Earlier this month, President Biden signed into law H.R. 7776, which includes codification of the FedRAMP program. The passage of the FedRAMP Authorization Act is something to be celebrated and recognizes the hard work by dedicated leaders at FedRAMP and its stakeholders. For more than a decade, FedRAMP has championed the importance of ongoing verification of cloud security for third-party suppliers to the federal government.
In many ways, it was the idea of FedRAMP that inspired StateRAMP’s founding Steering Committee to form StateRAMP in 2020.
StateRAMP is modeled in part after FedRAMP, both sharing control requirements based on the National Institute of Standards & Technology (NIST) SP 800-53 and both relying on independent audits by third-party assessment organizations. Continuous monitoring and monthly reporting are hallmarks of both StateRAMP and FedRAMP.
Just as FedRAMP exists to serve federal agencies, StateRAMP is designed to serve non-federal agencies, from states to local governments and public pre-K through higher education jurisdictions, and the providers who serve them.
With the passage of the FedRAMP Authorization Act, the goals of FedRAMP and StateRAMP continue to align.
A key provision in the FedRAMP Authorization Act is the idea of Agency Acceptance of ATOs, meaning agencies can recognize a FedRAMP Authorization to Operate (ATO) without the process of issuing their own ATO.
StateRAMP is working toward the same goal among our growing list of participating government members.
StateRAMP’s standardized approach and centralized program management office allow providers to verify and report continuous monitoring once in order to serve many, giving governments shared access to critical information and enabling a more proactive approach to managing third-party cyber risk.
The only way to improve cybersecurity is to go forward together.
Today, all levels of government rely on cloud products to help in the delivery and efficiency of government services. Protecting the integrity of government and securing citizen data is not the government’s responsibility alone. The responsibility to ensure the highest level of cybersecurity also rests with the vendors who serve government.
Working with programs like FedRAMP and StateRAMP, cloud service providers can help make a difference in moving toward a more secure future.