on the rise and becoming increasingly more sophisticated, the need for robust cybersecurity measures has never been more critical. As a result, organizations are requiring third-party suppliers to prioritize and verify their cybersecurity posture as they serve as the guardians of their clients’ sensitive data and systems. As the number of cybersecurity frameworks continues to grow, the challenge for businesses to navigate this complex terrain becomes ever more pronounced. In response to this growing challenge, the concept of framework harmonization emerges as a key solution for service providers seeking to enhance their security posture and operational efficiency. 

Understanding Frameworks in Cybersecurity 

Before diving into the importance of harmonization, it is essential to understand the fundamentals of cybersecurity frameworks. These frameworks are structured guidelines, best practices, and standards designed to assist organizations in managing and mitigating cybersecurity risks effectively. 

Frameworks serve as invaluable roadmaps, providing a systematic approach for organizations to identify, protect, detect, respond to, and recover from cybersecurity incidents. By offering a blueprint for implementing security controls, policies, and procedures, these frameworks ensure alignment with industry standards and regulatory requirements. 

The Challenge of Diverse Frameworks 

In the realm of cybersecurity, service providers often find themselves operating across various sectors and industries, each of which has their own set of cybersecurity frameworks that they prioritize. From NIST Cybersecurity Framework and ISO/IEC 27001 to CIS Controls and GDPR, navigating the controls and understanding the differences can be overwhelming. 

While each framework brings its strengths and focus areas, the challenge arises when service providers are required to adhere to multiple frameworks simultaneously. This diversity can lead to confusion, duplication of efforts, and inefficiencies in cybersecurity management. 

The Significance of Framework Harmonization 

These challenges for service providers are one reason framework harmonization has become increasingly significant. It involves aligning and integrating multiple cybersecurity frameworks to establish a cohesive and streamlined approach to security management. 

Benefits of Framework Harmonization for Service Providers: 

1. Streamlined Compliance Efforts: 

• By harmonizing frameworks across industries, service providers can eliminate redundant processes and controls, streamlining operations, reducing complexity, and ultimately saving costs associated with cybersecurity management.

2. Enhanced Security Posture: 

• A harmonized framework empowers service providers to leverage the strengths of different frameworks. This comprehensive approach results in a more robust security posture, covering a broader range of threats and vulnerabilities.  

3. Improved Operational Efficiency: 

• Framework harmonization enables service providers to allocate resources more effectively, focusing on areas of highest risk and priority. This ensures that cybersecurity efforts align with business objectives and increases the security posture for all organizations they are working with. 

StateRAMP Leading the Way in Framework Harmonization 

As organizations across industries and service providers alike seek solutions to the challenge of diverse cybersecurity frameworks and requirements, StateRAMP is taking the first step towards a comprehensive solution. As the trusted authority in assessing and authorizing cloud service providers (CSPs) for state and local governments, StateRAMP recognizes the importance of harmonization in the cybersecurity landscape. 

StateRAMP’s Solution to Framework Harmonization: 

StateRAMP is developing a framework harmonization initiative that aims to: 

• Align Multiple Frameworks: StateRAMP’s initiative will concentrate on harmonizing requirements in the federal, state, local and educational sectors. This will ensure that all applications share the same set of standards, reducing the cost of development and deployment. It will also make it easier for businesses to access and navigate the various markets. 
• Provide Guidance and Resources: Governments and service providers within the StateRAMP ecosystem will gain access to guidance, tools, and resources essential for implementing a harmonized framework. This will ensure that the public and private sectors are working with the same resources and focusing on the most impactful cyber areas.  
• Streamline Compliance Processes: The initiative aims to simplify compliance efforts for service providers, ensuring adherence to industry standards and regulatory requirements. 

StateRAMP’s framework harmonization initiative will empower service providers with a unified and efficient approach to cybersecurity. By aligning with StateRAMP’s harmonized standards based on NIST 800-53, service providers can enhance their security posture, streamline operations, and demonstrate a commitment to cybersecurity excellence across the industries they work in. 

