Why did your organization become a StateRAMP member?
CoSo Cloud may become a StateRAMP member for several reasons. StateRAMP provides a comprehensive security framework to improve cloud security for state and local governments. It offers a standardized approach to verifying that cloud service providers (CSPs) meet the required standards and regulations. Being StateRAMP authorized can help state and local governments protect citizen data, reduce burdens on the government, and save service providers and taxpayers money. It also promotes cybersecurity education and best practices.
What advice do you have for other providers progressing through
Understand the Security Controls, especially under the new NIST 800-53 Rev 5 revision, for your security program, and always seek ways to improve your security posture while advancing through the process.
How do you stay up to date with the evolving cybersecurity landscape?
There is no shortage of cybersecurity resources and references. We subscribe to cybersecurity and security blogs and articles from various sources. We also stay connected with cybersecurity professionals and encourage everyone to share information, successes, and lessons learned.
How has StateRAMP benefited your organization so far?
StateRAMP’s monthly Continuous Monitoring submittals encourage a different view than our monthly FedRAMP Continuous Monitoring submittals. StateRAMP asks for information and data separate from what our FedRAMP sponsors ask for.
To provide this new data, we had to create processes to deliver data monthly, strengthening our security posture.
Please share any specific challenges or lessons learned from your StateRAMP journey.
The monthly POAM Executive Summary highlighted areas where CoSo could improve, especially in the NIST 800-53 Rev 4 to Rev 5 transition. The opportunities were challenging for us because we saw metrics we had never tracked before, so we had to think of new ways to deliver the data StateRAMP was looking for. In doing so, our POAM Management maturity level grew, and our overall security posture improved.
What cybersecurity-related events, conferences, or webinars do you recommend for industry professionals?
While it’s easy to only pursue or attend events, conferences, and webinars that align with your strengths and/or passions, we encourage industry professionals to step out of their comfort zones to pursue topics they have minimal knowledge of. In doing this, a passion may be discovered, or, if not, the industry professional has knowledge about a topic they previously didn’t have.
How can other members or organizations collaborate with your company on cybersecurity projects?
Is there anything else you would like to share with the StateRAMP community or the broader cybersecurity community?
The StateRAMP PMOs have been tremendous! We’ve met with them many times since achieving StateRAMP certification, and each time we leave the meeting, we’re impressed with their knowledge and willingness to collaborate with us.