StateRAMP Progressing Security Snapshot Terms & Conditions
- Duties of PMO. The PMO shall create a repository in Box for the service provider and request that artifacts from the summary of criteria listed below be uploaded, and/or take screenshots during the intake call. The PMO will review the artifacts collected and determine whether they meet or do not meet each criterion and its associated points. Points will be tallied and provided to the Service Provider in the form of a Snapshot Score letter. Score letters and points are not posted or disclosed by the PMO to any other entities without the express permission of the service provider. The Service Provider may choose whether or not to share the associated snapshot score letter with state procurement. Consultative calls will be scheduled each month by the member engagement specialist between the service provider and the PMO.
StateRAMP Progressing Security Snapshot Methodology:
Snapshot scores are derived from a combination of the impact each criterion has on the Service Provider’s ability to move forward with a StateRAMP assessment, its impact on security, and the insight and information the StateRAMP PMO can provide to the government procurement and security teams. Service Providers receive higher points for hosting in a StateRAMP Authorized IaaS, as the StateRAMP PMO has direct insight into the state of security of the underlying IaaS solution. Additional, but reduced, points can be awarded for leveraging a FedRAMP Authorized IaaS or for the solution itself being FedRAMP Authorized; the rationale for the reduced points is the lack of continuous-monitoring insight the StateRAMP PMO is able to provide to the government in those cases. Similarly, points can be earned for other regulatory compliance frameworks and penetration tests at a reduced scoring level, as other audit frameworks and penetration tests do not always specify parameters for controls or include the full scope of the boundary required for a penetration test. Finally, because of its overall company-wide impact, annual security awareness training is an additional requirement for increased points, as it has a direct effect on the company’s security posture. The remaining requirements, scored at one point each, consist of the StateRAMP minimum mandate controls. To receive points for an individual criterion, artifacts must be captured by the StateRAMP PMO and verified to meet the requirements of that criterion in its entirety.
Summary of Required Security Controls
Is your product hosted in a StateRAMP Authorized IaaS?
Is your product hosted in a FedRAMP Authorized IaaS?
Is your product currently FedRAMP Authorized?
Has your product completed one of the following audits: SOC 2 Type 2, ISO 27001, CSA STAR, HITRUST?
Has your product completed a penetration test?
Do you provide Security Awareness Training Annually?
Are modern cryptographic modules consistently used where cryptography is required?
Can the system support single sign on?
Does the SP scan for and consistently remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days?
Do the SP and system utilize an audit and event monitoring solution that can support 90 days of online storage and 365 days of event/log data?
Does the system’s external DNS solution support DNS Security (DNSSEC) to provide origin authentication and integrity verification assurances?
Does the system require multi-factor authentication (MFA) for administrative accounts and functions?
Does the system ensure secure separation of customer data?
Does the system have the capability to detect, contain, and eradicate malicious software?
Does the system protect audit information from unauthorized access, modification, and deletion?
Does the SP have the capability to recover the system to a known and functional state following an outage, breach, DoS attack, or disaster?
Does the SP maintain a current, complete, and accurate inventory of the information system software, hardware, and network components?
Does the SP employ automated mechanisms to detect inventory and configuration changes?
Does the SP follow a formal change control process that includes a security impact assessment?
Does the SP prevent unauthorized changes to the system?
Does the SP scan for configuration settings on systems in the environment?
Does the SP have an Incident Response Plan?
Does the SP have a Configuration Management Plan?
Does the SP have a Contingency Plan and a fully developed Contingency Plan test plan in accordance with NIST Special Publication 800-34?
Does the SP conduct code analysis for internally developed code?
*IaaS Only* Does the SP restrict physical system access to only authorized personnel?
*IaaS Only* Does the SP monitor and log physical access to the information system, and maintain access records?
*IaaS Only* Does the SP monitor and respond to physical intrusion alarms and surveillance equipment?
*IaaS Only* Does the system have or use alternate telecommunications providers?
*IaaS Only* Does the system have backup power generation or other redundancy?
*IaaS Only* Does the SP have service level agreements (SLAs) in place with all telecommunications providers?