Embracing Framework Harmonization for a Secure Future 

In the ever-evolving landscape of cybersecurity, framework harmonization emerges as an opportunity for better efficiency and effectiveness. Service providers play a crucial role in safeguarding their clients’ data and systems, and framework harmonization is a proactive step towards cyber resilience. 

As service providers navigate the complexities of cybersecurity, StateRAMP’s framework harmonization initiative offers a path towards a more unified and streamlined approach. By embracing framework harmonization, service providers can stay ahead of cyber threats, comply with regulatory requirements, and ensure the security and integrity of their operations. 

In the journey towards a more secure digital future, framework harmonization stands as a transformative solution for service providers committed to excellence in cybersecurity. 

The post Navigating the Cybersecurity Maze: The Power of Framework Harmonization appeared first on StateRAMP.

Let’s be honest – running a non-profit takes a certain amount of grit and gumption. With a small staff and tight budget, you’re probably outsourcing functions like web hosting and IT equipment maintenance to third-party service providers to save on time and labor. These vendors provide the crucial services you need, but understanding how to vet and select them in the first place can be daunting. Sometimes, it is easier to just sign up for one that looks moderately reputable so that you can get back to the core work of your organization. 

The problem with making a selection in this way is that trusting a third-party service provider to protect your data without verifying their security standards is a lot like sending your child to a daycare you have not ever visited. When it comes to the people we care most about, we would never consider putting them at unnecessary risk. Yet when it comes to our personal data and cybersecurity, we often skirt the needed due diligence. Unfortunately, even the cybersecurity vendor you use can introduce inadvertent cyber risk to your organization if you don’t properly vet their data protection and cybersecurity standards before handing them access to your confidential information. 

Although this security gap for third-party software in use at nonprofits has been an issue for a long time, it is a bigger problem now than it ever has been before. Through participation in the Joint Cyber Defense Collaborative’s High-Risk Communities planning effort, StateRAMP, CISA, and a host of industry and civil society partners are taking steps to address the rise in targeted cyber threats against civil society organizations for their work to advance humanitarian and democratic causes.  

Whether you represent a think-tank, NGO, or grassroots volunteer organization, your data and ability to effectively accomplish your mission remains at risk. And as a non-profit, your organization likely does not have sufficient resources to manage every third-party vendor and software product you use. 

While the onus should be on vendors to build privacy and security into the design and manufacture of their products, the current reality is that you need to vet third-party service providers and products to avoid introducing unnecessary risk into your digital ecosystem. Below, we’ve boiled down a few easy, practical steps you can take to help your organization mitigate third-party risk. You’ll get back to your organization’s core work in no time.    

Know Who is Who and What They Do 

While it sounds elementary, knowing who has access to your systems and data and what they do for your organization is the most critical step you can take. Even if it’s just creating an inventory in a simple Excel spreadsheet, equipping your organization with answers to the following questions will significantly improve your visibility and control over who has access to your systems and data:  

• Do you rely on any external organizations to perform specific tasks or services? (e.g. Who hosts your website? Do you use apps or services for Stakeholder Relationship Management, maintaining sensitive employee data, or managing your payroll?)   
• Do you know how to get in touch with these service providers if something stops working correctly? 
• Do you know what types of data your third-party providers may be storing or transmitting on your behalf?  

Next, you should assess the risks associated with the data that your third-party vendors can transmit or store. Consider the following breakdown in criticality:  

• Low impact – Loss of the data would have limited adverse impact on your organization. 
• Moderate impact – Loss of the data would have a serious negative impact on your organization. 
• High impact – Loss of the data would have a catastrophic impact on your organization.

Get to Know Your Providers  

For third-party vendors that handle moderate and high-impact data for your organization, it’s crucial that you request information on their security practices. 

