What is StateRAMP?
StateRAMP Members are vital to StateRAMP’s mission of bringing state and local governments together for education on best practices and to recognize a common method for verifying the cloud security of providers offering IaaS, SaaS, and/or PaaS solutions that process, store, or transmit government data.
Why Become a StateRAMP Member?
State and local governments are under attack and cybercrime is on the rise.
For technology companies, it is inadequate to exclusively concentrate on innovation. They need to be responsible as well, which means prioritizing transparency and implementing safety controls to prevent breaches.
Cybersecurity is a shared responsibility among providers, government members and assessors. War is being fought online, and as a solution, cybersecurity must become a pillar of everyone’s foundation.
VERIFY ONCE, USE MANY
For providers, the StateRAMP marketplace will deliver a process to verify a product’s security posture once, to serve many.
Once the provider is on StateRAMP’s Authorized Vendor List, states can leverage the list as a resource. Providers can work with StateRAMP and their assessor to gain access to continuous monitoring.
StateRAMP streamlines procurement for governments and providers.
Because some state and local governments do not carry out the verification process until the vendor has been selected, they choose vulnerable vendors. To alleviate friction, government agencies should incorporate security into the beginning of the acquisition process, so providers know expectations upfront.
StateRAMP would like to help develop a standardized procurement approach.
The goal is to give security officials the confidence that vendors who are awarded the contract can meet not only the service needs but also the minimum security requirements. Incorporating security in the acquisition upfront levels the playing field and gives all vendors a fair chance at the business.
STANDARDIZED SECURITY REQUIREMENTS
FedRAMP Authorization is available only to providers conducting business with the federal government, leaving state and local providers without a common method for verification.
As a solution, our team suggests that state and local governments adopt a cyber policy requiring independent verification of their vendors’ cyber posture. Providers who wish to conduct business with that state or local government need to engage a third-party assessor for required evaluations.
Our hope is to inform government officials about a supplier’s cyber posture, so they can make risk-based decisions that are right for them.
The StateRAMP Standards and Technical Committee approved our security templates, which can be found on the website. Additionally, if providers have an offering with a FedRAMP ATO/PATO or Ready status, then that offering is eligible for the Fast-Track process.
The StateRAMP process will help state and local governments achieve the best value of service. They will receive verification that suppliers can deliver service and security.
StateRAMP will help avoid a future of 50 different verification systems, which would cost both states and vendors more money. A standardized approach can streamline procurement and ease friction in contracting for all parties.
With annual third-party audits and continuous monitoring, state and local governments can have confidence that the systems are continually being monitored for ongoing threats. StateRAMP intends to evolve not only to meet threats, but also to educate providers on best cybersecurity practices.
Types of Membership
THIRD PARTY ASSESSMENT ORGANIZATIONS
To be listed on the StateRAMP Approved Assessors List, 3PAOs must be A2LA-certified and FedRAMP-approved. Assessors who meet both qualifications can submit the registration form located on the Assessors page of the StateRAMP website. It is the responsibility of the provider to pay for the cost of the third-party assessment.
Any state, local, education, tribal, and territorial (SLED) government official or employee with responsibility for information security, information technology, privacy, and/or procurement may become a member of StateRAMP. There is no membership fee and individuals may join by completing the government membership application.
Service providers interested in becoming a StateRAMP member should complete the service provider membership application and submit a membership fee of $500.
Service provider membership is available for organizations offering Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and/or Software as a Service (SaaS) solutions which process, store, and/or transmit government data.
Members receive access to education, webinars, security templates, sample policies, transparent and transferrable security standards, and the ability to list verified products on the Authorized Vendor List.
To be listed on the Authorized Vendor List, providers will pay a review fee to the Program Management Office.