How Does StateRAMP Compare to FedRAMP?

by Liz Huston

When the Steering Committee developed StateRAMP in 2020, they modeled it in part after the federal government’s security assessment program, FedRAMP. Building upon FedRAMP’s ten years of experience, the Steering Committee worked to develop a security review program specifically designed for state and local governments.

What do StateRAMP and FedRAMP have in common?

  • Both programs are built on National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4 requirements and are in the process of incorporating Rev. 5.
  • Both require third-party assessment organization (3PAO) audits and continuous monitoring.
  • StateRAMP and FedRAMP use impact levels of low, moderate, and high that align with NIST controls.
  • They utilize verified statuses of Ready and Authorized.

How are they different?

StateRAMP is organized as a 501(c)(6) and is governed by a Board of Directors. Since StateRAMP is a non-profit, our mission is to promote cybersecurity best practices through education, advocacy, and policy development to support our members and improve the cyber posture of state and local governments and the citizens they serve.

In contrast, FedRAMP is funded by the Office of Management and Budget, and its focus is on completing the security assessment and providing a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. StateRAMP prioritizes helping providers by supplying them with security templates and resources, reducing time to market, and eliminating barriers to accessing security verification.

Additionally, there are differences in the level of involvement between the organizations, the service providers completing security reviews, and the government agencies receiving security reporting. StateRAMP’s Project Management Office is designed as a shared resource between providers and government entities while the FedRAMP PMO serves purely as a reviewing body.

With StateRAMP, state and local governments have visibility into continuous monitoring reporting and the security postures of their vendors. In contrast, FedRAMP documentation is only visible to the federal agencies who work with providers, so states and local governments are unable to view verified product and/or security documentation.

Continuous monitoring is critical to preventing cyber-attacks, and StateRAMP gives states the ability to consistently check the security posture of the vendors who serve them. Giving states access to a secure repository ensures consistency in application of standards.

Additionally, if providers are unable to secure a government sponsor, StateRAMP provides an alternative option. Composed of five government members, the StateRAMP Approvals Committee is charged with serving as the body for Government Sponsorship for StateRAMP Provisionally Authorized and Authorized statuses.

Another difference between StateRAMP and FedRAMP relates to their security statuses. StateRAMP Ready statuses do not expire, and providers do not have to have a contract with governments to receive a Ready or Authorized status. With FedRAMP, providers have 12 months once they achieve Ready to find an agency sponsor to become Authorized.

StateRAMP Ready signals that providers meet minimum requirements while Authorized means providers have a government sponsor. Building an ecosystem of providers is a priority for StateRAMP, so contracts will not expire due to the lack of a sponsoring agency.

StateRAMP’s Provisionally Authorized status is awarded by a government sponsor, while FedRAMP’s Provisional status is awarded by the Joint Authorization Board. StateRAMP’s Provisionally Authorized status shows the progression the provider is making and demonstrates that they have exceeded the minimum requirements and completed a full Security Assessment Report. However, it also indicates that they have another requirement to complete and have most likely established a timeline with their government to close out any remaining security requirements.

Lastly, StateRAMP has developed a Fast Track option for companies who have FedRAMP ATO, P-ATO, or Ready status. To learn more about StateRAMP Fast Track, you can read our recent blog post, What Is StateRAMP Fast Track.

If I am a provider with FedRAMP status, why should I consider StateRAMP?

Submitting a product to StateRAMP for review will primarily benefit your state and local government clients as well as reduce the burden on your organization to provide security reporting to each individual state and maintain multiple instances of your security documentation.

By giving states access to continuous monitoring documentation, StateRAMP provides them the visibility they need to best manage risk for their constituents. Over time, more state and local governments will request access to their IaaS, PaaS, and SaaS providers’ security documentation and reporting to ensure their systems are secure.

Rather than having to submit documentation to multiple states, providers can store it in a secure repository where they can maintain a single, verified instance of their security reporting that can satisfy the needs of all their state and local government clients.

What are the benefits of StateRAMP to state and local governments?

State and local governments can benefit from the resources the centralized Project Management Office offers. StateRAMP informs states whether their vendors can deliver the services they need in a way that complies with best practices in cloud and cybersecurity. Additionally, the StateRAMP PMO serves as a partner in the verification process and works with the sponsoring government to provide transparent and accessible reporting on a consistent basis.

Governments can rely on the PMO to provide explanations and rationale for best practices as well as education on security requirements and control families. When a government begins working with a StateRAMP provider or serves as a government sponsor, the PMO will provide onboarding documentation and resources so the government members know exactly what to expect on a monthly basis and how to interpret the reporting provided by the PMO.

What is the cost?

StateRAMP’s goal is to help reduce costs for both providers and state and local governments. By standardizing security requirements in contracts and RFPs, procurement officials can have assurance that their vendor pool of IaaS, PaaS, and/or SaaS solutions meets all the necessary security requirements and is actively engaged in continuous monitoring to ensure ongoing security compliance. As a result, time and money can be saved for both governments and service providers.

Every time a provider must complete a custom audit, the point at which they can get to work serving constituents is delayed. StateRAMP aims to be a shared resource for both state and local governments, creating a level playing field with known standards and expectations. Since StateRAMP is organized as a non-profit and the heart of our mission is education and best practices, we exist to help strengthen the security posture of vendors.

To help providers prepare for a security assessment and PMO review, there are over 60 samples and procedures on the StateRAMP website which are reviewed and updated regularly by the StateRAMP Standards and Technical Committee. The Project Management Office exists to offer guidance and help, reducing the need for providers to hire consultants.

If you are interested in becoming a StateRAMP member, register here: https://stateramp.org/register/