To achieve StateRAMP Authorization, providers must demonstrate their product meets minimum security criteria, which aligns with the best practices of National Institute of Standards & Technology (NIST) Special Publication 800-53. This includes providing a defined boundary for their cloud product and identifying underlying technologies.
For a product to satisfy StateRAMP’s Authorization requirements, the underlying technologies must have demonstrated minimum security compliance. For many providers, this can be a challenge if they rely on technologies that are not yet StateRAMP or FedRAMP Authorized.
In May 2023, the Standards and Technical Committee approved updated Boundary Guidance that allows for StateRAMP Provisional status for cloud offerings that rely on solutions which have not yet achieved a StateRAMP or FedRAMP Authorization, so long as the suppliers complete a StateRAMP Security Snapshot for the solution to make visible the strengths and risks of the cyber posture.
Granting products Provisional status allows providers to extend the timeframe for working on their third-party solution, whether it involves achieving StateRAMP Authorization, migrating to a new solution, or hosting the solution inside their own boundary.
A product’s Provisional letter will include the tools that are not FedRAMP or StateRAMP Authorized along with their Snapshot scores. The governments can then make risk-based determinations based on the Security Snapshot scores.
“A cloud offering’s boundary is important when considering cybersecurity, because it provides visibility into the IT supply chain that can be a weak spot for bad actors to infiltrate,” explained Noah Brown, StateRAMP PMO Director. “StateRAMP’s Boundary Guidance is a novel approach to solving the costly challenge of the ‘chicken or the egg’ question that providers face today when considering their suppliers.”
The new StateRAMP Authorization Boundary Guidance supports the cybersecurity ecosystem by removing third-party barriers and allowing products to come through the process with tools that may not be FedRAMP or StateRAMP Authorized yet. Service providers can use more suppliers from the marketplace and continue to do business with states and local governments. By expanding the market, costs may be reduced.
To learn more about StateRAMP’s Authorization Boundary guidance, please visit here.