Why Now

As a top target for cyber criminalsgovernment needs to remain vigilant in protecting their most sensitive data.  

According to an August 2019 report by Barracuda Networks, nearly 66% of all ransomware attacks from January to June targeted government – and 70% of those attacks were successfulWhile ransomware isn’t new or the only form of malware, it alone was predicted to cause $11.B in damages in 2019.  

Cyber criminals have identified governments as easy targets in their exploits, and given the sensitive nature of government data, cyber security is a real threat.  

To date, most states have focused cyber security efforts on securing its internal systems and training employees.  Those are critical initial steps for protecting citizen data from cyber-attacks. However, if states do not also address cloud services, they are leaving the backdoor open to cyber criminals. While state and local governments have begun to take steps to secure their own databases, not much has been done to validate the oversight and protection of third party cloud service providers with whom they do business.  

Aware of the risks, most states have adopted requirements for third party cloud providers to meet cyber security standards developed by the National Institute of Standards & Technology, but there has not been a cost-effective way for states to efficiently verify compliance until StateRAMP™.  

StateRAMP™ was developed with procurement and IT officials in mind – to bridge the gap between the two offices and provide a framework of cyber security standards for government contractors. All too often procurement officials are challenged with procuring the best cloud services and software for the lowest price, without the tools or resources to verify cyber security compliance.  

With StateRAMP™, State procurement and IT offices can now:  

  • Ensure that third party cloud service providers meet the cyber security standards to do business with the government 
  • Reduce third party providers’ cyber risk to government, their employees, and citizens 
  • Curb cost of cyber insurance 
  • Reduce overhead in additional staffing 
  • Eliminate duplication of efforts and minimize risk management costs 
  • Enable rapid and cost-effective procurement of information systems/services for State and local governments 

Why is StateRAMP™ Needed

StateRAMP™ was created to help State governments bridge the disconnect between published policy and the procurement and Information Technology organizations.  Most government procurement organizations lack budget and cyber expertise necessary to verify stated CSP vendor prerequisites. Similarly, IT organizations lack contract oversight as well as budget and headcount needed to conduct CSP vendor compliance verification. 

StateRAMP™ provides utility for State specific cyber security standards, CSP vendor compliance and timely updates.  StateRAMP™, with verified 3rd party compliance, offers that capability for State reciprocity. StateRAMP™ helps State governments:  

  • Ensure that cloud based services have adequate information security 
  • Reduce 3rd party cloud cyber risks 
  • Reduce costs (insurance, personnel, etc.) 
  • Eliminate duplication of effort and reduce risk management costs 
  • Enable rapid and cost-effective procurement of information systems/services for States

Our Goals

StateRAMP™ was formed to help States cost effectively avoid unnecessary cyber risks.  StateRAMP™ provides State governments with a validated source for State CSP vendor 3PAO verified cloud solutions.  StateRAMP™ also provides CSP vendors a consistent cloud security framework, potentially reusable across all states.  The StateRAMP™ process reduces direct costs for both States and their CSP vendors. StateRAMP™ levels the playing field for all participants while reducing indirect costs resulting from data loss, ransomware and other cyber-attacks. 

Leveraging proven and consistent security authorizations thru the federally accepted NIST 800-53 baseline standards, StateRAMP™ ensures consistent application of those standards.  Using federal and commercially accepted security baselines, StateRAMP™ provides States application driven flexibility while retaining verified results.   

StateRAMP is designed as a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant CSP vendor security assessments.