The Fast Track program allows providers to submit to StateRAMP PMO the same security package and 3PAO audit they have prepared for FedRAMP. Providers do not need to wait for a FedRAMP authorization to submit a package to StateRAMP for a security review. The benefit of Fast Track is the ability to reuse the same audit and documentation for both StateRAMP and the Federal Program.
Why StateRAMP Fast Track?
States and local governments are under attack and self-attestation for cybersecurity compliance is not sufficient anymore. To better manage third party risk, governments need proof. The federal government created FedRAMP to verify cloud security based on NIST 800-53 Rev. 4 standards, but the security assurances provided by FedRAMP only apply to cloud service providers conducting business with the federal government.
Due to the nature of FedRAMP, States and service providers are unable to access security packages, control implementations, ConMon reporting, and authorized products. The goal of StateRAMP is to give States, local governments, special districts and public education institutions the ability to have visibility into a service provider’s security posture before the government authorizes the storage of data in the providers’ products. This not only provides transparency for governments, but it allows standardization for providers as well.
What to Expect with StateRAMP Fast Track
- Process takes weeks as opposed to months
- Video call with PMO+CSP to view submission and ConMon (if relevant)
- Provider to redact protected federal agency information as needed
- Provider will submit copies of documentation in secure portal for StateRAMP PMO
What are the StateRAMP Fast Track Steps?
1. Become a member
Regardless of whether you have a product with a federal authorization, providers must first become a StateRAMP member. After paying the membership fee, providers will have access to education, security templates, StateRAMP logo usage, and the Member Directory. StateRAMP members are eligible to participate on StateRAMP standing committees and can provide input on the annual review of security policies.
2. Engage the PMO
After joining as a StateRAMP member, service providers must complete a Security Review Request Form to engage the StateRAMP PMO. Prior to their first intake call, they can use this form to provide more information about their company and product.
3. Complete Required Documentation
Service providers should work with their third party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federally approved security package, 90 days of continuous monitoring (if relevant), and any necessary StateRAMP templates. The security team at the StateRAMP Program Management Office accepts documents in FedRAMP formatting.
4. PMO Review
The PMO will review the service provider’s complete security package and conduct a call with the provider and their 3PAO to make any final adjustments to the submitted documentation.
5. Continuous Monitoring
Continuous monitoring is required to maintain your product’s security status and listing on StateRAMP’s Authorized Product List. Providers with a federal authorization may submit their product’s monthly reporting to the StateRAMP PMO unless otherwise specified. After the initial assessment is complete, providers must submit their annual 3PAO audit documentation using StateRAMP templates.
If the provider has information they cannot share with the PMO or POAM items that are restricted, how will the PMO handle the situation?
The PMO will handle these situations on a case-by-case basis, and the handling will depend on what the provider is not allowed to share. If a federal agency is concerned about federally protected information, it is likely the federal agency would not wish to allow a state agency within the product boundary. On the other hand, state agencies will require the complete security information before allowing state data to be put in that space. To mitigate the situation, there will be constant communication between the PMO, service provider, and federal agency to find middle ground to ensure we are giving States what they need to make the appropriate decisions on where to house their data.
How can providers be sure data packages and dashboards are secure?
Documentation uploaded to the secure portal will be separated by CSP, and access is tightly controlled. The only people who will have access to the inside of the tenant will be a designated CSP representative and the PMO. To ensure the necessary level of privacy and security, the StateRAMP Board and Steering Committee have adopted a policy requiring the document repository be a FedRAMP Moderate platform.
Do FedRAMP-authorized 3PAOs have reciprocity for performing assessments for StateRAMP or do they have to recertify?
To be recognized by StateRAMP and added to the StateRAMP Approved Assessors list, 3PAOs must be A2LA-certified and FedRAMP-approved. Both prerequisites allow StateRAMP to confidently utilize the existing FedRAMP 3PAO community, and as a result almost 30 organizations are included on the Approved Assessors list. 3PAOs who are interested in joining StateRAMP can register at: Register – StateRAMP.
Do providers need to be listed on the FedRAMP Marketplace before leveraging the StateRAMP Fast Track Program?
No. Providers do not need to wait for a FedRAMP authorization to submit a package to StateRAMP for a security review. The benefit of Fast Track is the ability to reuse the same audit and documentation for both StateRAMP and the Federal Program. The Fast Track program simply allows providers to submit to StateRAMP PMO the same security package and 3PAO audit they have prepared for FedRAMP.
Do providers need to be ready before they are authorized?
No, a product does not need to be Ready before its security package can be submitted to the PMO for an Authorization Review.
Will future FedRAMP certified products be eligible for StateRAMP Fast Track?
Our goal is to have future products be eligible for the Fast Track.
Can I use my federal agency as my sponsor to achieve StateRAMP Authorization status?
For an offering to be listed as StateRAMP Authorized on the StateRAMP Authorized Product List (APL), providers can either select their own government sponsor or leverage the StateRAMP Approvals Committee.
Eligible government sponsors include any government official or employee who serves in the role of Chief Information Officer, or their designee, who represents state, local, tribal, or territorial government or public higher education institutions.
The other option for providers is to utilize the StateRAMP Approvals Committee. The StateRAMP Approvals Committee is comprised of five government officials who collectively serve as the Government Sponsor. The committee meets monthly to review security packages and recommendations from the security team at the Program Management Office and approves Authorizations. If the Approvals Committee is selected, no separate government sponsor is required.