The saying, “A chain is only as strong as its weakest link,” is an apt descriptor for third-party cybersecurity risk. Even if your organization has a robust cybersecurity program, your data could still be compromised if your third-party vendor experiences a data breach. To mitigate that risk, here are some key questions you should ask your third-party vendors about their security practices and policies:  

• Has your third-party service provider completed a security audit? 
• Has your third-party service provider undergone a penetration test in the past 12 months? 
• Does your third-party service provider… 
  • require phishing-resistant Multi-Factor Authentication for all administrative accounts or functions? 
  • routinely collect threat information and monitor their logs for suspicious cyber activity? 
  • have the capability to detect, contain and eradicate malicious software and intrusions? 
  • Have an Incident Response (IR) Plan? 
• Are your third-party provider’s products or services authorized by an independent organization like FedRAMP or StateRAMP?  
• Do you have an agreement with your provider such that they are obligated to notify you in the event of a breach? 

While not comprehensive, these initial questions will give you a sense of whether your third-party vendors are serious about security – theirs and yours.  

Use the Resources Around You 

The challenge with evaluating current and prospective vendors using the question set above is that they may not answer truthfully, and there isn’t always an easy way to validate whether your vendor’s claims are accurate. This brings us to the next step: using the resources around you to help.  

There are a few key things you can look for that will help you in validating the trustworthiness of third parties:  

• Consult CISA’s Website! CISA is a resource that provides cybersecurity guidance on a variety of topics, including how small and medium-sized businesses can mitigate third-party cybersecurity risks. As a starting point, check out CISA’s ICT Supply Chain Risk Management Fact Sheet. As your organization becomes more advanced in managing third-party risk, CISA’s Internet of Things Security Acquisition Guidance and Operationalizing the Vendor Supply Chain Risk Management Template for Small and Medium-Sized Businesses are also helpful resources.   
• Use FedRAMP and StateRAMP product authorization lists to gauge a product’s security posture.  

Learning about the security posture of the third-party providers you entrust with your data matters. By identifying who has access to your data and systems, and understanding more about their overall approach to security, you are taking a vital step towards protecting your organization from those threat actors who would keep you from fulfilling your organization’s mission.  

Print out this simple checklist to begin your third-party risk management journey today!

The post Low-Budget Steps Civil Society Organizations Should Take to Protect Data When Using Third-Party Service Providers appeared first on StateRAMP.

March marks National Procurement Month—a time dedicated to recognizing the pivotal role that procurement professionals play in government operations. At StateRAMP, we are proud to join in this celebration and bring awareness to the critical intersection of procurement and cybersecurity. 

The Importance of Strategic Procurement in Cybersecurity 

In today’s digital age, cybersecurity is no longer an optional layer of protection but a fundamental necessity. Government agencies and organizations must navigate a complex landscape of evolving threats, stringent compliance requirements, and a growing reliance on technology. At the heart of this challenge lies procurement—a strategic lever that can either bolster or compromise an entity’s cybersecurity posture. 

Jessica Van Eerde, StateRAMP’s Chief of Operations stated, “As a former procurement professional, I understand the incredible challenges procurement departments face in trying to balance the needs of their organization and the laws and regulations by which they are bound. This only gets more complicated in the realm of cybersecurity, where one misstep can have profound consequences, not just for the organization but for its citizens. Working together with NASPO, as well as many amazing procurement professionals working tirelessly to address this issue, has given me confidence that leveraging StateRAMP is one way to make the entire procurement process easier for everyone involved!” 

• StateRAMP’s Commitment to Cybersecurity Excellence:
  At StateRAMP, our mission is clear: to raise the bar for cybersecurity standards across the public sector. We understand that the procurement process plays a crucial role in this mission, shaping the security landscape of government agencies nationwide. 

• The NASPO/StateRAMP Task Force:
  In our pursuit of strengthening cybersecurity through procurement, StateRAMP has forged a strategic partnership with the National Association of State Procurement Officials (NASPO). Together, we have established the NASPO/StateRAMP Task Force—a collaborative effort aimed at developing best practice templates, resources, and standards for cybersecurity in procurement. 

