StateRAMP Improves Arapahoe County’s Security and Compliance

by Bradley Spurlock

During a recent interview with Nikki Rosecrans, Manager of Information Security and Compliance for Arapahoe County, Colorado, our team gained insight into local governments' perceptions of StateRAMP. Arapahoe County became the first county in Colorado to partner with StateRAMP. In this interview, Nikki shared some insights into the benefits Arapahoe County has reaped from this partnership.

What compelled Arapahoe County to partner with StateRAMP?

“Choosing to partner with StateRAMP was undoubtedly influenced by the professionals who work there. They have a team dedicated to assessing third-party cloud service providers for risk, security, compliance, and authorization management. I found them to be friendly, easy to work with, quick to respond to questions, and extremely knowledgeable.”

In implementing StateRAMP, where did you see the most benefit?

“In early 2023, Philip Savino, our CIO (Chief Information Officer), communicated the need to assess third-party Software-as-a-Service (SaaS) providers who transmit, process, and store essential or critical data (such as PCI, PII, PHI, and CJIS). As a solution, the leadership team and I developed a tool called STAR (SaaS Technical Assessment Review). In collaboration with other county partners, the STAR combines controls from the NIST 800-53 and SIG Lite Questionnaire. To ensure Arapahoe County’s compliance and security requirements were met, we developed a process to help our business analysts determine if a service provider requires a security assessment and how each department can request one.

I was informed in August by Chance Grubb, StateRAMP’s Government Engagement Director, that Colorado had become the 17th state to adopt StateRAMP into their technology procurement policies and processes. He and his team did a fantastic job describing the value and approach StateRAMP provides to its member organizations when it comes to Risk and Authorization Management, which immediately caught my attention. As a one-person operation, I usually spend four to ten hours assessing one SaaS provider. StateRAMP immediately appealed to me because of their standardized approach to assessing, authorizing, and monitoring cloud services and products used by state and local governments.

StateRAMP provides enhanced security, cost efficiency for vendors, and streamlines government procurement processes. It also ensures our citizens and county get reliable, uninterrupted services. Safeguarding sensitive information within our community is essential for protecting individuals’ rights and fostering trust within the community.”

Prior to StateRAMP, what challenges did you face?   

“As we are just beginning our StateRAMP process, I cannot compare much; however, I predict one challenge that will be solved through StateRAMP is the addition of dedicated PMOs (Program Management Offices) and 3PAOs (third-party assessment organizations) to assess third-party vendors, rather than it being just me. Having a team of professionals solely dedicated to facilitating security and compliance audits is a huge advantage for Arapahoe County!”

In what ways is StateRAMP cost-effective compared to having an in-house security team constantly monitoring cyber threats? 

“In the ever-evolving landscape of cyber threats, information security personnel face an unrelenting demand to stay one step ahead of these pervasive risks. The digital realm is a battleground where threats mutate and evolve rapidly, requiring security professionals to possess deep expertise and an adaptive mindset. Our roles extend beyond fortifying defenses and should encompass innovation, vigilance, and continuous learning. We must anticipate and analyze emerging risks and foster a culture of resilience within our organizations. It is a continuous effort to safeguard sensitive data, protect our infrastructure, and uphold the integrity of digital systems in an increasingly interconnected world.

StateRAMP takes charge of assessing our third-party service providers for security and compliance. Adhering to regulatory requirements allows our Information Security and Compliance team to focus on other cybersecurity and information security projects such as compliance audits, restructuring our digital environment to be more accessible and inclusive to those with accessibility needs, vulnerability management, risk mitigation, incident response, and policies and procedures to safeguard our critical and essential data.” 

What will change in your day-to-day position after StateRAMP’s adoption?   

“With StateRAMP in place, I will be able to perform security assessments more rapidly, and the county will get the assurance that it is protecting residents’ information and data. In order to ensure a consistent risk assessment and management approach across the agency, security practices are aligned with StateRAMP’s standardized framework. Furthermore, StateRAMP will allow our agency to establish solid relationships with vendors who comply with StateRAMP, resulting in more collaborative and secure partnerships.”

What has been the most unexpected benefit or surprise you have received from StateRAMP?

“A true partnership. I have been impressed by the extended helping hands I have received from StateRAMP thus far. Any questions I have related to security, vendor, or risk have been answered. And whenever StateRAMP doesn’t have an answer, they conduct research to find one. It truly feels like StateRAMP is a part of our organization, and not a separate membership organization.” 

How do you and your team keep up with the rapidly changing landscape of cybersecurity? 

“Continuous learning, networking, and staying up to date with emerging trends, technology, and threats are essential. I am very fortunate to work for the county that I do. We have one full-time employee dedicated to cybersecurity, but with StateRAMP I have a team of 75 professionals dedicated to ensuring the security and privacy of our systems, servers, applications, and customers.

For my part, I engage with peers, belong to professional associations, and participate in online forums and committees to share knowledge and experiences. My multifaceted approach to cybersecurity training and education, networking, practical experience, and continuous learning keeps me abreast of the dynamic landscape.”
