Why did your organization become a StateRAMP member?
Mimecast chose to become a StateRAMP member because we want to help public sector organizations reduce cyber risk. We help close security and continuity gaps by defending against the biggest sources of cyber risk. We have a dedicated team of professionals solely focused on helping public sector organizations work protected.
What advice do you have for other providers progressing through
- For first-timers, allow more time for the audit because the level of assurance is higher than that of SOC2. Think of it more as a sprint.
- Manage expectations internally to get ahead of things and partner with relevant subject matter experts in the business as early as possible (i.e. CISO, Product and Engineering).
- Establish a working relationship with your 3PAO as they are a huge part of your assessment and learning journey.
Please share any specific challenges or lessons learned from your StateRAMP journey.
Mimecast was ahead of the game with our well-established and innovative consolidated audit program for external assurance. However, there were upgrades we needed to make to meet higher standards such as:
- The StateRAMP audit process sets a high bar for the required technical detail of evidence collected during continuous monitoring.
- 3PAO auditors are technically competent information security professionals, so we had to prepare for detailed examinations of how our cloud platforms were configured, and a deep dive into our code base.
- We augmented our internal training program for our auditors to include hands-on technical mentoring, with Product and Engineering, on how our products and services are designed and built.