StateRAMP
Cybersecurity has become a huge concern for organizations across all sectors. With cyber threats on the rise and becoming increasingly more sophisticated, the need for robust cybersecurity measures has never been more critical. As a result, organizations are requiring third-party suppliers to prioritize and verify their cybersecurity posture as they serve as the guardians of their clients’ sensitive data and systems. As the number of cybersecurity frameworks continues to grow, the challenge for businesses to navigate this complex terrain becomes ever more pronounced. In response to this growing challenge, the concept of framework harmonization emerges as a key solution for service providers seeking to enhance their security posture and operational efficiency. 

Understanding Frameworks in Cybersecurity 

Before diving into the importance of harmonization, it is essential to understand the fundamentals of cybersecurity frameworks. These frameworks are structured guidelines, best practices, and standards designed to assist organizations in managing and mitigating cybersecurity risks effectively. 

Frameworks serve as invaluable roadmaps, providing a systematic approach for organizations to identify, protect, detect, respond to, and recover from cybersecurity incidents. By offering a blueprint for implementing security controls, policies, and procedures, these frameworks ensure alignment with industry standards and regulatory requirements. 

The Challenge of Diverse Frameworks 

In the realm of cybersecurity, service providers often find themselves operating across various sectors and industries, each of which prioritizes its own set of cybersecurity frameworks. From the NIST Cybersecurity Framework and ISO/IEC 27001 to the CIS Controls and GDPR, navigating the controls and understanding the differences can be overwhelming. 

While each framework brings its strengths and focus areas, the challenge arises when service providers are required to adhere to multiple frameworks simultaneously. This diversity can lead to confusion, duplication of efforts, and inefficiencies in cybersecurity management. 

The Significance of Framework Harmonization 

These challenges for service providers are one reason framework harmonization has become increasingly significant. It involves aligning and integrating multiple cybersecurity frameworks to establish a cohesive and streamlined approach to security management. 

Benefits of Framework Harmonization for Service Providers: 

1. Streamlined Compliance Efforts: 

  • By harmonizing frameworks across industries, service providers can eliminate redundant processes and controls, streamlining operations, reducing complexity, and ultimately saving costs associated with cybersecurity management.

2. Enhanced Security Posture: 

  • A harmonized framework empowers service providers to leverage the strengths of different frameworks. This comprehensive approach results in a more robust security posture, covering a broader range of threats and vulnerabilities.  

3. Improved Operational Efficiency: 

  • Framework harmonization enables service providers to allocate resources more effectively, focusing on areas of highest risk and priority. This ensures that cybersecurity efforts align with business objectives and increases the security posture for all organizations they are working with. 

StateRAMP Leading the Way in Framework Harmonization 

As organizations across industries and service providers alike seek solutions to the challenge of diverse cybersecurity frameworks and requirements, StateRAMP is taking the first step towards a comprehensive solution. As the trusted authority in assessing and authorizing cloud service providers (CSPs) for state and local governments, StateRAMP recognizes the importance of harmonization in the cybersecurity landscape. 

StateRAMP’s Solution to Framework Harmonization: 

StateRAMP is developing a framework harmonization initiative that aims to: 

  • Align Multiple Frameworks: StateRAMP’s initiative will concentrate on harmonizing requirements in the federal, state, local and educational sectors. This will ensure that all applications share the same set of standards, reducing the cost of development and deployment. It will also make it easier for businesses to access and navigate the various markets. 
  • Provide Guidance and Resources: Governments and service providers within the StateRAMP ecosystem will gain access to guidance, tools, and resources essential for implementing a harmonized framework. This will ensure that the public and private sectors are working with the same resources and focusing on the most impactful cyber areas.  
  • Streamline Compliance Processes: The initiative aims to simplify compliance efforts for service providers, ensuring adherence to industry standards and regulatory requirements. 

StateRAMP’s framework harmonization initiative will empower service providers with a unified and efficient approach to cybersecurity. By aligning with StateRAMP’s harmonized standards based on NIST 800-53, service providers can enhance their security posture, streamline operations, and demonstrate a commitment to cybersecurity excellence across the industries they work in. 

Embracing Framework Harmonization for a Secure Future 

In the ever-evolving landscape of cybersecurity, framework harmonization emerges as an opportunity for better efficiency and effectiveness. Service providers play a crucial role in safeguarding their clients’ data and systems, and framework harmonization is a proactive step towards cyber resilience. 

As service providers navigate the complexities of cybersecurity, StateRAMP’s framework harmonization initiative offers a path towards a more unified and streamlined approach. By embracing framework harmonization, service providers can stay ahead of cyber threats, comply with regulatory requirements, and ensure the security and integrity of their operations. 

In the journey towards a more secure digital future, framework harmonization stands as a transformative solution for service providers committed to excellence in cybersecurity. 

The post Navigating the Cybersecurity Maze: The Power of Framework Harmonization appeared first on StateRAMP.

Let’s be honest – running a non-profit takes a certain amount of grit and gumption. With a small staff and tight budget, you’re probably outsourcing functions like web hosting and IT equipment maintenance to third-party service providers to save on time and labor. These vendors provide the crucial services you need, but understanding how to vet and select them in the first place can be daunting. Sometimes, it is easier to just sign up for one that looks moderately reputable so that you can get back to the core work of your organization. 

The problem with making a selection in this way is that trusting a third-party service provider to protect your data without verifying their security standards is a lot like sending your child to a daycare you have never visited. When it comes to the people we care most about, we would never consider putting them at unnecessary risk. Yet when it comes to our personal data and cybersecurity, we often skirt the needed due diligence. Unfortunately, even the cybersecurity vendor you use can introduce inadvertent cyber risk to your organization if you don’t properly vet their data protection and cybersecurity standards before handing them access to your confidential information. 

Although this security gap for third-party software in use at nonprofits has been an issue for a long time, it is a bigger problem now than it ever has been before. Through participation in the Joint Cyber Defense Collaborative’s High-Risk Communities planning effort, StateRAMP, CISA, and a host of industry and civil society partners are taking steps to address the rise in targeted cyber threats against civil society organizations for their work to advance humanitarian and democratic causes.  

Whether you represent a think-tank, NGO, or grassroots volunteer organization, your data and your ability to effectively accomplish your mission remain at risk. And as a non-profit, your organization likely does not have sufficient resources to manage every third-party vendor and software product you use. 

While the onus should be on vendors to build privacy and security into the design and manufacture of their products, the current reality is that you need to vet third-party service providers and products to avoid introducing unnecessary risk into your digital ecosystem. Below, we’ve boiled down a few easy, practical steps you can take to help your organization mitigate third-party risk. You’ll get back to your organization’s core work in no time.    

Know Who is Who and What They Do 

While it sounds elementary, knowing who has access to your systems and data and what they do for your organization is the most critical step you can take. Even if it’s just creating an inventory in a simple Excel spreadsheet, equipping your organization with answers to the following questions will significantly improve your visibility and control over who has access to your systems and data:  

  • Do you rely on any external organizations to perform specific tasks or services? (e.g. Who hosts your website? Do you use apps or services for Stakeholder Relationship Management, maintaining sensitive employee data, or managing your payroll?)   
  • Do you know how to get in touch with these service providers if something stops working correctly? 
  • Do you know what types of data your third-party providers may be storing or transmitting on your behalf?  

Next, you should assess the risks associated with the data that your third-party vendors can transmit or store. Consider the following breakdown in criticality:  

  • Low impact – Loss of the data would have limited adverse impact on your organization. 
  • Moderate impact – Loss of the data would have a serious negative impact on your organization. 
  • High impact – Loss of the data would have a catastrophic impact on your organization.

Get to Know Your Providers  

For third-party vendors that handle moderate and high-impact data for your organization, it’s crucial that you request information on their security practices. 

The saying, “A chain is only as strong as its weakest link,” is an apt descriptor for third-party cybersecurity risk. Even if your organization has a robust cybersecurity program, your data could still be compromised if your third-party vendor experiences a data breach. To mitigate that risk, here are some key questions you should ask your third-party vendors about their security practices and policies:  

  • Has your third-party service provider completed a security audit? 
  • Has your third-party service provider undergone a penetration test in the past 12 months? 
  • Does your third-party service provider… 
    • require phishing-resistant Multi-Factor Authentication for all administrative accounts or functions? 
    • routinely collect threat information and monitor their logs for suspicious cyber activity? 
    • have the capability to detect, contain and eradicate malicious software and intrusions? 
    • have an Incident Response (IR) Plan? 
  • Are your third-party provider’s products or services authorized by an independent organization like FedRAMP or StateRAMP?  
  • Do you have an agreement with your provider such that they are obligated to notify you in the event of a breach? 

While not comprehensive, these initial questions will give you a sense of whether your third-party vendors are serious about security – theirs and yours.  

Use the Resources Around You 

The challenge with evaluating current and prospective vendors using the question set above is that they may not answer truthfully, and there isn’t always an easy way to validate whether your vendor’s claims are accurate. This brings us to the next step: using the resources around you to help.  

There are a few key things you can look for that will help you in validating the trustworthiness of third parties:  

Learning about the security posture of the third-party providers you entrust with your data matters. By identifying who has access to your data and systems, and understanding more about their overall approach to security, you are taking a vital step towards protecting your organization from those threat actors who would keep you from fulfilling your organization’s mission.  

Print out this simple checklist to begin your third-party risk management journey today!

The post Low-Budget Steps Civil Society Organizations Should Take to Protect Data When Using Third-Party Service Providers appeared first on StateRAMP.

March marks National Procurement Month—a time dedicated to recognizing the pivotal role that procurement professionals play in government operations. At StateRAMP, we are proud to join in this celebration and bring awareness to the critical intersection of procurement and cybersecurity. 

The Importance of Strategic Procurement in Cybersecurity 

In today’s digital age, cybersecurity is no longer an optional layer of protection but a fundamental necessity. Government agencies and organizations must navigate a complex landscape of evolving threats, stringent compliance requirements, and a growing reliance on technology. At the heart of this challenge lies procurement—a strategic lever that can either bolster or compromise an entity’s cybersecurity posture. 

Jessica Van Eerde, StateRAMP’s Chief of Operations stated, “As a former procurement professional, I understand the incredible challenges procurement departments face in trying to balance the needs of their organization and the laws and regulations by which they are bound. This only gets more complicated in the realm of cybersecurity, where one misstep can have profound consequences, not just for the organization but for its citizens. Working together with NASPO, as well as many amazing procurement professionals working tirelessly to address this issue, has given me confidence that leveraging StateRAMP is one way to make the entire procurement process easier for everyone involved!” 

  • StateRAMP’s Commitment to Cybersecurity Excellence:
    At StateRAMP, our mission is clear: to raise the bar for cybersecurity standards across the public sector. We understand that the procurement process plays a crucial role in this mission, shaping the security landscape of government agencies nationwide. 
  • The NASPO/StateRAMP Task Force:
    In our pursuit of strengthening cybersecurity through procurement, StateRAMP has forged a strategic partnership with the National Association of State Procurement Officials (NASPO). Together, we have established the NASPO/StateRAMP Task Force—a collaborative effort aimed at developing best practice templates, resources, and standards for cybersecurity in procurement. 

Driving Innovation and Best Practices 

The NASPO/StateRAMP Task Force brings together a diverse group of procurement professionals, cybersecurity experts, government officials, and industry leaders. Through this partnership, we are driving innovation, sharing insights, and developing actionable strategies to enhance cybersecurity resilience in government procurement processes. 

Fay Tan, NASPO’s Deputy Chief Legal Officer added, “A practical understanding of cybersecurity standards and principles by today’s procurement specialists is quickly becoming a critical component of our profession’s body of knowledge. Collaborating with cybersecurity experts through efforts like the NASPO/StateRAMP task force gives procurement a voice in shaping these standards and establishing guidance for their implementation throughout state government.” 

  • Developing Best Practices Guides:
    One of the Task Force’s key initiatives is creating comprehensive best practices guides for procurement professionals. These guides cover a range of topics, from vendor assessments and contract clauses to leveraging StateRAMP certification for enhanced security.
  • Educational Webinars and Workshops:
    The Task Force regularly hosts educational webinars and workshops, providing procurement professionals with valuable insights and tools to navigate the cybersecurity landscape. These sessions delve into topics like risk management, compliance frameworks, and procurement in cybersecurity governance. 

Celebrating Procurement Excellence 

As we celebrate Procurement Month, we recognize the dedication and expertise of procurement professionals across the country. Their tireless efforts ensure transparency, fairness, and efficiency in government transactions—essential elements for a thriving democracy. 

  • Spotlight on Cybersecurity Champions:
    StateRAMP and the NASPO/StateRAMP Task Force are proud to shine a spotlight on the cybersecurity champions within the procurement community. These individuals are at the forefront of integrating cybersecurity into procurement processes, safeguarding sensitive data and critical systems.
  • Amplifying Procurement Month Awareness:
    Through our collaborative efforts, StateRAMP and the Task Force are amplifying awareness of Procurement Month. We invite procurement professionals, government officials, and cybersecurity enthusiasts to join us in recognizing the vital role of procurement in securing our digital future. 

Join Us in the Conversation 

As we navigate the ever-evolving landscape of cybersecurity threats, strategic procurement emerges as a powerful tool in our arsenal. StateRAMP and the NASPO/StateRAMP Task Force invite you to join us in this important conversation. 

This Procurement Month let’s celebrate the unsung heroes of procurement and their invaluable contributions to cybersecurity excellence. Together, we can shape a more secure and resilient future for government agencies and organizations nationwide. 

The post Celebrating Procurement Month: Elevating Cybersecurity through Strategic Partnerships appeared first on StateRAMP.

As the StateRAMP team evolves, we want to re-introduce ourselves to government principals, cybersecurity innovators, and private sector leaders. Get to know the StateRAMP team below and find a list of upcoming conferences where you can meet StateRAMP representatives in-person. View our Board of Directors and Standing Committees here.

StateRAMP Management Team

Executive Director, Leah McGrath

Serving as the Executive Director, Leah McGrath has been involved with StateRAMP since its formation. In 2020, she spent countless hours working alongside Steering Committee members to develop StateRAMP’s governance and policy framework. Prior to her work with StateRAMP, McGrath held leadership positions in both the public and private sector, including serving as the first deputy mayor of the City of Fishers, Indiana. During her tenure, Fishers transformed from a town into a smart, vibrant, entrepreneurial city and was named the #1 Best Place to Live in America in 2017 by Money magazine. As deputy mayor, she helped lead modernization efforts and spearheaded city-wide efforts to develop the city’s first long-range, comprehensive plan. McGrath’s 20-year career has been focused on working to improve government outcomes at the state and local level, helping shepherd government into the digital age securely and effectively for the citizens it serves. Connect with Leah!

Chief of Operations, Jessica Van Eerde

Jessica Van Eerde is StateRAMP’s Chief of Operations, where she passionately represents and supports StateRAMP’s mission and its members. A seasoned leader with over a decade of experience working with State and Local Governments, as well as in the realm of Higher Education, Jessica brings a wealth of knowledge to her role. Her expertise spans various domains, including law, procurement, and professional development. Notably, Jessica plays a pivotal role in the leadership of the TX-RAMP StateRAMP partnership, driving initiatives that optimize cybersecurity tools and resources for State, Local, and Education (SLED) organizations nationwide. Her dedication to advancing cybersecurity excellence is reflected in her strategic leadership and commitment to forging impactful collaborations. Connect with Jessica!

Government Engagement Director – Adoption Consultant, Stacey Carswell

As the Government Engagement Director for the northeast region at StateRAMP, Stacey helps participating governments adopt StateRAMP by providing guidance on process improvement, change management, and cybersecurity education. Stacey has over a decade of experience in government procurement and policy development. She continues to support public servants through education and policy development. Connect with Stacey!

Government Engagement Director – Strategic Relations, Chance Grubb

Chance Grubb serves as our Government Engagement Director, focusing on strategic relations. Chance possesses over 17 years of state government experience in procurement, information technology and cybersecurity. The State of Oklahoma used his expertise to establish a vendor management program, share cyber threat intelligence through the OK-ISAC, and mature a third-party security program. Connect with Chance!

Government Engagement Director – Education, Rebecca Kee

Rebecca Kee serves our government members as the Government Engagement Director, focusing on the integration of StateRAMP into education processes and policies. Prior to joining the StateRAMP team, Rebecca served as Chief Procurement Officer and Purchasing Agent for the City of Virginia Beach, Virginia. She has 18 years of experience in the public procurement field and has worked extensively to develop, create, and support educational programs and opportunities for the profession. Rebecca has served as Director of Procurement for the University of Arkansas at Little Rock and as the Assistant Purchasing Agent for Arlington County, Virginia. In addition, she served as an adjunct faculty at Arkansas State University. Rebecca has served in multiple NIGP roles and maintains her NIGP-CPP, CPPO and CPPB certifications. Connect with Rebecca!

Membership Development & Engagement Manager, Olivia Maple

Olivia Maple is our Membership Development & Engagement Manager who specializes in building strong relationships and curating efficient processes. Driven by creativity and communication, she takes pride in cultivating the best client experience possible. Olivia is an experienced and goal-oriented innovator with a passion for connecting with others. She graduated from Indiana University, Bloomington in 2022 with a BA in Apparel Merchandising and Marketing. When Olivia isn’t collaborating with colleagues, she can be found enjoying the outdoors with a dog by her side. Connect with Olivia!

Brand Marketing Manager, Taylor Webster

Taylor Webster serves as StateRAMP’s Brand Marketing Manager. She possesses over 5 years of experience in multiple B2B marketing disciplines, including the public and private sector. Her passion is helping businesses identify market trends and customer needs, leveraging marketing channels in an effort to foster brand loyalty and boost visibility. Taylor holds Content Creation and Salesforce certifications. She graduated from the University of Cincinnati in 2021, with a BBA in Marketing. When Taylor’s not creating, she can be found doing something active with her dog or traveling. Connect with Taylor!

StateRAMP PMO (Program Management Office)

Services Provided by Knowledge Services through PMO Charter Agreement.

Executive Advisor to StateRAMP PMO, Fred Brittain

Fred Brittain is an experienced and innovative Information Security and IT leader who served as the Chief Information Officer (CIO) for the State of Maine from 2019 to 2023. Prior to joining the state government, he spent 25 years with the University of Maine system, where he rose from leading IT for a single campus to becoming the associate CIO for the entire system. As the CIO of Maine, he was responsible for overseeing the State’s IT policies, infrastructure, cybersecurity, accessibility, and service management. He also led several initiatives to improve the state’s digital capabilities, such as increasing web traffic, enhancing online services, and bringing the State through the pandemic while still providing best in class services to the people of Maine. He was recognized as one of the Top 25 Doers, Dreamers, and Drivers by Government Technology magazine in 2023 for his achievements and vision. After leaving the state government, he joined Knowledge Services as the Vice President of Information Security in August 2023, where he continues to apply his expertise and passion for information security to improve the cyber posture of cloud service providers at the national level. Fred Brittain holds a Bachelor of Arts in Mathematics and Computer Science. He is also an avid cyclist and skier living with his family in a log cabin in rural Maine. Connect with Fred!

PMO Director, Noah Brown, CISSP-ISSMP, CEH, CCSP

Noah has 10 years of experience in the information security field, helping companies design and implement programs and initiatives that improve their cyber security posture. In his role at Knowledge Services, which has an agreement with StateRAMP to serve as the StateRAMP Program Management Office (PMO), Noah helped launch the StateRAMP PMO Review Process in 2021, designing controls, templates, and guidance.  He also serves as an advisor to the StateRAMP Standards and Technical Committee. He is passionate about helping companies achieve meaningful security for those they serve. Additionally, Noah serves in the Indiana Army National Guard as a member of the Defensive Cyber Operations Element (DCO-E) where he has helped modernize the defensive team’s functions, processes, and reporting. In this role, he has mentored team members on audit and incident response processes in real-world applications and during his past employment with the Department of Defense, he successfully conducted compliance package build and audit inspection preparations for NIST RMF, DIACAP and FISMA. Connect with Noah!

PMO Advisor, David Resler

David serves as one of StateRAMP’s PMO Directors, responsible for PMO operations and the implementation of StateRAMP Revision 5. He also serves as the Corporate Information Security Director for Knowledge Services, which provides the StateRAMP Program Management Office (PMO) staff. Prior to joining StateRAMP, David oversaw the IT Security, Data Center, and Networking groups for 14 years at Performance Assessment Network and its successor organization, PSI Services. There, David managed the NIST 800-53 compliance program and supported multiple Federal organizations including TSA, CBP, FAMS, FFDO-D, FBI, DEA, and FAA.  David holds a Bachelor of Science in Computer and Electronics Technology from Indiana State University and has over thirty years of experience in Information Technology. He is a member of the Executive Advisory Board for the Eleven Fifty Academy serving on the Cyber Security Committee. David is also one of the hosts of the monthly StateRAMP Office Hours webcast. Connect with David!

PMO Manager, Julia Miller

Julia is the StateRAMP Program Management Office (PMO) Manager. She is responsible for overseeing and managing the implementation of various StateRAMP initiatives, such as Security Package Reviews, Annual Assessments, Continuous Monitoring, and the StateRAMP Security Snapshot program. Before joining StateRAMP, Julia spent 20 years leading various projects in Information Security and IT Risk and Compliance. She gained 12 years of experience at Navient where she oversaw multiple federal contracts related to NIST SP 800-53 security compliance controls. Julia also spearheaded security projects across the entire organization, managed PCI DSS compliance, and conducted audits of third-party vendors. She holds a Risk and Information Systems Control® (CRISC®) certification. Additionally, Julia enjoys biking and traveling. Connect with Julia!

Find Us This Year

If you see a StateRAMP representative at a conference this year, please reach out! We value the feedback and input from our StateRAMP community.

The post Meet the StateRAMP Team appeared first on StateRAMP.

Valentine’s Day, a celebration of love and affection, often involves sharing heartfelt messages, sending romantic gifts, and expressing admiration for our loved ones. In this digital age, where technology plays a significant role in our interactions, it is essential to consider cybersecurity while celebrating this special day. Just as we protect our hearts, we must also safeguard our employees’ online presence. Here are some cybersecurity tips to ensure that Cupid’s arrows don’t get intercepted by cyber threats:

1. Educate your Employees to Be Wary of Phishing Emails: 

Cybercriminals often take advantage of special occasions like Valentine’s Day to launch phishing attacks. Educate your employees to be cautious of emails claiming to offer exclusive deals, romantic e-cards, or surprise gifts. Be sure that they verify the sender’s email address and avoid clicking on suspicious links or downloading attachments from unknown sources. 

2. Ensure Strong, Unique Passwords:

Ensure that your employees’ online accounts, including social media, email, and banking accounts, are protected by strong, unique passwords. Educate them on how to avoid using common phrases or easily guessable combinations and have them consider using a reputable password manager to generate and store complex passwords securely. 

3. Require Two-Factor Authentication (2FA):

Add an extra layer of security to your accounts by requiring two-factor authentication wherever possible. This adds an additional step to the login process, such as entering a code sent to your mobile device, making it harder for unauthorized users to access your accounts even if they have your password. 

4. Prepare Yourself and Your Loved Ones:

Take the time to educate yourself and your loved ones about cybersecurity best practices. Discuss the importance of staying vigilant online, recognizing potential threats, and taking proactive steps to protect personal information. By raising awareness, you can collectively strengthen your digital defenses and enjoy a safer online experience. 

This Valentine’s Day, while you celebrate love and affection, don’t forget to prioritize cybersecurity for yourself and your organization. By following these tips, you can ensure that digital interactions remain secure, allowing you to focus on cherishing moments with your loved ones without worrying about cyber threats. Remember, a little precaution goes a long way in safeguarding Cupid’s arrows in the digital realm. 

Free Valentine’s Day Cybersecurity Cards

We want to help do our part to spread the love (and cybersecurity awareness) this Valentine’s Day with a series of infosec-inspired cards you can download below and send to your favorite cyber-sweetheart to tell them how you feel! 

Click the images below to download them for easy sharing. 

The post Safeguarding Cupid’s Arrows: Cybersecurity Tips for Valentine’s Day appeared first on StateRAMP.

In today’s growing landscape of cybersecurity and cloud services, staying ahead of the curve is not just advantageous—it’s essential. At StateRAMP we recognize the importance of continuous learning, networking, and collaboration in the pursuit of stronger cybersecurity standards and practices. We are thrilled to introduce our StateRAMP Cyber Summit with presenting sponsor Carahsoft, designed to bring organizations together and solve for what’s next.

This interactive summit features industry experts, thought leaders, government officials, and service providers allowing attendees to explore cybersecurity trends, innovations, and best practices. Through keynote presentations, panel discussions, and educational sessions, attendees will gain valuable insights, strategies, and actionable takeaways to enhance their cybersecurity posture and navigate compliance more effectively.

Our goal is to create valuable networking opportunities for attendees to connect, collaborate, and create meaningful partnerships with peers, stakeholders, and potential clients. We are committed to cultivating an ecosystem where ideas and relationships flourish, so that you walk away empowered and equipped to spark change in your own organization. The connections made can pave the way for future collaborations, business growth, and collective advancement within the cybersecurity community. Throughout the event, you’ll have opportunities to connect directly with StateRAMP staff and experts, who can help you solve problems and brainstorm innovative solutions 1:1.

Benefits of attending our summit:

  • Dedicated networking, community building
  • Direct collaboration with StateRAMP staff
  • Diverse agenda with interactive breakouts
  • Multi-market and stakeholder perspectives
  • Top insights from cybersecurity experts across the industry
  • 450+ attendees

Our team continues to solve for what’s next in the cybersecurity environment by offering education, policy development and a streamlined cybersecurity assessment framework to safeguard the public sector from cyber threats. It’s our duty to support service providers in reducing burdens on cybersecurity compliance and improving their overall posture. Join us at the StateRAMP Cyber Summit and unlock your cybersecurity journey’s potential.

The post StateRAMP Cyber Summit: Solving for What’s Next appeared first on StateRAMP.

During a recent interview with Nikki Rosecrans, Manager of Information Security and Compliance for Arapahoe County, Colorado, our team gained insight into local governments’ perceptions of StateRAMP. Arapahoe County became the first county in Colorado to partner with StateRAMP. In this interview, Nikki shared some insights into the benefits Arapahoe County has reaped from this partnership.

What compelled Arapahoe County to partner with StateRAMP?

“Choosing to partner with StateRAMP was undoubtedly influenced by the professionals who work there. They have a team dedicated to assessing third-party cloud service providers for risk, security, compliance, and authorization management. I found them to be friendly, easy to work with, quick to respond to questions, and extremely knowledgeable.”

In implementing StateRAMP, where did you see the most benefit?

“In early 2023, Philip Savino, our CIO (Chief Information Officer), communicated the need to assess third-party Software-as-a-Service (SaaS) providers who transmit, process, and store essential or critical data (such as PCI, PII, PHI, and CJIS). As a solution, the leadership team and I developed a tool called STAR (SaaS Technical Assessment Review). In collaboration with other county partners, the STAR combines controls from the NIST 800-53 and SIG Lite Questionnaire. To ensure Arapahoe County’s compliance and security requirements were met, we developed a process to help our business analysts determine if a service provider requires a security assessment and how each department can request one.

I was informed in August by Chance Grubb, StateRAMP’s Government Engagement Director, that Colorado had become the 17th state to adopt StateRAMP into their technology procurement policies and processes. He and his team did a fantastic job describing the value and approach StateRAMP provides to its member organizations when it comes to Risk and Authorization Management, which immediately caught my attention. As a one-person operation, I usually spend four to ten hours assessing one SaaS provider. StateRAMP immediately appealed to me because of their standardized approach to assessing, authorizing, and monitoring cloud services and products used by state and local governments.

StateRAMP provides enhanced security, cost efficiency for vendors, and streamlines government procurement processes. It also ensures our citizens and county get reliable, uninterrupted services. Safeguarding sensitive information within our community is essential for protecting individuals’ rights and fostering trust within the community.”

Prior to StateRAMP, what challenges did you face?   

“As we are just beginning our StateRAMP process, I cannot compare much, however, I predict one challenge that will be solved through StateRAMP is the addition of dedicated PMOs (Program Management Office) and 3PAOs (third-party assessment organizations) to assess third-party vendors, rather than it being just me. Having a team of professionals solely dedicated to facilitating security and compliance audits is a huge advantage for Arapahoe County!” 

In what ways is StateRAMP cost-effective compared to having an in-house security team constantly monitoring cyber threats? 

“In the ever-evolving landscape of cyber threats, information security personnel face an unrelenting demand to stay one step ahead of these pervasive risks. The digital realm is a battleground where threats mutate and evolve rapidly, requiring security professionals to possess deep expertise and an adaptive mindset. Our roles extend beyond fortifying defenses and should encompass innovation, vigilance, and continuous learning. We must anticipate and analyze emerging risks and foster a culture of resilience within our organizations. It is a continuous effort to safeguard sensitive data, protect our infrastructure, and uphold the integrity of digital systems in an increasingly interconnected world.

StateRAMP takes charge of assessing our third-party service providers for security and compliance. Adhering to regulatory requirements allows our Information Security and Compliance team to focus on other cybersecurity and information security projects such as compliance audits, restructuring our digital environment to be more accessible and inclusive to those with accessibility needs, vulnerability management, risk mitigation, incident response, and policies and procedures to safeguard our critical and essential data.” 

What will change in your day-to-day position after StateRAMP’s adoption?   

“With StateRAMP in place, I will be able to perform security assessments more rapidly, and the county will get the assurance that it is protecting the residents’ information and data. In order to ensure a consistent risk assessment and management approach across the agency, security practices are aligned with StateRAMP’s standardized framework. Furthermore, StateRAMP will allow our agency to establish solid relationships with vendors who comply with StateRAMP, resulting in more collaborative and secure partnerships.”

What has been the most unexpected benefit or surprise you have received from StateRAMP?

“A true partnership. I have been impressed by the extended helping hands I have received from StateRAMP thus far. Any questions I have related to security, vendor, or risk have been answered. And whenever StateRAMP doesn’t have an answer, they conduct research to find one. It truly feels like StateRAMP is a part of our organization, and not a separate membership organization.” 

How do you and your team keep up with the rapidly changing landscape of cybersecurity? 

“Continuous learning, networking, and staying up to date with emerging trends, technology, and threats are essential. I am very fortunate to work for the county that I do. We have one full-time employee dedicated to cybersecurity, but with StateRAMP I have a team of 75 professionals dedicated to ensuring the security and privacy of our systems, servers, applications, and customers.

For my part, I engage with peers, belong to professional associations, and participate in online forums and committees to share knowledge and experiences. My multifaceted approach to cybersecurity training and education, networking, practical experience, and continuous learning keeps me abreast of the dynamic landscape.”

The post StateRAMP Improves Arapahoe County’s Security and Compliance appeared first on StateRAMP.

Without the unique insights and backgrounds that small business leaders bring to the table, no State, Local, and Educational (SLED) organization can truly thrive. Navigating the complexities of cybersecurity, while also competing with larger companies, can be daunting, to say the least. StateRAMP recognizes the challenges small businesses face in maintaining a comprehensive cybersecurity plan and stands as an ally, offering a pathway for leaders to strengthen their cybersecurity posture. Whether a business is traditionally underutilized, minority-owned, woman-owned, or veteran-owned, StateRAMP stands ready to provide assistance and support on your path to improving your organization’s cyber posture.

How StateRAMP’s Security Snapshot Can Aid Small Businesses

StateRAMP’s Security Snapshot levels the playing field for small businesses by providing standardized metrics. This enables SLED organizations to judge your business using the same metric as they do with larger organizations, fostering a fair evaluation.

The Security Snapshot is a gateway for small businesses to obtain an initial security maturity assessment for their cloud products. Designed to provide a comprehensive security program maturity assessment, this tool validates your product’s existing maturity against the Minimum Mandatory Requirements essential for achieving StateRAMP Ready Status. Whether you choose a Single Security Snapshot or join the Progressing Security Snapshot Program, valuable insight and consultation will be provided, enabling your business to submit a competitive proposal to SLED organizations.

This tool supports service providers at the beginning of their cybersecurity journey and delivers crucial insights to SLED organizations as it helps them gauge the risk maturity of the cloud products they are considering.

Opting for the Progressing Snapshot Program is a strategic move for small businesses looking to grow their cyber posture. Built on trust-but-verify principles, this program employs a consultative approach to elevate your business’s cyber maturity. The Progressing Snapshot Program facilitates essential information sharing, which is vital for effective risk management in public sector organizations. With quarterly assessments and monthly consultative calls with the StateRAMP PMO Security Team, your business gains valuable insight into meeting NIST 800-53 Rev 5 standards. This guidance not only addresses gaps but prioritizes actions for enhanced security outcomes, putting your small business on the path to a well-rounded cybersecurity posture.

Pricing 

StateRAMP’s tiered pricing structure is designed to accommodate all businesses, ensuring that small businesses have affordable entry points tailored to their specific financial capacities.

The Security Snapshot Program is particularly designed to align with the annual revenue of each company. This means that the financial commitment is proportionate to the size and scale of the organization, ensuring that small businesses do not face undue financial burdens in their pursuit of better cyber posture. The tiered payment model reflects a commitment to bettering cybersecurity for all, reinforcing StateRAMP’s dedication to making its valuable services accessible and beneficial to the diverse landscape of small businesses. 

[Image: Security Snapshot pricing]

Where You Can Start

StateRAMP plays a pivotal role in accelerating innovation within governments by establishing a standardized process for verifying cloud security. To start, small businesses can join StateRAMP as members, gaining recognition as partners in this mission. Membership perks include participation in the Provider Leadership Council, input on policies, and access to valuable StateRAMP programs.

While there are costs associated with improving your cybersecurity posture, neglecting cybersecurity poses greater risks and even greater costs, making the investment crucial for protection against potential threats and data breaches. StateRAMP presents a strategic pathway, ensuring that cybersecurity is accessible to businesses of all sizes. By exploring StateRAMP and utilizing its resources, organizations can fortify themselves against potential threats, building trust with SLED organizations.

The post StateRAMP’s Role in Small Business Cybersecurity appeared first on StateRAMP.

As businesses evolve in the digital landscape, so do the threats they face. Investing in cybersecurity is critical, especially when doing business with State and Local Government or Educational organizations (SLED), making the importance of cybersecurity immeasurable.

One avenue to achieve your cybersecurity goals is to leverage StateRAMP, a program designed to elevate the security posture of organizations, both large and small. This blog post will explore the imperative need to invest in cybersecurity, address common concerns about the associated costs, and highlight why StateRAMP is a strategic move.

Cybersecurity: A Non-Negotiable Investment

In today’s interconnected world, the cost of not prioritizing cybersecurity is far more significant than the investment required. Data breaches, cyberattacks, and the subsequent damage to reputation can be catastrophic for any business. If cybersecurity is not in your budget today, it needs to be.

Overcome The Cost Barrier 

A common concern often raised is the perceived high cost associated with cybersecurity audits and compliance. However, consider the cost of not investing in cybersecurity. IBM’s study on the cost of a data breach, which found that cost had reached an all-time high of 4.45 million USD, emphasizes the financial repercussions of inadequate security measures. It’s essential to shift the perspective from seeing it as an expense to viewing it as an investment in security, not just for your organization but for the wider community.

The Cost Comparison of StateRAMP vs. FedRAMP 

Some may fear that the costs of complying with StateRAMP mirror those of FedRAMP. However, there are notable differences, such as the approach to FIPS requirements. StateRAMP’s flexible approach allows companies to meet best practices without exorbitant costs. Additionally, if your organization has already completed a 3PAO audit for FedRAMP, this can be leveraged through the StateRAMP Fast Track process. 

Breaking Down StateRAMP Costs

StateRAMP offers a phased approach to cybersecurity, starting with the Progressing Security Snapshot program. This program is designed to evaluate your organization’s adherence to minimum NIST controls, addressing fundamental questions such as boundary definition, MFA implementation, and employee training. For organizations that are early in their cybersecurity journey, this program offers many services at a highly competitive rate and is strongly favored by the government. The Progressing Security Snapshot is the preferred program for small businesses, as it is acknowledged for its effectiveness and affordability.

StateRAMP Ready/Authorized are two different statuses organizations can obtain at different stages in the StateRAMP verification process. StateRAMP Ready status is for organizations that need to undergo additional security and system validation. As for Authorized, this status is for organizations that have completed all security and system validation. These statuses demonstrate a commitment to robust cybersecurity practices.

Progressing Security Snapshot Program Costs:

  • Annual StateRAMP Membership Fee: $500
  • Monthly advisory calls and quarterly Snapshot scores: At most $1,000 a month.
  • Compare with SOC 2 Type 2: An average cost of $60,000.

Ready or Authorized Costs:

  • Annual StateRAMP Membership Fee: $500
  • Audit by an independent 3PAO (cost varies with system complexity, impact level, and choice of 3PAO): costs start at $70,000

Market Growth for Cost Reduction:

  • Reduced fees for Ready or Authorized Review by StateRAMP PMO for smaller businesses to ensure accessibility.
  • StateRAMP is actively working to expand the market, aiming to reduce costs further.
  • It is recommended to obtain multiple quotes from the 39 registered 3PAOs.

The Path Forward

It is imperative to invest in cybersecurity, especially when engaging with SLED organizations. While there are costs involved, the consequences of neglecting cybersecurity far outweigh the investment required to protect against potential threats and data breaches. StateRAMP offers a strategic pathway, making security accessible to businesses of all sizes. Exploring StateRAMP and leveraging its resources helps organizations safeguard their assets against potential threats and foster trust among government and educational institutions. It’s time for organizations to embrace the evolving digital landscape and make cybersecurity a top priority.

The post StateRAMP and the Cost of Cybersecurity Ignorance appeared first on StateRAMP.

Maintaining a secure digital environment is crucial. As organizations increasingly rely on technology, the human element becomes a factor in maintaining a secure cyberspace. A simple mistake by an uninformed employee may lead to a breach of confidential information. The human element of cybersecurity is important to monitor, as careless and unintentional mistakes can negatively impact your organization. When employees are educated on cybersecurity, they can properly recognize and ignore cyber threats, such as phishing emails. These human factors can be managed by adopting preventive strategies to protect your organization from further cyber threats.

Phishing Simulations 

Phishing simulations are a key tool to identify vulnerabilities. This strategy includes IT teams conducting simulated phishing emails to observe and analyze employee responses, visualizing potential weak spots. This proactive approach allows organizations to educate employees on cyber threats and test their responses regarding phishing emails. This strategy builds confidence among employees in identifying and reporting cyber threats.

Password Management

Effective password management is a key strategy when limiting the human impact on cybersecurity. There are many ways to include the following best practices within your organization. 

  • Zero Trust Architecture ensures that users and systems undergo verification and authentication, regardless of location.
  • Single Sign-On (SSO) solutions streamline access while maintaining security measures.
  • Multi-Factor Authentication (MFA) adds an extra layer of defense, combining passwords with a second factor, such as a smartphone, an authenticator app, or a fingerprint.
  • Periodic audits detect password policy compliance issues, including password reuse and whether employees are changing their passwords on a frequent basis.
  • Account lockout policies temporarily lock accounts after many failed login attempts.
  • Password expiry requires employees to change their passwords after a certain period of time.
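As an added example, not code from StateRAMP or from the original post, the following Python sketch implements three of the controls listed above: an account lockout counter with a time window, a password-history check that rejects reuse of recent passwords, and a periodic audit that flags passwords older than an expiry period. Every threshold, account name and password in it is a constructed assumption chosen for the demonstration, not a StateRAMP requirement.

```python
"""Account lockout, password-reuse and password-expiry checks.

Added example (not StateRAMP code). All account data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

# Policy parameters: assumed values, tune them to your own written policy.
LOCKOUT_THRESHOLD = 5                      # failed logins before the account locks
LOCKOUT_WINDOW = timedelta(minutes=15)     # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=30)   # how long a lock lasts
PASSWORD_MAX_AGE = timedelta(days=90)      # age at which the audit flags a password
HISTORY_DEPTH = 5                          # previous passwords that may not be reused


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


@dataclass
class Account:
    username: str
    last_changed: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    failures: List[datetime] = field(default_factory=list)             # recent failed logins
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def matches(self, password: str, entry: Tuple[bytes, bytes]) -> bool:
        """Constant-time comparison of a candidate against a stored (salt, digest)."""
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def set_password(self, password: str, now: datetime) -> bool:
        """Rotate the password; refuse any of the last HISTORY_DEPTH passwords."""
        if any(self.matches(password, old) for old in self.history[-HISTORY_DEPTH:]):
            return False
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.last_changed = now
        return True

    def password_expired(self, now: datetime) -> bool:
        return now - self.last_changed > PASSWORD_MAX_AGE


def authenticate(account: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'ok' or 'failed', applying the lockout policy."""
    if account.is_locked(now):
        return "locked"  # the password is not even checked while the lock holds
    if account.history and account.matches(password, account.history[-1]):
        account.failures.clear()
        return "ok"
    # Keep only failures inside the window, then lock once the threshold is hit.
    account.failures = [t for t in account.failures if now - t <= LOCKOUT_WINDOW]
    account.failures.append(now)
    if len(account.failures) >= LOCKOUT_THRESHOLD:
        account.locked_until = now + LOCKOUT_DURATION
        account.failures.clear()
    return "failed"


def audit_expired(accounts: List[Account], now: datetime) -> List[str]:
    """Periodic audit: usernames whose password is older than PASSWORD_MAX_AGE."""
    return sorted(a.username for a in accounts if a.password_expired(now))


def demo() -> dict:
    """Exercise the three controls on two constructed accounts; return the outcomes."""
    t0 = datetime(2024, 1, 15, 9, 0)
    alice = Account("alice", last_changed=t0)
    alice.set_password("Winter!2024-long", t0)
    bob = Account("bob", last_changed=t0 - timedelta(days=120))
    bob.set_password("Autumn!2023-long", t0 - timedelta(days=120))
    day1 = t0 + timedelta(days=1)

    results = {}
    results["reuse_rejected"] = alice.set_password("Winter!2024-long", t0) is False
    results["rotation_ok"] = alice.set_password("Spring!2024-long", day1)
    # Five bad guesses inside the window lock the account ...
    guesses = [authenticate(alice, "wrong-guess", day1 + timedelta(seconds=i)) for i in range(5)]
    results["locked_after_threshold"] = guesses == ["failed"] * 5 and alice.is_locked(day1 + timedelta(seconds=5))
    # ... so even the right password is refused until the lock expires.
    results["correct_password_while_locked"] = authenticate(alice, "Spring!2024-long", day1 + timedelta(minutes=5))
    results["after_lock_expires"] = authenticate(alice, "Spring!2024-long", day1 + timedelta(minutes=31))
    results["expired_accounts"] = audit_expired([alice, bob], day1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lockout counter deliberately stops checking the password while the lock holds, so a correct guess during the lock window neither succeeds nor resets the counter; the reuse check compares against salted PBKDF2 digests rather than storing old passwords, and the audit is a pure read over account metadata that can run on any schedule.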

Create a Culture of Accountability

While phishing simulations and the adoption of password management best practices are undeniably crucial, building a culture that motivates employees to invest their time in acquiring more knowledge and holding each other accountable is key for lasting change. It’s more than just checking off security training boxes; it’s about creating a mindset that views cybersecurity as a collective responsibility of a team. This strategy involves not just attending security training sessions but holding employees accountable for actively engaging and applying the knowledge gained. Transparency becomes an expectation in this culture, as open conversations about the importance of security create a shared understanding of the collective role in keeping your organization safe. By expecting this out of your team in daily operations, it creates resilience against cyber threats, ensuring that the human element is a proactive force, rather than a destructive force against potential cyber threats.

Prioritize Addressing the Human Element

Acknowledging the impact of the human element in cybersecurity is crucial for securing your organization. Failure to address this aspect may result in financial loss, damage to reputation, or irreversible harm. To defend against these risks, implement proactive strategies like phishing simulations and effective password management, and create a culture of cyber accountability. These measures build resilience, as they empower your organization to stand against cyber threats.


The post The Human Element of Cybersecurity appeared first on StateRAMP.

On November 14, Leah McGrath, Executive Director of StateRAMP, presented the 2023 Staff Report to the Steering Committee. As we wrap up 2023, these Top 10 Updates serve as a reflection on the year and a glimpse into the future. Join us as we dive into the Top 10 StateRAMP updates going into the new year.

StateRAMP’s Top 10 Updates of 2023:

1. Office of the National Cybersecurity Director’s (ONCD) Request for Information on Opportunities for and Obstacles to Harmonizing Cybersecurity Regulations

The StateRAMP Staff collaborated with the StateRAMP Board to submit a response to the ONCD’s Request for Information (RFI) in October 2023.

2. Security Program Rev 5 Updates

StateRAMP prioritized updating our security framework from NIST 800-53 Rev. 4 to Rev. 5. This update aligns the framework closely with FedRAMP’s low and moderate impact baselines. The Rev. 5 policies and procedures will be updated on the StateRAMP website by early January. StateRAMP Ready, Authorized, and Provisional will all be required to meet Rev. 5 requirements by October 1, 2024.

3. StateRAMP Security Snapshot Criteria and Scoring Update

Launched in January 2023, the StateRAMP Security Snapshot and Progressing Snapshot Program have become highly successful. In October 2023, the StateRAMP Standards and Technical Committee updated the criteria and scoring to align with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework. The new criteria prioritize the highest-scoring MITRE ATT&CK threat controls, emphasizing best practices for improved security defense. The updated Security Snapshot criteria will be effective January 1, 2024.  

4. NASPO – StateRAMP Joint Procurement Task Force

StateRAMP and strategic partner NASPO have formed a joint Task Force to enhance best practice templates and solicitation/contract language. The Task Force plans to meet from October 2023 to March 2024 and will provide recommendations and findings to the Board and Steering Committee.

5. CJIS Task Force Set to Begin in 2024

The Standards and Technical leadership, in collaboration with FBI CJIS leadership, is initiating a StateRAMP CJIS Task Force. The objective is to unite State and Local Government stakeholders with FBI CJIS guidance to develop a StateRAMP overlay aligned with CJIS requirements. Even though no CJIS certification exists, the CJIS-focused overlay aims to showcase a product’s potential for compliance. Obtaining StateRAMP Authorization with this overlay would be directional, and any CJIS compliance would still be determined by the appropriate agency personnel. The FBI CJIS team will serve as advisors, and outreach will begin this quarter, with the Task Force starting in Q1 of 2024.

6. TX-RAMP Partnership

TX-RAMP now recognizes StateRAMP Progressing Snapshot and StateRAMP Ready status for Provisional Status with no expiration, a change from the usual 18-month limit. StateRAMP Authorized qualifies for full TX-RAMP compliance. Discussions with DIR are ongoing to update the TX-RAMP Program Manual for pathways to full TX-RAMP compliance through StateRAMP Ready and StateRAMP Provisional. 

7. CISA Participation

StateRAMP is actively engaged in CISA’s Joint Cyber Defense Collaborative, contributing to the High-Risk Communities Protection Planning. We’ve collaborated with CISA to coauthor a blog on third-party risk management; watch for its publication on the CISA site. Additionally, discussions are under way for StateRAMP to potentially join the CISA Supply Chain Task Force.

8. 2024 Events and Collaboration

StateRAMP’s 2024 events will kick off with the inaugural StateRAMP Cyber Summit in Indianapolis on September 12th. Additionally, there are plans for a Provider Leadership Council and Leadership Retreat on September 11th and 13th. StateRAMP is also collaborating with Government Technology for strategic partnerships, involving panel discussions at GovTech’s Public Sector Cybersecurity Summits and State Digital Government Summits.  

9. 2024 Membership Updates

The Board elected to move to Tiered Memberships for Providers, Consultants, and 3PAOs in 2024. This update will provide members with options for different levels of engagement with StateRAMP that will help support the organization long-term. Additionally, all members will move to the same annual renewal date of June 1. View a summary of the 2024 Membership Update (pdf).

10. ABA Model Procurement Code

StateRAMP presented at the GW Law Summer Series 2023 during the July webinar on Reforming the ABA Model Procurement Code (MPC). Our presentation highlighted StateRAMP’s role, its alignment with emerging state and local cybersecurity strategies, and our vision for key MPC areas. As a result, we were invited to speak in a law school class on a related topic and connected with key players in the MPC reform process. 

Reflecting on a Year of Achievements as We Head into 2024

StateRAMP has demonstrated a commitment to adaptation, collaboration, and education.

The non-profit prioritizes adapting to regulatory security changes, engaging successfully in partnerships, and organizing events that emphasize education. As we gain momentum heading into 2024, these principles show StateRAMP’s dedication to continue shaping the future of cybersecurity.

The post StateRAMP 2023: Top 10 Updates appeared first on StateRAMP.

During an era defined by extensive technological advancements, the public sector faces a rapid evolution of cybersecurity challenges. Government agencies at all levels handle sensitive data, which makes them prime targets for cyberattacks. To adapt to cyber threats, government agencies must continually update their defense strategies, and understand the key components driving the evolution.

The Growing Threats to the Public Sector

One of the most significant challenges to the public sector is the growing number of daily threats they face. Cybercriminals have increased their abilities and are constantly searching for vulnerabilities. 

Since public sector organizations are targets of cybercriminals, it is crucial for organizations to consider ways to prevent cyber-attacks. Data from The State of Security 2023 provides 8 recommendations for making the best plan to build a cybersecurity-resilient organization. While cybersecurity continues to evolve in the public sector, it is important to:

  • Use data and analytics to optimize threat detection and response.
  • Plan for resilience.
  • Invest in resilience.
  • Embrace functional convergence.
  • Focus on the foundational.
  • Treat cloud security as key.
  • Invest against ransomware risk.
  • Take a proactive stance against supply chain threats.

Collaboration and Information Sharing

Collaboration among public sector agencies and information sharing are vital components of cybersecurity efforts. By exchanging information within a community, different organizations can come together to make well-informed decisions based on the other organization’s experiences, knowledge, and resilience capabilities. NIST encourages the sharing of cyber threat information because it is an effective way of defeating cybercriminals. To tackle the evolving landscape, NIST provides a list of recommendations when it comes to information sharing amongst organizations.  

  • Identify internal sources of cyber threat information. 
  • Specify the scope of information-sharing activities.  
  • Establish information-sharing rules. 
  • Join and participate in information-sharing efforts. 
  • Actively seek to improve indicators by providing additional context or improvements. 
  • Use secure workflows to publish and act upon cyber threat information. 
  • Proactively establish cyber threat sharing agreements. 
  • Protect the security of sensitive information.  
  • Provide ongoing support for information-sharing activities. 

Legislative and Regulatory Changes

Governments are responding to the cybersecurity challenge by enacting new legislation and regulations. These measures often require public sector agencies to adhere to specific cybersecurity standards and reporting requirements. Compliance with these regulations helps ensure a baseline level of security and transparency in the public sector. Three areas of regulatory enforcement are risk management, governance, and data collection.

Risk Management and Governance

To strengthen data risk management, it is expected that organizations build a preparation framework in the case of a data breach. This framework includes compliance with incident response and reporting requirements, threat and vulnerability management, and identity and access management. 

Data Collection

Companies collect, share, and use data every day, and a mistake in how that data is handled opens the door to cybercriminals. Regulations set out how organizations should collect and use data to protect themselves from such mistakes. These regulations include the implementation of collection-limitation and data-minimization policies, controls, and monitoring of third-party access.

Keep up With the Cybersecurity Trends to Protect Your Organization

As the public sector handles the evolving landscape of cybersecurity, staying ahead of the curve is crucial to protect government agencies and the sensitive data that they handle. Cybercriminals are becoming more sophisticated, organized, and relentless in their motives to find vulnerabilities within public sector organizations. To safeguard against these threats, it is essential for government agencies to keep up with these trends and prepare strategies in the case of a data breach.

The post The Evolving Landscape of Cybersecurity in the Public Sector appeared first on StateRAMP.

To address recent confusion surrounding the StateRAMP Ready and Authorization review and continuous monitoring processes, we’d like to provide a clear and comprehensive explanation of what is shared and how these processes unfold. StateRAMP has been designed to bring clarity and efficiency to cloud security assessment and compliance, and understanding how it works is essential for both government entities and cloud service providers.

Review Process Overview

During the StateRAMP review process, documents such as the System Security Plan (see full list of documentation here) are required from the cloud service provider. These documents are then uploaded into a FedRAMP-moderate portal, where access is restricted to the StateRAMP Program Management Office (PMO). This controlled environment ensures the confidentiality and security of the documentation.

Government Access

Government entities have the option to request access to these documents. To do so, they must submit a request through a designated form. While the PMO will handle sharing the requests for access, all decision-making power as to whether to approve or deny the request lies with the service provider. Upon approval, government entities are granted viewer access only. If the government entities do not access the portal within a year, they will be automatically removed. To maintain a streamlined and up-to-date process, it is the responsibility of government entities to promptly inform the StateRAMP staff if any individuals need to be removed from the access list. Providers also have the option to share only the executive summary with government entities.

Continuous Monitoring Process

The continuous monitoring process mirrors the review process. Providers are required to upload continuous monitoring scan results, inventory documentation, and Plan of Action and Milestones (POAM) documents, from which the StateRAMP PMO prepares an executive summary. Government entities that have been granted access can review either the entire documentation package or only the executive summary, depending on their needs. What a government entity can see is determined by what was originally requested and approved through the request process. If a security event occurs, governments that have been granted access receive proactive notification, as outlined in our Continuous Monitoring Escalation Guide.

Sponsorship

For products under review for Authorization status, either a government sponsor or a review by the StateRAMP Approvals Committee is required. In both cases, the StateRAMP PMO validates and verifies that the security package meets the StateRAMP requirements for Authorization. The government sponsor or Approvals Committee is then provisioned access to review the PMO's Executive Summary and its recommendation for the status award. Authorizing officials, in either case, receive access to the entire documentation package and continuous monitoring information, but only for the duration of their determination. Once a decision has been made, the PMO moves the documents out of the shared folder and into the archives, marking the completion of the sponsor's review.

The same guidance applies to products going through the Fast Track Process, except that those providers submit their templates in FedRAMP formatting. The process is intended to make cloud procurement and compliance more efficient and transparent by giving government entities and cloud service providers clear guidelines and a standardized framework for evaluating cloud security. By defining who can see what, and which documents are required, StateRAMP aims to simplify cloud security assessments and support secure cloud adoption.

The post Clarifying StateRAMP Review and Continuous Monitoring Processes appeared first on StateRAMP.

As government agencies increasingly store and process sensitive data in the cloud, they carry a strong responsibility to protect that data, which can include personal information, financial data, and intellectual property. Public-facing applications, including cloud-hosted ones, were also recently listed as the number one attack vector for malicious actors. Because these applications deliver services to the public, an interruption does not just put data at risk; it can severely disrupt the services people depend on. It is therefore critical for government agencies to ensure the security of their cloud data and systems.

One of the best ways to do this is to require cloud vendors to engage with StateRAMP and obtain a StateRAMP security status. The controls outlined in NIST SP 800-53 Revision 4, on which StateRAMP's requirements are based, address the major categories of known security risk for information systems and cloud systems. With StateRAMP, governments can be confident that their third-party cloud service providers meet and continue to maintain the government's published cybersecurity policies. Beyond assurance that data is stored and processed in a secure environment, StateRAMP provides a standardized approach to assessing and verifying the security of cloud vendors. Our team can help you get started by incorporating standard StateRAMP language into your procurements and contracts.

There are many benefits to StateRAMP authorization, including:

Improved security

StateRAMP helps organizations identify and mitigate security risks by building upon the foundational principles of confidentiality, integrity, and availability, also known as the CIA triad, a model designed to guide policies for information security within an organization. This helps to protect sensitive data and systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Reduced Compliance Burden

StateRAMP can help organizations reduce the time and resources they spend on compliance with federal and state privacy and security laws.

Increased Efficiency

StateRAMP can help organizations streamline their security operations and improve their overall security posture.

Enhanced Visibility

StateRAMP provides organizations with a comprehensive view of the security posture of their vendors. By leveraging StateRAMP’s authorization process, organizations are better able to make informed decisions on managing risk and improving their security overall.

Build Trust With the Public

StateRAMP demonstrates to the public that the organization is committed to protecting sensitive data. This can help to build trust and confidence in the organization.

Improved Procurement Process

StateRAMP can help organizations to streamline their procurement processes. Agencies avoid the need to conduct their own security assessments, saving them time and money, while ensuring that assessments are conducted consistently and accurately, affording more objectivity to the procurement process.

StateRAMP authorization is a valuable tool for government agencies that are looking to secure their cloud data and systems. By requiring cloud vendors to be StateRAMP authorized, agencies can be confident that their data is being stored and processed in a secure environment. This can help to protect the privacy of citizens, the integrity of government operations, and the financial security of the government. If you are interested in learning more about StateRAMP, please reach out to get@stateramp.org.

The post The Importance of StateRAMP Authorization for Government Agencies appeared first on StateRAMP.

Securing cloud services and protecting consumer data is extremely important in today’s technology landscape. As more businesses rely on cloud infrastructure, it becomes increasingly important for providers to avoid common security compliance mistakes that could lead to financial losses, jeopardize customer trust, and compromise sensitive information. In this blog post, we will explore some of the most common cloud security compliance mistakes made by providers and provide insights on how to avoid them.

Lacking a Clear Understanding of Compliance Requirements

A common mistake made by service providers is a lack of clear understanding of compliance requirements. Each industry and jurisdiction may have its own standards, such as HIPAA for organizations handling protected health information or SOC 2 for service organizations that process customer data. Non-compliance can result in legal consequences, reputational damage, and loss of customer trust.

To avoid this mistake, service providers should have their security teams thoroughly review applicable compliance frameworks, monitor changes in regulations and ensure adherence to all necessary compliance requirements.

Inadequate Incident Response

Another critical mistake is having an inadequate incident response plan. Service providers must understand potential breach sources, monitor systems to detect breaches promptly, and have effective measures in place to respond to breaches.

To begin, service providers should familiarize themselves with the NIST 800-53 Rev. 5 Incident Response (IR) control family. These controls emphasize detection, reporting, response, and continuity of operations. Layering additional security technologies such as firewalls, anti-malware, and intrusion prevention systems provides defense in depth against data breaches, but the plan itself, with defined roles, contacts, and escalation steps, is what turns those tools into a timely response.

Neglecting Regular Security Assessments and Audits

Neglecting regular security assessments and audits is another significant pitfall. Cloud security regulations evolve over time, and failure to adapt controls may lead to non-compliance. Continuously monitoring and assessing your security system helps identify weaknesses and potential risks.

Lack of Employee Awareness and Training

Lack of employee awareness and training is an avoidable mistake. All employees should understand the consequences and causes of data breaches and be trained to recognize and report threats such as phishing e-mails, unauthorized access, and insider threats. Educating employees on cloud security best practices, including access controls, is essential to mitigating the risk of data breaches.

Insufficient Transparency and Communication

Finally, another significant mistake made by cloud service providers is a lack of transparency and effective communication with customers regarding security and compliance measures. Failure to provide clear information about security controls, data handling practices, and compliance certifications can lead to customer uncertainty and mistrust.

Providers should prioritize transparency by clearly documenting and sharing information about their security practices and compliance certifications to avoid this mistake. Develop comprehensive documentation, including security policies, incident response plans, and compliance reports. Regularly communicate with customers about security updates, vulnerabilities, and ongoing compliance efforts to foster trust and confidence.

How StateRAMP Can Help

StateRAMP is dedicated to promoting cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. Through StateRAMP, CSPs learn how to better secure their systems and protect the data entrusted to them by their clients. With services like continuous monitoring and the Security Snapshot, a CSP and the governments it serves can have confidence in the system's security posture.

The post Cloud Security Compliance Mistakes and How to Avoid Them appeared first on StateRAMP.

Cloud computing has become a critical part of government IT infrastructure. In fact, a recent survey found that 95% of state and local governments use cloud services in some capacity. The move to the cloud offers governments many benefits, including cost savings, increased agility, and improved security. However, cloud procurement can be a complex and time-consuming process. Streamlining is the act of altering a process to make it simpler or more efficient, and that is where StateRAMP comes in.

StateRAMP is a shared service resource that provides a standardized cloud security assessment and compliance program that helps governments streamline their cloud procurement process. There are several ways in which StateRAMP can help the cloud procurement process:

Objective Standard

StateRAMP provides a single, standardized assessment that can be used to evaluate cloud service providers, reducing the time and resources governments would otherwise spend verifying security packages themselves or relying on vendor self-attestation. This helps governments quickly identify cloud providers that follow industry best practices and ensures an "apples-to-apples" comparison of providers during the procurement process.

Cost-Savings

The StateRAMP program also greatly accelerates the acquisition process by creating a common language around procurement to guide decision-makers and procurement teams through the complex matrix of cloud and cyber. This process can often be fragmented between state and local government. The cloud procurement toolkit that StateRAMP provides includes templates for contracts, RFPs, and other procurement documents. This helps governments to save time and money on their cloud procurement process.

Increased Competition

StateRAMP’s process ensures that all vendors are receiving the same information and are on a level playing field, which increases competition. StateRAMP allows for cyber policies to be met from the beginning with clear terms and expectations through to the contracting process and may reduce the incidence of protests based on subjective security assessment reviews.

Improved Security

StateRAMP’s cloud security assessment provides a comprehensive view of a cloud provider’s security posture. This information can be used to make informed decisions about which cloud providers to use and prevents the need to “rip and replace” systems down the road.

StateRAMP is a valuable resource for governments that are looking to address the security risk from cloud environments. Through the program, state and local governments receive unbiased validation that StateRAMP-authorized cloud solutions are secure and capable of safely storing government and citizen data. For resource-strapped public sector organizations, the program can help streamline modernization and cloud decision-making, allowing previously overwhelming decisions to become achievable. If you are interested in learning more about how StateRAMP can streamline your cloud procurement process, please reach out to get@stateramp.org.

The post Streamlining Cloud Procurement with StateRAMP appeared first on StateRAMP.

The increasing frequency and severity of cyber threats has become a significant concern for our nation’s security. During the Keynote Panel at the StateRAMP Symposium, panelists highlighted the current state of cyber threats and emphasized the need for effective solutions. This blog post explores the three key strategies our panelists presented as effective ways to enhance our nation’s cybersecurity and protect against malicious actors.  

1. Foster Collaboration & Public-Private Partnerships 

Panelists highlighted the importance of information sharing and professional intimacy between federal, state, and local governments. Sean Connelly, Senior Cybersecurity Architect and Trusted Internet Connections (TIC) Program Manager for the Cybersecurity & Infrastructure Security Agency shared that collaborative efforts and effective communication channels are crucial to address the ever-evolving cyber threats. Building strong public-private partnerships allows the government to leverage the expertise and resources of the private sector, leading to more robust cybersecurity measures. 

2. Embrace Zero-Trust Principles 

Zero-trust principles offer a strategic approach to preventing data breaches and keeping other cyber-attacks from succeeding. By challenging the notion of implicit trust, organizations can enhance their security posture. John Kindervag, creator of the Zero Trust model and Senior Vice President of Cybersecurity Strategy at ON2IT, challenged the audience to identify the most important components of their organization. For example, when Kindervag talked to hospital executives, they shared that elevators are the most crucial system on their network.

Kindervag’s example of prioritizing the protection of critical systems illustrates the importance of identifying and safeguarding vital components. Recognizing that the entire organization depends on a functional network underscores the need for a comprehensive zero-trust strategy.   

3. Take Immediate Action  

It is crucial to take immediate action rather than waiting for the perfect plan. Phil Stupak, Director of Federal Cybersecurity at the Office of the National Cyber Director in the Executive Office of the President, emphasized the importance of encouraging employees to do the right thing while cultivating a slightly higher risk tolerance. Stupak acknowledged that right now, cybersecurity professionals are so risk averse that they don’t want to try anything different. The fear of making mistakes should not hinder progress, and organizations should embrace experimentation and continuous improvement. Implementing incentive structures that empower individuals will contribute to a stronger cybersecurity posture.  

Protecting our nation against cyber threats requires collaborative efforts, zero-trust principles, and immediate action. By fostering collaboration and public-private partnerships, we can leverage collective expertise and resources. Embracing zero-trust principles allows organizations to identify and protect critical systems, mitigating the risk of data breaches. Finally, taking immediate action and embracing experimentation contributes to continuous improvement and resilience in the face of evolving threats. With these strategies, we can enhance our nation’s cybersecurity and protect our critical infrastructure, intellectual property, and national security. Indiana Congressman Jim Banks encouraged attendees to make a difference by sharing their ideas with their representatives in the capitol. As John Kindervag reminded the audience, “we are all cyber warriors!”

The post Enhancing National Cybersecurity: 3 Key Strategies to Combat Cyber Threats appeared first on StateRAMP.

In collaboration with its members from the public and private sectors, StateRAMP has made significant strides in enhancing its security measures. After several months of joint committee work sessions, the Standards and Technical Committee has approved updates to the StateRAMP Baseline Controls, incorporating a subset of the latest update to NIST 800-53 (a special publication by the National Institute of Standards & Technology).  This update aligns StateRAMP with the most current and comprehensive security guidelines for cloud cybersecurity. 

NIST 800-53 Rev. 5 is widely recognized as a catalog of best-practice controls and control enhancements. The baselines selected from it serve as the foundation for StateRAMP's Security Snapshot Program and StateRAMP Authorizations, ensuring robust security measures are in place.

According to Noah Brown, StateRAMP PMO Director, “Updating our control baselines was crucial for protecting government data as NIST 800-53 Rev. 5 is the next evolution in cloud security controls and allows Service Providers to implement controls that are relevant to the current threat landscape.”

The StateRAMP Standards & Technical Committee and Appeals Committee reviewed the baselines this winter and StateRAMP members had an opportunity to provide their feedback on the proposed baseline controls.  

Sean Hughes, Assistant Secretary for Technology, Security, and Operations/Chief Operating Officer of Massachusetts Executive Office of Technology Services and Security and Chair of the Standards & Technical Committee said, “The integration of NIST 800-53 Rev 5 into the baseline controls by StateRAMP’s Standards & Technical Committee is a testament to their commitment to upholding the highest standards of cybersecurity. Together, they have established a robust foundation for organizations seeking StateRAMP Authorization, setting the stage for enhanced protection and trust in the digital realm.”

The Standards & Technical Committee has again asked for public input to guide the implementation of Rev. 5 and the timing of the new requirements, which will be rolled out later this year. Please provide your feedback here.

Dan Lohrmann, Field Chief Information Security Officer, Public Sector at Presidio & Vice Chair of the StateRAMP Standards & Technical Committee, noted “The incorporation of NIST 800-53 Rev 5 into StateRAMP’s baseline controls marks a significant milestone in elevating the cybersecurity standards for government entities. By embracing the latest advancements in security practices, StateRAMP reinforces its commitment to staying at the forefront of cyber defense.” 

“The adoption of NIST 800-53 Rev. 5 is an important step toward the harmonization of other federal requirements that flow down to state and local governments, such as requirements related to Criminal Justice Information Services, Healthcare and Medicaid Management Information Systems, Tax Information and Cloud Security Guidelines and more,” said Leah McGrath, Executive Director, StateRAMP. “We are very thankful for the time and leadership our PMO Team and Committee Members dedicated to help guide this process.” 

View Rev. 5 Baseline Controls here. If you have control-specific questions, please attend Office Hours every Wednesday from 2:30-3:30 pm EST. 

The post NIST 800-53 Rev. 5 Updates to Security Baselines appeared first on StateRAMP.

To achieve StateRAMP Authorization, providers must demonstrate their product meets minimum security criteria, which aligns with the best practices of National Institute of Standards & Technology (NIST) Special Publication 800-53. This includes providing a defined boundary for their cloud product and identifying underlying technologies.  

For a product to satisfy StateRAMP's Authorization requirements, the underlying technologies must themselves demonstrate minimum security compliance. For many providers this is a challenge, because they rely on third-party technologies that are not yet StateRAMP or FedRAMP Authorized.

In May 2023, the Standards and Technical Committee approved updated Boundary Guidance that allows for StateRAMP Provisional status for cloud offerings that rely on solutions which have not yet achieved a StateRAMP or FedRAMP Authorization, so long as the suppliers complete a StateRAMP Security Snapshot for the solution to make visible the strengths and risks of the cyber posture.   

Granting products Provisional status allows providers to extend the timeframe for working on their third-party solution, whether it involves achieving StateRAMP Authorization, migrating to a new solution, or hosting the solution inside their own boundary. 

A product’s Provisional letter will include the tools that are not FedRAMP or StateRAMP Authorized along with their Snapshot scores. The governments can then make risk-based determinations based on the Security Snapshot scores.  

“A cloud offering’s boundary is important when considering cybersecurity, because it provides visibility into the IT supply chain that can be a weak spot for bad actors to infiltrate,” explained Noah Brown, StateRAMP PMO Director. “StateRAMP’s Boundary Guidance is a novel approach to solving the costly challenge of the ‘chicken or the egg’ question that providers face today when considering their suppliers.”  

The new StateRAMP Authorization Boundary Guidance supports the cybersecurity ecosystem by removing third-party barriers and allowing products to come through the process with tools that may not be FedRAMP or StateRAMP Authorized yet. Service providers can use more suppliers from the marketplace and continue to do business with states and local governments. By expanding the market, costs may be reduced.  

To learn more about StateRAMP’s Authorization Boundary guidance, please visit here.

The post Boundary Guidance Breaks Traditional Barriers appeared first on StateRAMP.

MGM National Harbor, MD – StateRAMP, a non-profit organization focused on improving cybersecurity and reducing supply chain risk in state and local government, hosted its inaugural symposium on May 3, 2023, at the MGM National Harbor. The event brought together more than 120 attendees, including government officials, cybersecurity professionals, and industry leaders.

The symposium featured two panels of experts who discussed the most pressing cybersecurity challenges facing the public sector today. The keynote panel, titled “Securing our Nation Against Cyber Threats,” included U.S. Congressman Jim Banks (IN), Sean Connelly from the Cybersecurity and Infrastructure Security Agency (CISA), Phil Stupak from the Office of the National Cyber Director, and John Kindervag from the ON2IT Group. The panel was moderated by Leah McGrath, the Executive Director of StateRAMP.

The keynote panel discussed the increasing frequency and sophistication of cyber threats facing the public sector and the steps that must be taken to protect critical infrastructure and sensitive data. The panelists emphasized the need for collaboration and partnership among government agencies, private sector companies, and cybersecurity experts to develop effective strategies to combat cyber threats. They encouraged attendees to continue experimenting and to take meaningful steps even when there is not a defined roadmap.

The second panel, titled “Evolution of StateRAMP: Partnering to Progress Supplier Cyber Risk Management,” featured a group of StateRAMP board members and industry leaders who discussed the progress that StateRAMP has made in improving supplier risk management and the challenges that still need to be addressed. The panel included J.R. Sloan, the StateRAMP Board President and CIO of the State of Arizona, Dugan Petty, a StateRAMP board member, James Grant, the CIO of the State of Florida, Joe Bielawski, the President of Knowledge Services, and Stephen Kovac, the StateRAMP Provider Leadership Council Chair and Zscaler Chief Compliance Officer. The panel was also moderated by Leah McGrath.

The StateRAMP panel discussed the importance of standardizing cybersecurity requirements for government suppliers and the role that StateRAMP is playing in this process. The panelists explained how important it is to keep StateRAMP business-friendly and how they will work to continue to harmonize various compliance standards. Additionally, they emphasized the importance of information sharing and how the StateRAMP Security Snapshot allows public institutions to identify where suppliers are in their cybersecurity journey.

“The StateRAMP symposium was a great success, and we were thrilled to have such a diverse and knowledgeable group of experts participate in the event,” said Leah McGrath, the Executive Director of StateRAMP. “We believe that the discussions and insights shared at the symposium will help to improve cybersecurity and reduce supply chain risk in state and local government.”

The success of the StateRAMP Symposium reflects the dedication of the organization and its stakeholders in creating a more secure digital landscape for state and local governments. The discussions and insights shared during the event will undoubtedly contribute to the ongoing efforts to strengthen cybersecurity defenses and mitigate supply chain risks.

As StateRAMP continues its mission to provide a standardized approach to cybersecurity assessments and authorizations, it remains a vital resource for governments, suppliers, and cybersecurity professionals. By working collaboratively and staying at the forefront of emerging threats and best practices, StateRAMP is poised to make a lasting impact on cybersecurity in the public sector.

The post StateRAMP Symposium Brings Together Leading Cybersecurity Experts to Discuss Cyber Threats and Supplier Risk Management appeared first on StateRAMP.

Our team expanded at the end of 2022, and we are thrilled to start the new year with unique perspectives and exciting updates! Read below to dive deeper into a recap of 2022 and to learn more about what’s to come for StateRAMP in 2023.

Overview of 2022

Formalization of StateRAMP Approvals Committee

At the beginning of 2022, StateRAMP’s Board of Directors and Nominating Committee formed the StateRAMP Approvals Committee, which offers service providers another option for government sponsorship. The committee reviews security packages on a monthly basis and since beginning reviews, the StateRAMP Approvals Committee has sponsored 13 products.

“We are so grateful for the members of our StateRAMP Approvals Committee. The committee streamlines sponsorship, allowing more service providers to achieve StateRAMP Authorization and broadening the pool of secure cloud service offerings for government,” said Leah McGrath, StateRAMP Executive Director. You can read more about the StateRAMP Approvals Committee here.

Additionally, 2022 was the first year StateRAMP accepted nominations from our members. We had an incredible response with 53 people submitting nominations for our 4 standing committees and Board of Directors. We are grateful for the cybersecurity community’s dedication to protecting government data.

Expanded Membership  

In 2022, 17 states, 4 local governments and 2 higher education institutions publicly recognized StateRAMP. To increase understanding of StateRAMP’s direct value, the StateRAMP team attended dozens of conferences and speaking engagements across the country, establishing several new strategic partnerships, such as National Association of State Procurement Officials (NASPO), National Association of State Chief Information Officers (NASCIO), and K12 Security Information eXchange (K12 Six). The feedback from the 23 engaged jurisdictions provided insight into how StateRAMP can better serve the government in years to come.

At the end of 2022, StateRAMP had 139 service provider members representing 1,295 people. There were 37 products on the Authorized Product List and 42 on the Progressing Product List.

Introduction of StateRAMP Security Snapshot

After listening to our members’ feedback, our team developed a new, early-stage security maturity assessment tool for cloud products. The StateRAMP Security Snapshot was approved by the StateRAMP Standards & Technical Committee and adopted by the Board as a “pre-Ready” measurement.

The StateRAMP Security Snapshot offers providers the first step toward achieving a verified StateRAMP security status by providing them with a gap analysis that validates a product’s current maturity in relation to meeting Minimum Mandatory Requirements for StateRAMP Ready.

“The StateRAMP Security Snapshot will allow us to identify gaps so we can develop resources to help service providers achieve Ready status,” said Noah Brown, StateRAMP PMO Director.

For governments, the StateRAMP Security Snapshot can be utilized throughout the procurement process, as governments may utilize the Snapshot to clearly determine the risk associated for products being considered for procurement.

What’s In Store for 2023

Transition to NIST 800-53 Revision 5

2023 marks a significant year for StateRAMP, as the Standards & Technical committee will evaluate how to incorporate NIST 800-53 Rev. 5 into StateRAMP’s security requirements. StateRAMP’s baseline controls are the foundations of StateRAMP’s security requirements and during the month of February, we plan to invite all members to provide their feedback on the new baseline.

“The Standards & Technical Committee is currently working through the transition to NIST 800-53 Revision 5 requirements. Updating our control baselines will be crucial for protecting government data as Rev 5 is based on updated threat intelligence, places an emphasis on privacy, and adds more controls surrounding supply chain risk management,” said Noah Brown, PMO Director.

New Councils

The StateRAMP team is preparing to launch two new councils: StateRAMP's Provider Leadership Council and 3PAO Advisory Council. The councils will promote information sharing among public and private-sector members, providing expertise and advice to StateRAMP.

Every service provider member and StateRAMP-registered 3PAO will designate one representative to serve on these critical councils. The councils will conduct virtual meetings twice a year with ad hoc meetings as needed. Stay tuned for more information on how to get involved.

Continued StateRAMP Implementation Among Governments

This year, our team aims not only for more government adoption, but also complete StateRAMP implementation within participating governments. The launch of StateRAMP Security Snapshot and Fast Track Government Implementation will allow governments to place StateRAMP requirements into their solicitations and contracts, rapidly improving the cyber posture of all levels of government. Click here for more information on how to get started.

Overall, we are excited about what’s to come for StateRAMP this year! Our team will be at numerous conferences and meetings throughout the year, which can be found at stateramp.org/events. If you have any questions, please contact us at info@stateramp.org.

The post What’s Next for StateRAMP in 2023 appeared first on StateRAMP.

Earlier this month, President Biden signed into law H.R. 7776, which includes codification of the FedRAMP program. The passage of the FedRAMP Authorization Act is something to be celebrated and recognizes the hard work by dedicated leaders at FedRAMP and its stakeholders.  For more than a decade, FedRAMP has championed the importance of ongoing verification of cloud security for third-party suppliers to the federal government.  

In many ways, it was the idea of FedRAMP that inspired StateRAMP’s founding Steering Committee to form StateRAMP in 2020. 

StateRAMP is modeled in part after FedRAMP, both sharing control requirements based on the National Institute of Standards & Technology (NIST) SP 800-53 and both relying on independent audits by third party assessment organizations. Continuous monitoring and monthly reporting are hallmarks of both StateRAMP and FedRAMP.  

Just as FedRAMP exists to serve federal agencies, StateRAMP is designed to serve non-federal agencies from states to local governments and public pre-k through higher education jurisdictions and the providers who serve them. 

With the passage of the FedRAMP Authorization Act, the goals of FedRAMP and StateRAMP continue to align. 

A key provision in the FedRAMP Authorization Act is the idea of Agency Acceptance of ATOs, meaning agencies can recognize a FedRAMP Authorization to Operate (ATO) without the process of issuing their own ATO.   

StateRAMP is working toward the same goal among our growing list of participating government members.  

StateRAMP’s standardized approach and centralized program management office allow providers to verify and report continuous monitoring once in order to serve many, giving governments shared access to critical information and enabling a more proactive approach to managing third-party cyber risk.

The only way to improve cybersecurity is to go forward together. 

Today, all levels of government rely on cloud products to help in the delivery and efficiency of government services. Protecting the integrity of government systems and securing citizen data is not the government’s responsibility alone. The responsibility to ensure the highest level of cybersecurity rests also with the vendors who serve government.

Working with programs like FedRAMP and StateRAMP, cloud service providers can help make a difference in moving toward a more secure future.   

The post StateRAMP Celebrates the Passage of FedRAMP Authorization Act appeared first on StateRAMP.

StateRAMP announces a new early-stage security maturity assessment tool for cloud products. The StateRAMP Security Snapshot was approved by the StateRAMP Standards and Technical Committee and adopted by the Board as a “pre-Ready” measurement and gap analysis to provide insights for providers and the governments they serve. 

The intent of the Security Snapshot is to offer providers a first step toward achieving a verified StateRAMP security status. The criteria are designed to provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready, including controls and select additional requirements that would have a significant impact on the state of the system. 

“One question we have heard from our provider members is how to get started with StateRAMP. At the same time, our government members have expressed the need for a gap analysis measurement that goes beyond self-attestation and can be consistently applied across products to provide insights into risk maturity as providers work toward StateRAMP Authorization,” said Leah McGrath, Executive Director of StateRAMP.

“The StateRAMP Security Snapshot is an exciting development that answers the needs our members have expressed and helps providers take their first step toward verifying the security of their cloud products for government,” said McGrath.

Providers can begin the StateRAMP Security Snapshot process by becoming a member and submitting an online form, which will go live in January. Once a StateRAMP Security Snapshot is completed, a letter will be issued to the Provider with a product’s security maturity score. Governments will be able to request Snapshot scores from Providers to gain better insight into the security posture of third-party cloud solutions, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) products.

The StateRAMP Security Snapshot can be utilized throughout the procurement process, as governments may utilize the Snapshot to determine the risk associated with products being considered for procurement. The Snapshot may also be used by Governments to assess progress toward StateRAMP Authorization for products once contracted.

“I appreciate the time the Standards & Technical Committee, along with the StateRAMP team, spent developing the StateRAMP Security Snapshot,” said Dan Lohrmann, Chair of the StateRAMP Standards & Technical Committee. “The Snapshot has been a missing piece for providers to get started, and we are excited to offer this service to providers and government.”

StateRAMP Security Snapshot reviews will take around three weeks to complete and will provide a moment-in-time representation of a product’s security maturity. StateRAMP recommends that a valid Snapshot be no older than 12 months.

“The StateRAMP Security Snapshot allows us to identify gaps so we can develop resources to help service providers achieve Ready status,” said Noah Brown, StateRAMP PMO Director. “I compare the StateRAMP Security Snapshot to the 2-mile run on the Army ACFT. Before you begin a training program, you need to run two miles and score your time. Before beginning the StateRAMP Readiness Assessment Report, the Snapshot can help service providers identify where they are in comparison to StateRAMP Ready requirements.”

Snapshot reviews will be available in January and fees will range from $500-$1500, based on a tiered structure. The updated fee structure can be found here. A letter is provided with the StateRAMP Security Snapshot Score. Scores are not publicly posted, and any sharing of Scores is at the discretion of the provider.

Visit stateramp.org to view the criteria for StateRAMP Security Snapshots.

Register for an introductory webinar here.

The post StateRAMP Rolls Out New Security Maturity Assessment Tool appeared first on StateRAMP.