Driving Innovation and Best Practices 

The NASPO/StateRAMP Task Force brings together a diverse group of procurement professionals, cybersecurity experts, government officials, and industry leaders. Through this partnership, we are driving innovation, sharing insights, and developing actionable strategies to enhance cybersecurity resilience in government procurement processes. 

Fay Tan, NASPO’s Deputy Chief Legal Officer added, “A practical understanding of cybersecurity standards and principles by today’s procurement specialists is quickly becoming a critical component of our profession’s body of knowledge. Collaborating with cybersecurity experts through efforts like the NASPO/StateRAMP task force gives procurement a voice in shaping these standards and establishing guidance for their implementation throughout state government.” 

• Developing Best Practices Guides:
  One of the Task Force’s key initiatives is creating comprehensive best practices guides for procurement professionals. These guides cover a range of topics, from vendor assessments and contract clauses to leveraging StateRAMP certification for enhanced security.

• Educational Webinars and Workshops:
  The Task Force regularly hosts educational webinars and workshops, providing procurement professionals with valuable insights and tools to navigate the cybersecurity landscape. These sessions delve into topics like risk management, compliance frameworks, and procurement in cybersecurity governance. 

Celebrating Procurement Excellence 

As we celebrate Procurement Month, we recognize the dedication and expertise of procurement professionals across the country. Their tireless efforts ensure transparency, fairness, and efficiency in government transactions—essential elements for a thriving democracy. 

• Spotlight on Cybersecurity Champions:
  StateRAMP and the NASPO/StateRAMP Task Force are proud to shine a spotlight on the cybersecurity champions within the procurement community. These individuals are at the forefront of integrating cybersecurity into procurement processes, safeguarding sensitive data and critical systems.

• Amplifying Procurement Month Awareness:
  Through our collaborative efforts, StateRAMP and the Task Force are amplifying awareness of Procurement Month. We invite procurement professionals, government officials, and cybersecurity enthusiasts to join us in recognizing the vital role of procurement in securing our digital future. 

Join Us in the Conversation 

As we navigate the ever-evolving landscape of cybersecurity threats, strategic procurement emerges as a powerful tool in our arsenal. StateRAMP and the NASPO/StateRAMP Task Force invite you to join us in this important conversation. 

Connect with Us: 

• Learn more about StateRAMP: stateramp.org 
• Explore NASPO’s initiatives: NASPO.org 
• Follow us on LinkedIn: StateRAMP 
• Follow NASPO on LinkedIn: NASPO 

This Procurement Month let’s celebrate the unsung heroes of procurement and their invaluable contributions to cybersecurity excellence. Together, we can shape a more secure and resilient future for government agencies and organizations nationwide. 

The post Celebrating Procurement Month: Elevating Cybersecurity through Strategic Partnerships appeared first on StateRAMP.

As the StateRAMP team evolves, we want to re-introduce ourselves to government principals, cybersecurity innovators, and private sector leaders. Get to know the StateRAMP team below and find a list of upcoming conferences where you can meet StateRAMP representatives in-person. View our Board of Directors and Standing Committees here.

StateRAMP Management Team

Executive Director, Leah McGrath

Serving as the Executive Director, Leah McGrath has been involved with StateRAMP since its formation. In 2020, she spent countless hours working alongside Steering Committee members to develop StateRAMP’s governance and policy framework. Prior to her work with StateRAMP, McGrath held leadership positions in both the public and private sector, including serving as the first deputy mayor of the City of Fishers, Indiana. During her tenure, Fishers transformed from a town into a smart, vibrant, entrepreneurial city and was named the #1 Best Place to Live in America in 2017 by Money magazine. As deputy mayor, she helped lead modernization efforts and spearheaded city-wide efforts to develop the city’s first long-range, comprehensive plan. McGrath’s 20-year career has been focused on working to improve government outcomes at the state and local level, helping shepherd government into the digital age securely and effectively for the citizens it serves. Connect with Leah!