- Duties of the Service Provider. The Service Provider shall provide all required documentation and fees to the PMO; the PMO will start the StateRAMP Security Snapshot once all of the artifacts have been uploaded to the secure portal. The Service Provider will adhere to the project timeline, agenda, and expectations outlined in the intake and scheduling email.
- Consideration. Knowledge Services shall be paid for performance of duties set forth in this document as published and agreed upon prior to performance of duties. The Service Provider enters into this agreement for a period of 1 year.
- Termination. No termination of the contract will occur within the first sixty (60) days of the agreement period. The parties may terminate this Contract with thirty (30) days’ notice to the other party, provided that payment for the Services herein is nonrefundable once Services have commenced under this Contract. Payments scheduled within the 30-day notice period will be paid and services will be delivered.
- Assignment; Successors. Service Provider binds its successors and assignees to all the terms and conditions of this Contract. Service Provider may assign its right to remit payments to PMO to such third parties as the Service Provider may desire without the prior written consent of PMO, provided that the Service Provider gives written notice (including evidence of such assignment) to PMO thirty (30) days in advance of any payment so assigned. The assignment shall cover all unpaid amounts under this Contract and shall not be made to more than one party.
- Changes in Work; Work Standards. The parties shall not commence any additional work or change the scope of the work until authorized in writing by the signatories hereto. This Contract may only be amended, supplemented, or modified by a written document executed in the same manner as this Contract.
The PMO represents that the Services will be performed in a workmanlike and professional manner.
Service Provider agrees that the PMO will not be responsible for nonconformities or any errors in deliverables resulting from the PMO’s reliance on inaccurate, inauthentic or incomplete data or information provided by Service Provider. Service Provider will cooperate with the PMO, take all actions reasonably necessary to enable PMO to perform the Services, and adhere to the timeline set up at the intake call. To that end, Service Provider will provide, on a timely basis, all information requested by the PMO to enable the PMO to provide the Services. While the PMO’s goal is to deliver a Snapshot in a timely manner, there is no guarantee of a timeframe for delivery of StateRAMP Security Snapshot scoring.
Service Provider further acknowledges and agrees that (a) any outcome of the Services is limited to a point-in-time examination, (b) the outcome of any review, audits, or assessments, and the opinions, advice, recommendations and/or authorization of PMO, do not constitute any form of representation, warranty or guarantee that Service Provider’s systems are secure from every form of attack, and PMO is not making any such assertions by providing Services under this Contract, (c) in examining Service Provider’s status, PMO relies upon accurate and complete information provided by Service Provider, and (d) Service Provider is solely responsible for the scope, goals and overall direction of the Services. Any jurisdiction that utilizes the StateRAMP Security Snapshot for evaluation for award of a contract or for determination of suitability for work is in no way controlled by PMO or StateRAMP. Furthermore, neither PMO nor StateRAMP is responsible for the way in which the StateRAMP Security Snapshot is evaluated or utilized by any jurisdiction or outside organization.
- No Implied Warranties. Other than those expressly contained in this Section, neither Party makes any other representations or warranties, implied, statutory or otherwise, with respect to the Services or Deliverables. PMO EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- Limitations on Liability. Neither Party, nor its employees, officers and directors, will be liable to the other Party under the Contract for commercial loss and lost profits or any consequential, incidental, indirect, punitive or special damages, or any other similar damages under any theory of liability, whether in contract, tort or strict liability, however caused and regardless of legal theory or foreseeability, directly or indirectly, arising under this Contract. In no event shall the liability of PMO under this Contract exceed the fees payable to PMO by Service Provider.
- Compliance with Laws. The Service Provider shall comply with all applicable federal, state, and local laws, rules, regulations, and ordinances, and all provisions required thereby to be included herein are hereby incorporated by reference. The enactment or modification of any applicable state or federal statute or the promulgation of rules or regulations thereunder after execution of this Contract shall be reviewed by PMO and the Service Provider to determine whether the provisions of this Contract require formal modification.
