So, what's StateRAMP?

February 22, 2022 • Jacob Nix

You may have heard that State and Local governments have their own approach to Authorization – also known as StateRAMP. So, let's talk about it.

Here’s everything you need to know.

What is it?

StateRAMP is a consortium of cybersecurity officials from the public and private sectors who have come together to “promote cybersecurity best practices through education, advocacy, and policy development.” Formed in late 2020, the organization is charged with assisting state and local governments in vetting third-party vendors’ cyber and cloud security posture. To do so, it borrows the structure of its federal counterpart, FedRAMP, and bases its methodology as a whole on FedRAMP’s framework. Because state and local governmental organizations cannot act as federal sponsors to Cloud Service Providers, this allows them to authorize vendors that do not work with federal agencies, using a baseline that follows the stringent example set at the federal level.

What does it do?

StateRAMP has 4 key goals, as set forth in its Start Guide:

  1. Help state and local governments protect citizen data.
  2. Save taxpayer and service provider dollars with a “verify once, serve many” model.
  3. Lessen the burdens on the government.
  4. Promote education and best practices in cybersecurity among those it serves in industry and the government communities.

Why was it created?

It’s no secret that government agencies are under constant threat of cybersecurity attacks. In 2020 alone, 79 ransomware attacks on local, state, and national governments amounted to an estimated $18.88 billion in damage, impacting 71 million people in the process. The FedRAMP authorization program was created to establish security guidelines for cloud vendors working with the government, and while the framework has continued to mature and has established itself as a beacon of security standards, it applies only to the Federal government. State and local governments therefore did not have guidelines of their own, and, thus, StateRAMP was born.

Implications for the future

As the potential for cybersecurity attacks continues to increase across all government levels, it is only natural that StateRAMP will eventually become a key framework for cloud service providers that work with any state or local government. Arizona recently announced its statewide pilot of the program, and other state and local government entities are sure to follow suit.

Want to learn more about StateRAMP and if authorization is appropriate for your business? Get in touch with a member of our team below.