StateRAMP is aiming to bring the federal process for vetting the cybersecurity of tech companies and products to the state and local government level. Recently, the organization outlined how it will work for vendors.
StateRAMP, which is aiming to transpose the federal government’s process for certifying the security of technology to state and local government, will soon start assessing IT companies and products.
But how will StateRAMP work for those companies?
The organization, which is incorporated as a nonprofit, recently outlined the process at a virtual event for prospective industry partners. Here are some of the biggest takeaways:
The organization is setting up a reciprocity system allowing companies that have already gone through FedRAMP to run through the StateRAMP process with relative ease. For products with an Authority to Operate (ATO) certificate, a Provisional ATO or those designated FedRAMP Ready, there will be three steps:
Those with a low-impact designation under FedRAMP will fall into StateRAMP’s Category 1. Moderate-impact products will be listed as Category 3, while high-impact products will be listed as Category 3+.
StateRAMP’s Category 2 is for low-impact products with some moderate-impact control baselines.
“There’s certain controls that quite honestly are written into NIST and are part of the FedRAMP baseline that would not apply to a state government,” said Noah Brown, CISO of the managed services provider Knowledge Services, during the webinar. “So I would say that if you’re fully complying with FedRAMP Moderate, you’re not going to run into any surprises coming to a StateRAMP Category 3.”
The organization is also only using third-party assessment organizations (3PAOs) that are already working with FedRAMP. So far, about 20 3PAOs from FedRAMP have signed up for StateRAMP.
Companies can achieve one of three statuses under StateRAMP: Ready, Authorized or Provisional, none of which is necessarily a step toward another. A “Ready” designation is the only one that doesn’t require a sponsoring government; it requires that the vendor meet minimum requirements and go through a third-party readiness audit.
Authorization requires a sponsor, and the vendor must meet all the requirements for its impact tier, as well as go through a third-party security audit.
Provisional status means a vendor has a sponsor and has met the minimum requirements as well as some, but not all, of the requirements for its impact tier.
Governments can join StateRAMP for free, but for vendors there will be a $500 annual membership fee.
Vendors will also need to pay $2,500 for the PMO to conduct a review for Ready status, or $5,000 for an authorization review. Continuous monitoring will be another $5,000 per year.
“Continuous monitoring will be centralized through the StateRAMP PMO, versus maintained by the states or agencies as you see in FedRAMP,” said Leah McGrath, StateRAMP’s executive director, during the webinar. “And that centralization is what allows service providers to benefit from that ‘do once, use many’ approach, and it also allows state and local governments to have that single point of contact or reference for the continuous monitoring reporting. It also ensures that there is consistency of application across the standards.”
There will be a fee for any companies that are coming to StateRAMP from FedRAMP for converting documents to StateRAMP’s templates, which will vary from vendor to vendor.
The organization plans to open up membership to vendors starting in April. It hopes to begin the FedRAMP reciprocity process in May, and then publish its first list of authorized products in June.