Developing a Cybersecurity Strategy: A StateRAMP-Focused Approach for Service Providers Starting Their Journey

TONY BAI

Chief Solutions Officer

RISCPoint

MARTIN RIEGER

Chief Solutions Officer

StackArmor

MATT GRAHAM

Director of FedRAMP

Prescient Security

StateRAMP’s mission is to provide a standardized approach to cybersecurity verification for cloud service providers working with state and local governments, and educational institutions. Achieving compliance not only demonstrates a commitment to protecting sensitive government data but also opens doors for providers seeking to expand their footprint in the public sector. 

To shed light on how providers can successfully navigate the journey to StateRAMP compliance, we spoke with three industry experts from StateRAMP premier member organizations: Tony Bai, Chief Solutions Officer at RISCPoint; Matt Graham, Director of FedRAMP at Prescient Security; and Martin Rieger, Chief Solutions Officer at StackArmor. In this panel discussion, they share insights on the importance of compliance, the challenges providers face, and strategies for success. Whether you’re beginning your StateRAMP journey or seeking ways to enhance your compliance practices, their expertise offers valuable guidance. 

Q: What is the biggest benefit for providers starting their compliance journey with StateRAMP? How does it set the stage for managing other frameworks down the road?

Tony Bai: While business leaders’ primary motivation for StateRAMP and other standards often focuses on the benefit of accessing the state and local government markets for their cloud service offering, there is much more to recognize in the benefits of a StateRAMP implementation. As a cybersecurity professional, I believe robust cybersecurity programs provide essential benefits, particularly in creating or enhancing a provider’s overall security posture. 

StateRAMP’s basis in NIST cybersecurity guidance provides a comprehensive and detailed compliance framework to help a cloud service provider protect both its own and its clients’ data. The widespread acceptance of NIST cybersecurity controls (i.e., NIST 800-53) and their global recognition by other cybersecurity frameworks means a provider’s cybersecurity control implementation is already mapped to most other frameworks. This simplifies a provider’s maintenance of an overarching compliance program, enabling adaptability to nearly any cybersecurity framework they may need to address. 

Matt Graham: The biggest benefit for cloud service providers (CSPs) starting their compliance journey with StateRAMP is the speed to market. Unlike FedRAMP, which requires engagement with a Federal Agency, StateRAMP provides a streamlined path that helps CSPs enter the public sector market faster, allowing them to realize revenue on their products sooner. This accelerated process makes StateRAMP an attractive choice for companies eager to bring their solutions to market efficiently. In addition, StateRAMP’s marketplace is a powerful platform for outreach. By being listed as a compliant provider, CSPs gain visibility across a broad audience of state and local governments without intensive marketing efforts. The marketplace serves as a central hub where governments actively look for vetted and compliant cloud solutions, simplifying the discovery process for potential customers and enhancing market penetration for the providers.

Martin Rieger: StateRAMP is based on NIST SP 800-53, a widely adopted federal standard for cybersecurity. By adhering to StateRAMP, providers inherently align with many requirements found in other frameworks like FedRAMP, CMMC, and even ISO 27001. Providers gain the trust of state and local governments through a recognized certification. This credibility opens doors to broader government and enterprise markets and helps meet contractual compliance requirements set forth by the states. StateRAMP’s continuous monitoring program ensures that organizations maintain ongoing visibility into their security posture—a cornerstone of other frameworks as well. Starting with StateRAMP provides a focused, incremental path to compliance, reducing the complexity and resources required to simultaneously pursue multiple frameworks.

Q: What strategies have you seen work best for providers managing multiple frameworks like StateRAMP, FedRAMP, CMMC, and CJIS? How can they leverage overlapping controls to simplify compliance?

Tony Bai: I recommend implementing controls from the most comprehensive framework, such as StateRAMP, first and building from there. Mapping StateRAMP requirements to equivalent controls in other frameworks allows a provider to operate efficiently using the most restrictive requirements. This approach ensures that controls are implemented effectively without introducing gaps that require additional analysis and resources. The advantage of starting with StateRAMP is that most other frameworks already have mappings to it, allowing for increased consistency and reduced duplicated efforts when meeting compliance requirements. Providers should view compliance as a tool to maintain effective and operationalized cybersecurity, enabling them to focus on delivering secure and reliable services to their clients.

Matt Graham: The best strategies for managing multiple frameworks like StateRAMP, FedRAMP, CMMC, and CJIS involve leveraging overlapping controls to streamline compliance efforts. One effective approach is to engage advisors with expertise across these frameworks, enabling providers to map and satisfy multiple audits simultaneously. This minimizes redundancy and increases efficiency.

Reducing the number of audits is another key strategy. Providers can identify opportunities where a single assessment meets the requirements of multiple frameworks. By consolidating audits, providers save time, reduce costs, and alleviate audit fatigue. StateRAMP, in particular, plays a significant role by consolidating and mapping controls across frameworks, simplifying compliance management.

Martin Rieger: Managing multiple compliance frameworks can be complex, but the right strategies help reduce redundancy. Leveraging overlapping controls, or common controls, is essential. Effective strategies include:

  • Unified Compliance Program: Centralized governance and common control frameworks.
  • Technology Utilization: Integrated GRC platforms and continuous monitoring automation.
  • Prioritization: Focus on the framework with the most rigorous requirements and map controls across frameworks (e.g., NIST SP 800-53).
  • Documentation: Establish a centralized repository for control documentation.
  • Engagement with Experts: Partner with advisors and experienced auditors to optimize compliance processes.

Q: How can providers ensure they maintain compliance after achieving StateRAMP Authorization? What tools and practices help make continuous monitoring more effective?

Tony Bai: It’s important to realize that achieving a StateRAMP Authorization is only the first step in the process. Once authorized, your compliance journey is just beginning. A strong commitment to continuous monitoring is key to maintaining a proactive compliance program and ensuring effective risk management. Automated tools such as vulnerability scanning, real-time log monitoring, and system configuration management are essential in maintaining effective oversight of a continuous monitoring program.

Another key strategy is to implement a strong change management process to verify that controls remain effective and documented. Inconsistencies between the implemented controls and documentation can have a detrimental effect on a provider’s annual assessment. A continuous monitoring strategy must also include regular control reviews and vulnerability scanning to identify weaknesses early. In addition, providing regular cybersecurity training for personnel helps reduce the possibility of cybersecurity incidents.

All these practices demonstrate an effective approach to continuous monitoring, ensuring the maintenance of security for a provider’s government clients.

Matt Graham: To maintain compliance after achieving StateRAMP Authorization, a consistent continuous monitoring process is essential. Providers can either manage this internally or with the support of an advisor. Effective continuous monitoring involves the use of reliable vulnerability scanning tools, maintaining an active change control board, and routinely monitoring policies and procedures to ensure they remain current and compliant.

Regular assessments, ongoing risk analysis, and swift remediation of identified issues are critical practices that help providers sustain compliance and demonstrate their commitment to security over time.

Martin Rieger: Maintaining StateRAMP Authorization requires providers to implement effective tools and practices for continuous monitoring to ensure their systems remain secure and compliant. Continuous monitoring is critical to demonstrating an ongoing commitment to security and meeting the annual and monthly requirements of StateRAMP. Below are key strategies and tools to help providers maintain compliance: 

1. Understand Continuous Monitoring Requirements

StateRAMP’s continuous monitoring process involves the following:

  • Monthly Requirements: Submission of vulnerability scans, a review of the Plan of Action and Milestones (POA&M) for any unresolved vulnerabilities, and reporting system changes that affect compliance.
  • Annual Requirements: Independent third-party assessment of controls and validation of updated security documentation, including System Security Plans (SSPs).

2. Establish a Governance Framework

  • Dedicated Compliance Team: Assign roles and responsibilities for compliance activities, such as vulnerability management, incident response, and documentation updates.
  • Policy and Procedure Updates: Regularly review and update security policies to reflect changes in the system or environment.

3. Automate Vulnerability Management

Use tools to automate vulnerability scanning, tracking, and remediation:

  • Scanning Tools: Tenable, Qualys, Rapid7, Nessus.
  • Patch Management: Automate patch deployment for OS and application vulnerabilities.
  • Remediation Tracking: Link findings from scans directly to your POA&M to streamline tracking and resolution.

4. Implement Continuous Monitoring Solutions

  • Security Information and Event Management (SIEM): Tools like Splunk, LogRhythm, or Microsoft Sentinel monitor logs, detect anomalies, and alert teams to potential security incidents.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to protect systems from advanced threats.

5. Monitor and Update the POA&M

  • Centralized Tracking: Use a single repository or GRC platform to track all POA&M items.
  • Prioritize Critical Issues: Ensure vulnerabilities with critical or high severity are resolved within StateRAMP’s required timeframes.

6. Engage with StateRAMP PMO and 3PAOs

  • Stay Updated: Work closely with the StateRAMP Project Management Office (PMO) to stay informed of updates to requirements.
  • Engage 3PAOs: Consult with Third-Party Assessment Organizations (3PAOs) for guidance on best practices and pre-assessment checks.
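Items 3 and 5 above describe linking scan findings to the POA&M and resolving high-severity items within the required timeframes. The following Python is an added illustration of that reconciliation and aging logic; it is not part of the panel’s remarks, nor StateRAMP or any vendor’s tooling. The scan findings and POA&M entries are constructed sample data, and the remediation windows in `SLA_DAYS_PLACEHOLDER` are placeholder values, not StateRAMP’s actual timeframes, which the reader should take from the current continuous monitoring guidance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days by severity. PLACEHOLDER values for this example
# only; substitute the timeframes from the current StateRAMP ConMon guidance.
SLA_DAYS_PLACEHOLDER = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


@dataclass
class PoamItem:
    """One POA&M line: a scanner finding on one host, tracked until closed."""
    finding_id: str          # "<plugin id>:<host>" keeps the same weakness on two hosts distinct
    host: str
    severity: str            # lowercase: critical / high / moderate / low
    first_detected: date
    status: str = "open"
    closed_on: Optional[date] = None

    def due_date(self, sla_days=SLA_DAYS_PLACEHOLDER):
        # The clock starts at first detection and never resets on later scans.
        return self.first_detected + timedelta(days=sla_days[self.severity])


def merge_scan_into_poam(poam, scan_findings, scan_date):
    """Reconcile a monthly scan with the POA&M.

    New findings become open items dated to this scan; open items whose finding
    no longer appears are closed, with the clean scan as the closure evidence.
    """
    by_id = {item.finding_id: item for item in poam}
    seen = set()
    for f in scan_findings:
        fid = f"{f['plugin_id']}:{f['host']}"
        seen.add(fid)
        if fid not in by_id:
            by_id[fid] = PoamItem(fid, f["host"], f["severity"].lower(), scan_date)
    for item in by_id.values():
        if item.status == "open" and item.finding_id not in seen:
            item.status = "closed"
            item.closed_on = scan_date
    return list(by_id.values())


def overdue_items(poam, as_of, sla_days=SLA_DAYS_PLACEHOLDER):
    """Open items whose remediation window has already elapsed as of `as_of`."""
    return [i for i in poam if i.status == "open" and i.due_date(sla_days) < as_of]


def monthly_summary(poam, as_of, sla_days=SLA_DAYS_PLACEHOLDER):
    """Open and overdue counts per severity: the figures a monthly report needs."""
    summary = {}
    for item in poam:
        if item.status != "open":
            continue
        row = summary.setdefault(item.severity, {"open": 0, "overdue": 0})
        row["open"] += 1
        if item.due_date(sla_days) < as_of:
            row["overdue"] += 1
    return summary


# --- Constructed sample data (not real scan output) -------------------------
SCAN_DATE = date(2024, 3, 1)


def build_sample_poam():
    """POA&M as it stood before the March scan (constructed)."""
    return [
        PoamItem("10001:web-01", "web-01", "critical", date(2024, 1, 5)),
        PoamItem("10002:db-01", "db-01", "moderate", date(2023, 11, 20)),
        PoamItem("10003:web-02", "web-02", "high", date(2024, 2, 10)),
    ]


# March scan (constructed): 10002 on db-01 has been fixed, 10004 on app-01 is new.
SAMPLE_SCAN = [
    {"plugin_id": "10001", "host": "web-01", "severity": "Critical"},
    {"plugin_id": "10003", "host": "web-02", "severity": "High"},
    {"plugin_id": "10004", "host": "app-01", "severity": "Low"},
]


if __name__ == "__main__":
    poam = merge_scan_into_poam(build_sample_poam(), SAMPLE_SCAN, SCAN_DATE)
    for item in poam:
        print(f"{item.finding_id:14} {item.severity:9} {item.status:7} due {item.due_date()}")
    print("overdue:", [i.finding_id for i in overdue_items(poam, SCAN_DATE)])
    print("summary:", monthly_summary(poam, SCAN_DATE))
```

The design point is the one the panel makes about documentation matching reality: a finding’s age is measured from first detection, not from the latest scan, so an item cannot be made to look current by rescanning, and a closure is recorded together with the scan date that serves as its evidence.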

Q: In your experience, how does StateRAMP help providers align with public sector expectations? What impact has achieving StateRAMP compliance had on their ability to win government contracts?

Tony Bai: Most, if not all, public sector cybersecurity requirements are based on NIST Special Publication 800-53 control requirements. StateRAMP’s leveraging of the same 800-53 controls ensures a provider’s cybersecurity implementation is already standardized to meet public sector cyber requirements. Achieving StateRAMP authorization demonstrates a provider’s commitment and ability to manage risk, secure government data, and meet regulatory requirements.

Providers must understand that the protection of government data is the public sector’s highest priority. This emphasis explains why many states have implemented mandatory authorization processes for providers doing business with state and local governments. The advantage of StateRAMP is that it provides a unified framework accepted by multiple state and local governments as an alternative to each government entity’s individual assessment process. This saves time, money, and resources by leveraging a “do once, use many” construct for cybersecurity assessments.

Martin Rieger: StateRAMP plays a crucial role in helping providers align with public sector expectations by setting a standardized framework for security and compliance that is specifically tailored to meet the needs of state and local governments. Over the last decade, we have seen city, state, and local government contracts requesting FedRAMP compliance, but not every system is designed for federal use.

This is where StateRAMP addresses the gap by satisfying a similar set of expectations. Achieving StateRAMP compliance has a tangible impact on a provider’s ability to win government contracts, as it demonstrates trustworthiness, commitment to data protection, and readiness to operate within the rigorous cybersecurity requirements of the public sector.

Q: Can you share any success stories or common pitfalls providers should avoid when pursuing StateRAMP compliance? How can a provider ensure a smooth journey through the process?

Tony Bai: Proper planning and preparation are key. This ensures your organization is well-prepared and educated on what it takes to effectively and efficiently navigate the journey to StateRAMP, avoiding wasted time and resources. It is widely understood that an experienced and skilled 3PAO assessor is necessary, but remember that a 3PAO assessor cannot advise on how best to meet cybersecurity controls.

Having a trusted and experienced advisor, separate from your 3PAO, is a key factor for success. Such an advisor can provide critical insights and expertise around public sector cybersecurity—knowledge that most providers may not already possess.

As with any public sector cybersecurity framework, documentation is a critical component but is often underestimated. Providers may prioritize technical implementations, such as external tooling or encryption, over documentation, but both are equally important. Incomplete or improper documentation can jeopardize an authorization assessment as much as poorly implemented technical controls can.

Martin Rieger: Providers pursuing StateRAMP compliance often face common pitfalls, including underestimating the initial effort required, failing to prioritize documentation, and overlooking continuous monitoring. Compliance is not merely about passing an audit; it involves aligning operational processes, technical controls, and documentation with NIST SP 800-53 standards. Conducting a gap analysis early helps identify areas needing attention and allocate sufficient resources. Providers must also maintain thorough, up-to-date documentation using tools like centralized repositories or GRC platforms, as StateRAMP places significant emphasis on this aspect.

Another frequent issue is treating compliance as a one-time event rather than an ongoing commitment. Implementing a robust continuous monitoring program with automated tools for vulnerability scanning, log management, and incident response is essential to sustain compliance. A strong, comprehensive System Security Plan (SSP) is critical, outlining system architecture, control implementations, and detailed descriptions to aid assessors. Delaying engagement with a qualified 3PAO often leads to surprises during the assessment, so early collaboration for a readiness assessment is highly recommended.

Finally, providers must budget adequately for compliance, considering costs for tools, resources, and third-party assessments. To ensure a smooth journey, providers should perform gap analyses, map existing compliance efforts to StateRAMP requirements, and invest in tools that simplify compliance processes. Stakeholder training, prioritizing high-impact controls, and continuous monitoring are vital. Engaging with the StateRAMP PMO through webinars and working groups keeps providers informed and aligned with best practices, ultimately setting them up for success in achieving and maintaining compliance.

Key Takeaways for Providers Navigating the StateRAMP Compliance Journey

StateRAMP compliance isn’t just about meeting cybersecurity standards—it’s about building trust with public sector partners, safeguarding government data, and creating opportunities for business growth. As these StateRAMP premier member organizations highlight, preparation, documentation, and ongoing monitoring are essential to achieving and maintaining compliance.

By avoiding common pitfalls and leveraging resources such as a strong 3PAO partnership and robust internal processes, providers can ensure a smoother journey to authorization. Staying engaged with StateRAMP initiatives and prioritizing continuous improvement further solidifies long-term success.

As the public sector continues to prioritize cybersecurity, aligning with frameworks like StateRAMP will remain a cornerstone for providers. Ready to start or enhance your compliance journey? Explore the tools and resources available at StateRAMP.org and join a growing community dedicated to advancing public sector cybersecurity.

Meet Our Panelists

Tony Bai is RISCPoint’s Chief Solutions Officer and a graduate of the Air Force Institute of Technology. Tony served as the USAF Cyber Defense and Cybersecurity SME and has led a Top 3 FedRAMP 3PAO practice. Tony has 30 years’ cyber experience in both government and federal contracting and maintains a wide range of certifications including CISSP, CCSP, CISM, and others.

Martin Rieger, Chief Solutions Officer at stackArmor, is a DOD and Federal Cloud Security Expert who delivers solutions to a broad range of complex problems in support of the mission. He is a results-driven IT leader with over 25 years of experience in security assessments and authorizations, continuous monitoring, project management, risk assessments, development of security test plans, system security reviews, and physical security assessments.

Matt Graham, Director of FedRAMP at Prescient Security, is a highly accomplished and experienced lead security analyst with expertise in cybersecurity assessment. He excels in analyzing security controls and evaluating risk. With a diverse skill set in sales, client relations, financial management, and more, Matt is a proactive leader known for fostering team collaboration. He has exceptional communication, problem-solving, and technical skills. As a Certified 3PAO Senior FedRAMP Assessor, Matt is dedicated to ensuring robust security measures. He is a driving force in safeguarding digital infrastructures and protecting against emerging threats.