StateRAMP 2023: Top 10 Updates

by Maddie Moore

On November 14, Leah McGrath, Executive Director of StateRAMP, presented the 2023 Staff Report to the Steering Committee. As we wrap up 2023, these Top 10 Updates serve as a reflection on the year and a glimpse into the future. Join us as we dive into the Top 10 StateRAMP updates going into the new year.

StateRAMP’s Top 10 Updates of 2023:

1. Office of the National Cybersecurity Director’s (ONCD) Request for Information on Opportunities for and Obstacles to Harmonizing Cybersecurity Regulations

The StateRAMP Staff collaborated with the StateRAMP Board to submit a response to the ONCD’s Request for Information (RFI) in October 2023.

2. Security Program Rev 5 Updates

StateRAMP prioritized updating our security framework to be based on NIST 800-53 Rev. 5 (from Rev. 4). This update closely aligns the framework with FedRAMP’s low and moderate impact baselines. The Rev. 5 policies and procedures will be updated on the StateRAMP website by early January. Those holding StateRAMP Ready, Provisionally Authorized, and Authorized status will all be required to meet Rev. 5 requirements by October 1, 2024.

3. StateRAMP Security Snapshot Criteria and Scoring Update

Launched in January 2023, the StateRAMP Security Snapshot and Progressing Snapshot Program have become highly successful. In October 2023, the StateRAMP Standards and Technical Committee updated the criteria and scoring to align with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework. The new criteria prioritize the highest-scoring MITRE ATT&CK threat controls, emphasizing best practices for improved security defense. The updated Security Snapshot criteria will be effective January 1, 2024.  

4. NASPO – StateRAMP Joint Procurement Task Force

StateRAMP and strategic partner NASPO have formed a joint Task Force to enhance best practice templates and solicitation/contract language. The Task Force plans to meet from October 2023 to March 2024 and will provide recommendations and findings to the Board and Steering Committee.

5. CJIS Task Force Set to Begin in 2024

The Standards and Technical leadership, in collaboration with FBI CJIS leadership, are initiating a StateRAMP CJIS Task Force. The objective is to unite State and Local Government stakeholders with FBI CJIS guidance to develop a StateRAMP overlay to align with CJIS requirements. Even though no CJIS certification exists, the CJIS-focused overlay aims to showcase a product’s potential for compliance. Obtaining StateRAMP Authorization with this overlay would be directional, and any CJIS compliance would still be determined by the appropriate agency personnel. The FBI CJIS team will serve as advisors, and outreach will begin this quarter, with the Task Force starting in Q1 of 2024.

6. TX-RAMP Partnership

TX-RAMP now recognizes StateRAMP Progressing Snapshot and StateRAMP Ready status for Provisionally Authorized Status with no expiration, a change from the usual 18-month limit. StateRAMP Authorized qualifies for full TX-RAMP compliance. Discussions with DIR are ongoing to update the TX-RAMP Program Manual for pathways to full TX-RAMP compliance through StateRAMP Ready and StateRAMP Provisionally Authorized. 

7. CISA Participation

StateRAMP is actively engaged in CISA’s Joint Cyber Defense Collaborative, contributing to the High-Risk Communities Protection Planning. We’ve collaborated with CISA to coauthor a blog on third-party risk management. Watch for its publication on the CISA site. Additionally, discussions are underway for StateRAMP to potentially join the CISA Supply Chain Task Force.

8. 2024 Events and Collaboration

StateRAMP’s 2024 events will kick off with the inaugural StateRAMP Cyber Summit in Indianapolis on September 12th. Additionally, there are plans for a Provider Leadership Council and Leadership Retreat on September 11th and 13th.

9. 2024 Membership Updates

The Board elected to move to Tiered Memberships for Providers, Consultants, and 3PAOs in 2024. This update will provide members with options for different levels of engagement with StateRAMP that will help support the organization long-term. Additionally, all members will move to the same annual renewal date of June 1. View a summary of the 2024 Membership Update (pdf).

10. ABA Model Procurement Code

StateRAMP presented at the GW Law Summer Series 2023 during the July webinar on Reforming the ABA Model Procurement Code (MPC). Our presentation highlighted StateRAMP’s role, its alignment with emerging state and local cybersecurity strategies, and our vision for key MPC areas. As a result, we were invited to speak in a law school class on a related topic and connected with key players in the MPC reform process. 

Reflecting on a Year of Achievements as We Head into 2024

StateRAMP has demonstrated a commitment to adaptation, collaboration, and education.

The non-profit prioritizes adapting to regulatory security changes, engaging successfully in partnerships, and organizing events that emphasize education. As we gain momentum heading into 2024, these principles show StateRAMP’s dedication to continue shaping the future of cybersecurity.