- Confidentiality of Information; Legal Requests. The parties understand and agree that data, materials, and information disclosed may contain confidential and protected information. The parties covenant that data, material, and information gathered, based upon or disclosed for the purpose of this Contract will not be disclosed to or discussed with third parties without the prior written consent of the disclosing party.
If either party is requested or required by deposition or written questions, interrogatories, requests for production of documents, subpoena, investigative demand or similar process to disclose any information originating with the other party, the party in receipt of such request or requirement will provide prompt written notice to the other party and will cooperate with the other party’s efforts to obtain an appropriate protective order or other reasonable assurance that such information will be accorded confidential treatment that the other party may deem necessary.
- Disputes. Should any disputes arise with respect to this Contract, the Service Provider and PMO agree to act immediately to resolve such disputes. Time is of the essence in the resolution of disputes. PMO agrees that, the existence of a dispute notwithstanding, it will continue without delay to carry out all of its responsibilities under this Contract that are not affected by the dispute. The Service Provider may not withhold payments on disputed items.
- Force Majeure. In the event that either party is unable to perform any of its obligations under this Contract or to enjoy any of its benefits because of natural disaster or decrees of governmental bodies not the fault of the affected party (hereinafter referred to as a “Force Majeure Event”), the party who has been so affected shall immediately or as soon as is reasonably possible under the circumstances give notice to the other party and shall do everything possible to resume performance. Upon receipt of such notice, all obligations under this Contract shall be immediately suspended. If the period of nonperformance exceeds thirty (30) days from the receipt of notice of the Force Majeure Event, the party whose ability to perform has not been so affected may, by giving written notice, terminate this Contract.
- Governing Law. This Contract shall be governed, construed, and enforced in accordance with the laws of the State of Indiana, without regard to its conflict of laws rules. Suit, if any, must be brought in the State of Indiana.
- Merger; Modification; Waiver of Rights. This Contract constitutes the entire agreement between the parties. No understandings, agreements, or representations, oral or written, not specified within this Contract will be valid provisions of this Contract. This Contract may not be modified, supplemented, or amended, except by written agreement signed by all necessary parties. No right conferred on either party under this Contract shall be deemed waived, and no breach of this Contract excused, unless such waiver is in writing and signed by the party claimed to have waived such right.
- Ownership of Documents and Materials.
A. Service Provider Materials Provided to PMO; Ownership Remains with the Service Provider. All documents, records, programs, applications, code, data, algorithms, film, tape, articles, memoranda, and other materials delivered to PMO by the Service Provider in the performance of this Contract (the “Service Provider Materials”) shall be and remain the property of the Service Provider. Use of the Service Provider Materials, other than related to contract performance by PMO, without the prior written consent of the Service Provider, is prohibited. During the performance of this Contract, PMO shall be responsible for any loss of or damage to the Service Provider Materials while the Service Provider Materials are in the possession of PMO. Any loss or damage thereto shall be restored at PMO’s expense. PMO shall provide the Service Provider full, immediate, and unrestricted access to the Service Provider Materials during the term of this Contract.
B. PMO Materials Provided to the Service Provider; Ownership Remains with PMO. All documents, records, programs, applications, code, data, algorithms, film, tape, articles, memoranda, and other materials delivered to the Service Provider by PMO in the performance of this Contract (the “PMO Materials”) shall be and remain the property of PMO. Use of the PMO Materials, other than related to contract performance by the Service Provider, without the prior written consent of PMO, is prohibited. During the performance of this Contract, the Service Provider shall be responsible for any loss of or damage to the PMO Materials while the PMO Materials are in the possession of the Service Provider. Any loss or damage thereto shall be restored at the Service Provider’s expense. The Service Provider shall provide PMO full, immediate, and unrestricted access to the PMO Materials during the term of this Contract.
- Penalties/Interest/Attorney’s Fees. PMO will in good faith perform its required obligations hereunder and does not agree to pay any penalties, liquidated damages, interest, or attorney’s fees.
- Reference to the Service Provider in PMO Marketing. Service Provider agrees that the PMO may refer to Service Provider in a published list of StateRAMP Authorized service providers.