StateRAMP is the latest major compliance program to splash onto the news headlines... and I’m pretty excited about it! Designed as a standardized approach to security authorizations for Cloud products at the state level, StateRAMP tackles the same problem and is intended as an extension to the well-known FedRAMP program.
In contrast to CMMC, which has been transparent about being established in response to vendors claiming half-truths on their NIST 800-171 self-assessments, StateRAMP is not cracking down on vendors, but instead working to extend their reach. Cloud Service Providers (CSPs) with existing FedRAMP authorizations are being encouraged to cooperate with StateRAMP and join the 501(c)(6) membership-based non-profit organization in order to make their security documents available to state agencies and open doors for streamlined contracts at the state level.
The current pain point is that FedRAMP packages are only available for review by federal agencies. The mantra of “verify once, re-use many times” only applies if the buyer is at the federal level, in this case. If you’re a state CIO, you don’t get to leverage the work already done and you have to start from scratch on your risk assessment, other than what documentation the vendor can provide unofficially and the simple knowledge that somebody has issued a FedRAMP ATO. The new StateRAMP program aims to rectify this and makes a ton of sense, especially when you think of the sheer number of state agencies that can benefit from the pre-screening and expertise of the 3rd party auditors.
Speaking of independent auditors, 3PAOs trained and certified to act as Advisor or Auditor for FedRAMP will also be authorized to act in the same capacities for StateRAMP, which should help eliminate lengthy onboarding issues that have plagued other programs. StateRAMP is working from the premise that reciprocity and extension are of primary importance, and it shows.
It is also my understanding that documentation packages will need to be re-submitted and re-audited in order to receive a StateRAMP ATO. This is a big positive for the end users, as problematic POA&Ms will go under the microscope once more. I have not received confirmation yet, but I have heard that 3PAOs will not be allowed to audit the submission for StateRAMP if they were already involved in the FedRAMP audit, in the interest of getting fresh eyes. This would be another net win on behalf of the procuring agencies. If an issue snuck through FedRAMP, it’s certainly unlikely to get waved through a second time by a second 3PAO.
I see this as a significant opportunity for Cloud Service Providers to get more ROI out of their FedRAMP investment. They will get to double down, with minimal relative additional spend, to have a potential competitive edge at the state level. This is all good news for vendors that have already embraced FedRAMP.
Is it possible that other CSPs will get squeezed?
Specifically the ones that may have eschewed FedRAMP because of the effort required?
Particularly the vendors that have focused on selling to the SLED market instead, to strategically avoid FedRAMP requirements in federal contracts?
Maybe.
That said, if the vendor is already meeting the relevant requirements, namely the NIST 800-53 standards, which have already become more common at the state level in recent years, this would just be an effort to formalize it and then they could open up Federal revenue streams via reciprocity. Differentiation and heavily nuanced distinctions between contracting with Federal and state agencies creates difficulty and redundant work.
I think this trend toward a level of uniformity and standardization is valuable as the Public Sector moves toward greater efficiency in procurement. We heavily favor streamlined and repeatable actions in procurement in the interest of getting the best, latest, and most relevant technology into the hands of government users, especially when it’s possible to deploy COTS (commercial off-the-shelf) solutions that can make a significant difference quickly… but I would love to hear your opinions about the effects of StateRAMP. Please reach out via social media or comment when I share links to this blog post!
One last note - I would strongly recommend checking out the resources on StateRAMP’s website, and their webinar on Friday, April 30th, hosted with Carahsoft. (Register even if you can’t attend. The recording and presentation slides should be available shortly afterwards.)
Happy hunting!