StateRAMP Rolls Out New Security Maturity Assessment Tool

by Liz Huston

StateRAMP announces a new early-stage security maturity assessment tool for cloud products. The StateRAMP Security Snapshot was approved by the StateRAMP Standards and Technical Committee and adopted by the Board as a “pre-Ready” measurement and gap analysis to provide insights for providers and the governments they serve. 

The intent of the Security Snapshot is to offer providers a first step toward achieving a verified StateRAMP security status. The criteria are designed to provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready, including controls and select additional requirements that would have a significant impact on the state of the system. 

“One question we have heard from our provider members is how to get started with StateRAMP. At the same time, our government members have expressed the need for a gap analysis measurement that goes beyond self-attestation and can be consistently applied across products to provide insights into risk maturity as providers work toward StateRAMP Authorization,” said Leah McGrath, Executive Director of StateRAMP.

“The StateRAMP Security Snapshot is an exciting development that answers the needs our members have expressed and helps providers take their first step toward verifying the security of their cloud products for government,” said McGrath.

Providers can begin the StateRAMP Security Snapshot process by becoming a member and submitting an online form, which will go live in January. Once a StateRAMP Security Snapshot is completed, a letter will be issued to the Provider with a product’s security maturity score. Governments will be able to request Snapshot scores from Providers to gain better insight into the security posture of third-party cloud solutions, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) products.

The StateRAMP Security Snapshot can be utilized throughout the procurement process, as governments may utilize the Snapshot to determine the risk associated with products being considered for procurement. The Snapshot may also be used by Governments to assess progress toward StateRAMP Authorization for products once contracted.

“I appreciate the time the Standards & Technical committee, along with the StateRAMP team, spent developing the StateRAMP Security Snapshot,” said Dan Lohrmann, Chair of the StateRAMP Standards & Technical Committee. “The snapshot has been a missing piece for providers to get started, and we are excited to offer this service to providers and government.”

StateRAMP Security Snapshot reviews will take around three weeks to complete and will provide a moment-in-time representation of a product’s security maturity. StateRAMP recommends that a valid Snapshot be no older than 12 months.

“The StateRAMP Security Snapshot allows us to identify gaps so we can develop resources to help service providers achieve Ready status,” said Noah Brown, StateRAMP PMO Director. “I compare the StateRAMP Security Snapshot to the 2-mile run on the Army ACFT. Before you begin a training program, you need to run two miles and score your time. Before beginning the StateRAMP Readiness Assessment Report, the snapshot can help service providers identify where they are in comparison to StateRAMP Ready requirements.”

Snapshot reviews will be available in January, and fees will range from $500-$1500, based on a tiered structure. The updated fee structure can be found here. A letter is provided with the StateRAMP Security Snapshot Score. Scores are not publicly posted, and any sharing of Scores is at the discretion of the provider.

Visit stateramp.org to view the criteria for StateRAMP Security Snapshots.

Register for an introductory webinar here