Chief of Operations, Jessica Van Eerde

Jessica Van Eerde is StateRAMP’s Chief of Operations, where she passionately represents and supports StateRAMP’s mission and its members. A seasoned leader with over a decade of experience working with State and Local Governments, as well as in the realm of Higher Education, Jessica brings a wealth of knowledge to her role. Her expertise spans various domains, including law, procurement, and professional development. Notably, Jessica plays a pivotal role in the leadership of the TX-RAMP StateRAMP partnership, driving initiatives that optimize cybersecurity tools and resources for State, Local, and Education (SLED) organizations nationwide. Her dedication to advancing cybersecurity excellence is reflected in her strategic leadership and commitment to forging impactful collaborations. Connect with Jessica!

Government Engagement Director – Adoption Consultant, Stacey Carswell

As the Government Engagement Director for the northeast region at StateRAMP, Stacey helps participating governments adopt StateRAMP by providing guidance on process improvement, change management, and cybersecurity education. Stacey has over a decade of experience in government procurement and policy development. She continues to support public servants through education and policy development. Connect with Stacey!

 

Government Engagement Director – Strategic Relations, Chance Grubb

Chance Grubb serves as our Government Engagement Director, focusing on strategic relations. Chance possesses over 17 years of state government experience in procurement, information technology and cybersecurity. The State of Oklahoma used his expertise to establish a vendor management program, share cyber threat intelligence through the OK-ISAC, and mature a third-party security program. Connect with Chance!

 

Government Engagement Director – Education, Rebecca Kee

Rebecca Kee serves our government members as the Government Engagement Director, focusing on the integration of StateRAMP into education processes and policies. Prior to joining the StateRAMP team, Rebecca served as Chief Procurement Officer and Purchasing Agent for the City of Virginia Beach, Virginia. She has 18 years of experience in the public procurement field and has worked extensively to develop, create, and support educational programs and opportunities for the profession. Rebecca has served as Director of Procurement for the University of Arkansas at Little Rock and as the Assistant Purchasing Agent for Arlington County, Virginia. In addition, she served as an adjunct faculty at Arkansas State University. Rebecca has served in multiple NIGP roles and maintains her NIGP-CPP, CPPO and CPPB certifications. Connect with Rebecca!

Membership Development & Engagement Manager, Olivia Maple

Olivia Maple is our Membership Development & Engagement Manager who specializes in building strong relationships and curating efficient processes. Driven by creativity and communication, she takes pride in cultivating the best client experience possible. Olivia is an experienced and goal-oriented innovator with a passion for connecting with others. She graduated from Indiana University, Bloomington in 2022 with a BA in Apparel Merchandising and Marketing. When Olivia isn’t collaborating with colleagues, she can be found enjoying the outdoors with a dog by her side. Connect with Olivia!

Brand Marketing Manager, Taylor Webster

Taylor Webster serves as StateRAMP’s Brand Marketing Manager. She possesses over 5 years of experience in multiple B2B marketing disciplines, including the public and private sector. Her passion is helping businesses identify market trends and customer needs, leveraging marketing channels in an effort to foster brand loyalty and boost visibility. Taylor holds Content Creation and Salesforce certifications. She graduated from the University of Cincinnati in 2021, with a BBA in Marketing. When Taylor’s not creating, she can be found doing something active with her dog or traveling. Connect with Taylor!

StateRAMP PMO (Program Management Office)

Services Provided by Knowledge Services through PMO Charter Agreement.

Executive Advisor to StateRAMP PMO, Fred Brittain

Fred Brittain is an experienced and innovative Information Security and IT leader who served as the Chief Information Officer (CIO) for the State of Maine from 2019 to 2023. Prior to joining the state government, he spent 25 years with the University of Maine system, where he rose from leading IT for a single campus to becoming the associate CIO for the entire system. As the CIO of Maine, he was responsible for overseeing the State’s IT policies, infrastructure, cybersecurity, accessibility, and service management. He also led several initiatives to improve the state’s digital capabilities, such as increasing web traffic, enhancing online services, and bringing the State through the pandemic while still providing best in class services to the people of Maine. He was recognized as one of the Top 25 Doers, Dreamers, and Drivers by Government Technology magazine in 2023 for his achievements and vision. After leaving the state government, he joined Knowledge Services as the Vice President of Information Security in August 2023, where he continues to apply his expertise and passion for information security to improve the cyber posture of cloud service providers at the national level. Fred Brittain holds a Bachelor of Arts in Mathematics and Computer Science. He is also an avid cyclist and skier living with his family in a log cabin in rural Maine. Connect with Fred!

