If a provider has a product, service, or offering with a federal authorization (ATO, P-ATO, or Ready status) that offering is eligible for the StateRAMP Fast Track process. Providers will partner with the StateRAMP Project Management Office (PMO) to provide and authenticate the necessary security documentation they’ve already completed for federal authorization.
Why StateRAMP Fast Track?
States and local governments are under attack and self-attestation for cybersecurity compliance is not sufficient anymore. To better manage third party risk, governments need proof. The federal government created FedRAMP to verify cloud security based on NIST 800-53 Rev. 4 standards, but the security assurances provided by FedRAMP only apply to cloud service providers conducting business with the federal government.
Due to the nature of FedRAMP, States and service providers are unable to access security packages, control implications, ConMon reporting, and authorized products. The goal of StateRAMP is to give States the ability to see a service provider’s security package before the government authorizes the storage of state data in the providers’ products. This not only provides transparency for governments, but it allows standardization for providers as well.
What to Expect with StateRAMP Fast Track
- Process takes weeks as opposed to months
- Video call with PMO+CSP to view submission and ConMon
- Provider to redact protected federal agency information as needed
- Provider will submit copies of documentation in secure portal for StateRAMP PMO
What are the StateRAMP Fast Track Steps?
1. Become a member
Regardless of whether you have a product with a federal authorization, providers must first become a StateRAMP member. After paying the membership fee, providers will have access to education, security templates, StateRAMP logo usage, the Member Directory, and become eligible to participate on StateRAMP standing committees.
2. Engage the PMO
Provider members with an accepted federal authorization status can engage the StateRAMP PMO. The accepted statuses are Ready, ATO, and P-ATO. The table below outlines the costs associated with the different security reviews which would allow provider members to list their offerings on the StateRAMP Authorized Vendor List.
3. Complete Required Documentation
Service providers should work with their third party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federal approved security package, 90 days of continuous monitoring, and any necessary StateRAMP templates.
4. PMO Review
The PMO will review the service provider’s complete security package and conduct a call with the provider and their 3PAO to make any final adjustments to the submitted documentation.
5. Continuous Monitoring
Continuous monitoring is required to maintain your product’s security status and listing on StateRAMP’s Authorized Vendor List. Providers with a federal authorization may submit their product’s monthly reporting to the StateRAMP PMO unless otherwise specified. After the initial assessment is complete, providers must submit their annual 3PAO audit documentation using StateRAMP templates.
If the provider has information they cannot share with the PMO or POAM items that are restricted, how will the PMO handle the situation?
The PMO will handle these situations on a case-by-case basis, and will depend on what the provider is not allowed to share. If a federal agency is concerned about federally protected information, it is likely the federal agency would not wish to allow a state agency within the product boundary. On the other hand, state agencies will require the complete security information before allowing state data to be put in that space. To mitigate the situation, there will be constant communication between the PMO, service provider, and federal agency to find middle ground to ensure we are giving states what they need to make the appropriate decisions about where to house their data.
How can providers be sure data packages and dashboards are secure?
Documentation uploaded to the secure portal will be separated by CSP, and access is tightly controlled. The only people who will have access to the inside of the tenant will be a designated CSP representative and the PMO. To ensure the necessary level of privacy and security, the StateRAMP Board and Steering Committee have adopted a policy requiring the document repository be a FedRAMP Moderate platform.
Do FedRAMP-authorized 3PAOs have reciprocity for performing assessments for StateRAMP or do they have to recertify?
To be recognized by StateRAMP and added to the StateRAMP Approved Assessors list, 3PAOs must be A2LA-certified and FedRAMP-approved. Both prerequisites allowed StateRAMP to confidently utilize the existing FedRAMP 3PAO community and as a result, almost 30 organizations are included on the Approved Assessors list. 3PAOs who are interested in joining StateRAMP can fill out the registration form here.
Do providers need to be ready before they are authorized?
No, a product does not need to be Ready before it’s security package can be submitted to the PMO and government sponsor to obtain an Authorized status.
Will future FedRAMP certified products be eligible for StateRAMP Fast Track?
Our goal is to have future products be eligible for the Fast Track.