Why did your organization become a StateRAMP member?
After maintaining the highest level of compliance and security in the federal market, we wanted to provide that same level of confidence in Kahua for our state customers. We became StateRAMP authorized because – just like FedRAMP – we looked at the compliance program, and it is industry-accepted best practices for security. It is the bar. We want to prove that we mean what we say: We treat your security with the utmost importance.
What advice do you have for other providers progressing through the StateRAMP process?
Number one, do not think you can wing it. You cannot simply just say, “Hey, I’ll make a few changes, and we’re ready to go.” You have to build that security from the ground up. You must take all controls over these compliance programs and ensure they are implemented. That’s paramount. You need to do it where it all works together and works well with your system. This is what gives you a robust system.
How do you stay up to date with the evolving cybersecurity landscape?
Keeping up with what StateRAMP and FedRAMP share is the most important thing. Both provide industry updates, and FedRAMP distributes security notices, security changes and revisions. It’s an evolving compliance program. So as new controls come along, we’re adhering to them. Whether it’s mitigation techniques or an updated security concept or construct, we’re proactively looking at those.
How has StateRAMP benefited your organization so far?
We benefit from it on a bottom-line basis! We are now seeing more and more RFPs that require StateRAMP for software vendors. Without StateRAMP Authorization, you can’t even participate in the conversation. It has absolutely helped us because we are now submitting proposals and being selected based on our StateRAMP approval.
Another benefit is that it further strengthens Kahua’s controls. We revisit those controls for the compliance program, which means continuous monitoring. And so, there is another level of security that applies here.
Please share any specific challenges or lessons learned from your StateRAMP journey.
Because of our familiarity with FedRAMP, we didn’t have a lot of challenges achieving StateRAMP authorization. We had to ensure all controls were comparable to meet StateRAMP parameters. Our Kahua software packages must align with it on a monthly basis, which takes a team.
The lesson learned is making sure we have synergy with the two programs rather than not having synergy, which would create more work for administrative overhead. It is about paying attention to what we’ve signed up to do.