PMO Director, Noah Brown, CISSP-ISSMP, CEH, CCSP

Noah has 10 years of experience in the information security field, helping companies design and implement programs and initiatives that improve their cyber security posture. In his role at Knowledge Services, which has an agreement with StateRAMP to serve as the StateRAMP Program Management Office (PMO), Noah helped launch the StateRAMP PMO Review Process in 2021, designing controls, templates, and guidance.  He also serves as an advisor to the StateRAMP Standards and Technical Committee. He is passionate about helping companies achieve meaningful security for those they serve. Additionally, Noah serves in the Indiana Army National Guard as a member of the Defensive Cyber Operations Element (DCO-E) where he has helped modernize the defensive team’s functions, processes, and reporting. In this role, he has mentored team members on audit and incident response processes in real-world applications and during his past employment with the Department of Defense, he successfully conducted compliance package build and audit inspection preparations for NIST RMF, DIACAP and FISMA. Connect with Noah!

PMO Advisor, David Resler

David serves as one of StateRAMP’s PMO Directors, responsible for PMO operations and the implementation of StateRAMP Revision 5. He also serves as the Corporate Information Security Director for Knowledge Services, which provides the StateRAMP Program Management Office (PMO) staff. Prior to joining StateRAMP, David oversaw the IT Security, Data Center, and Networking groups for 14 years at Performance Assessment Network and its successor organization, PSI Services. There, David managed the NIST 800-53 compliance program and supported multiple Federal organizations including TSA, CBP, FAMS, FFDO-D, FBI, DEA, and FAA.  David holds a Bachelor of Science in Computer and Electronics Technology from Indiana State University and has over thirty years of experience in Information Technology. He is a member of the Executive Advisory Board for the Eleven Fifty Academy serving on the Cyber Security Committee. David is also one of the hosts of the monthly StateRAMP Office Hours webcast. Connect with David!

PMO Manager, Julia Miller

Julia is the StateRAMP Program Management Office (PMO) Manager. She is responsible for overseeing and managing the implementation of various StateRAMP initiatives, such as Security Package Reviews, Annual Assessments, Continuous Monitoring, and the StateRAMP Security Snapshot program. Before joining StateRAMP, Julia spent 20 years leading various projects in Information Security and IT Risk and Compliance. She gained 12 years of experience at Navient where she oversaw multiple federal contracts related to NIST SP 800-53 security compliance controls. Julia also spearheaded security projects across the entire organization, managed PCI DSS compliance, and conducted audits of third-party vendors. She holds a Risk and Information Systems Control® (CRISC®) certification. Additionally, Julia enjoys biking and traveling. Connect with Julia!

Find Us This Year

If you see a StateRAMP representative at a conference this year, please reach out! We value the feedback and input from our StateRAMP community.

• Inaugural Billington State and Local Cybersecurity Summit, March 19-20, Washington, D.C.
• State & Local CISO Symposium, September 11, Indianapolis, IN
• StateRAMP Cyber Summit with Presenting Sponsor Carahsoft, September 12, Indianapolis, IN
• Joint Provider Leadership & 3PAO Advisory Council Meeting, September 13, Indianapolis, IN

The post Meet the StateRAMP Team appeared first on StateRAMP.

Valentine’s Day, a celebration of love and affection, often involves sharing heartfelt messages, sending romantic gifts, and expressing admiration for our loved ones. In this digital age, where technology plays a significant role in our interactions, it is essential to consider cybersecurity while celebrating this special day. Just as we protect our hearts, we must also safeguard our employees’ online presence. Here are some cybersecurity tips to ensure that Cupid’s arrows don’t get intercepted by cyber threats:

1. Educate your Employee to Be Wary of Phishing Emails: 

Cybercriminals often take advantage of special occasions like Valentine’s Day to launch phishing attacks. Educate your employees to be cautious of emails claiming to offer exclusive deals, romantic e-cards, or surprise gifts. Be sure that they verify the sender’s email address and avoid clicking on suspicious links or downloading attachments from unknown sources. 

2. Ensure Strong, Unique Passwords:

Ensure that your employee’s online accounts, including social media, email, and banking accounts, are protected by strong, unique passwords. Educate them on how to avoid using common phrases or easily guessable combinations and have them consider using a reputable password manager to generate and store complex passwords securely. 

3. Require Two-Factor Authentication (2FA):

Add an extra layer of security to your accounts by requiring two-factor authentication wherever possible. This adds an additional step to the login process, such as entering a code sent to your mobile device, making it harder for unauthorized users to access your accounts even if they have your password. 

4. Prepare Yourself and Your Loved Ones:

Take the time to educate yourself and your loved ones about cybersecurity best practices. Discuss the importance of staying vigilant online, recognizing potential threats, and taking proactive steps to protect personal information. By raising awareness, you can collectively strengthen your digital defenses and enjoy a safer online experience. 

This Valentine’s Day, while you celebrate love and affection, don’t forget to prioritize cybersecurity for yourself and your organization. By following these tips, you can ensure that digital interactions remain secure, allowing you to focus on cherishing moments with your loved ones without worrying about cyber threats. Remember, a little precaution goes a long way in safeguarding Cupid’s arrows in the digital realm. 

Free Valentine’s Day Cybersecurity Cards

We want to help do our part to spread the love (and cybersecurity awareness) this Valentine’s Day with a series of infosec-inspired cards you can download below and send to your favorite cyber-sweetheart to tell them how you feel! 

Click the images below to download them for easy sharing. 

The post Safeguarding Cupid’s Arrows: Cybersecurity Tips for Valentine’s Day appeared first on StateRAMP.

In today’s growing landscape of cybersecurity and cloud services, staying ahead of the curve is not just advantageous—it’s essential. At StateRAMP we recognize the importance of continuous learning, networking, and collaboration in the pursuit of stronger cybersecurity standards and practices. We are thrilled to introduce our StateRAMP Cyber Summit with presenting sponsor Carahsoft, designed to bring organizations together and solve for what’s next.

This interactive summit features industry experts, thought leaders, government officials, and service providers allowing attendees to explore cybersecurity trends, innovations, and best practices. Through keynote presentations, panel discussions, and educational sessions, attendees will gain valuable insights, strategies, and actionable takeaways to enhance their cybersecurity posture and navigate compliance more effectively.

Our goal is to create valuable networking opportunities for attendees to connect, collaborate, and create meaningful partnerships with peers, stakeholders, and potential clients. We are committed to cultivating an ecosystem where ideas and relationships flourish, so that you walk away empowered and equipped to spark change in your own organization. The connections made can pave the way for future collaborations, business growth, and collective advancement within the cybersecurity community. Throughout the event, you’ll have opportunities to connect directly with StateRAMP staff and experts, who can help you solve problems and brainstorm innovative solutions 1:1.

Benefits of attending our summit:

• Dedicated networking, community building
• Direct collaboration with StateRAMP staff
• Diverse agenda with interactive breakouts
• Multi-market and stakeholder perspectives
• Top insights from cybersecurity experts across the industry
• 450+ attendees

Our team continues to solve for what’s next in the cybersecurity environment by offering education, policy development and a streamlined cybersecurity assessment framework to safeguard the public sector from cyber threats. It’s our duty to support service providers in reducing burdens on cybersecurity compliance and improving their overall posture. Join us at the StateRAMP Cyber Summit and unlock your cybersecurity journey’s potential.

The post StateRAMP Cyber Summit: Solving for What’s Next appeared first on StateRAMP.