FedRAMP, StateRAMP and Cloud Security Compliance: An Overview

In this interview with Jason Oksenhendler, a cloud security expert experienced with both FedRAMP and StateRAMP, we cover all things government cloud security compliance.

2023 has seen many developments regarding the Federal Risk and Authorization Management Program (FedRAMP) and the State Risk and Authorization Management Program (StateRAMP).

So, in order to describe the overall programs and to answer some basic questions regarding FedRAMP and StateRAMP, I asked Jason Oksenhendler, a cloud security expert experienced with both programs, if he was willing to talk to me about important cloud security compliance questions.

Jason is currently vice president of cloud compliance at Merlin Cyber. Previously, he worked for almost six years with Coalfire as director, FedRAMP/StateRAMP/NIST advisory subject matter expert.

I have worked with Jason for several years on the StateRAMP technical committee, and he brings a wealth of knowledge and expertise to all FedRAMP and StateRAMP topics.

Dan Lohrmann (DL): You’ve been in government technology compliance regulations for most of your career. In your view, why are these security regulations so important?

Jason Oksenhendler (JO): Thanks for pointing out that I am old, Dan.

I started doing certification and accreditation assessments starting with NIST 800-26. Go look that up if you’re interested.

The regulations are not just important — they are critical. If public and private industry continue to make security an afterthought and not a top-five priority, the amount they’re going to pay initially won’t even measure what they’ll shell out for lawsuits. Security must be in everything. Period. It should have its own line item in the annual budget. Given the day and age in which we live, in my honest opinion, security is no longer an option.

DL: How has FedRAMP evolved since it first became required for federal agencies?

JO: The biggest change is that this once-small program coming out of the second floor of General Services Administration (GSA) over on 18th and F in D.C. is now a law. That’s an incredible accomplishment and I was glad to have my three years on the Joint Authorization Board (JAB) representing GSA.

FedRAMP 2013 and FedRAMP 2023 are two very different FedRAMPs. The current incarnation, like everything else, has its bumps and bruises, but there are a ton of intelligent subject matter experts at the PMO and GSA, Department of Homeland Security (DHS) and Department of Defense (DoD) who work to make authorizations happen. FedRAMP now is more efficient, and I suspect, now that it’s a law, will become more efficient.

Back in the day, the information system security officers (ISSOs) were go-betweens for the JAB and CSP. I was one of those ISSOs who then became a JAB-TR for GSA reviewing continuous monitoring packages for authorized CSPs. I love FedRAMP. I’ve made a career out of it. It's not for the faint of heart. It has an appropriate balance of security based on the data types that flow into and out of the system. It requires time, patience, money and people. It’s a commitment.

When I used to lead gap analyses at a previous job, I would always get asked, “How are we supposed to do this? The costs are astronomical. You know what my CFO is going to say?” I would politely acknowledge the very real and truthful concerns. I did. I do. I still do. However, I never heard a CFO complain about the company’s return on investment after their pipeline became robust.

DL: How is StateRAMP similar to FedRAMP?

JO: The concepts are the same: Do once, use many times. The control baselines are similar for the most part, minus the federal government-centric specifics. The goals are the same insofar as raising security standards to prevent bad actors from wreaking havoc in government and industry. There are sponsors: federal agencies for FedRAMP and state/local government/educational institutions for StateRAMP. FedRAMP to me is the gold standard in the civilian world. StateRAMP’s evolution into the program that it is today happened very much like FedRAMP’s. It started slow, but gradually ramped up.

DL: How is StateRAMP different from FedRAMP?

JO: Well, the obvious — StateRAMP targets the SLED market whereas FedRAMP targets the federal government. The biggest difference, I would say, and I hope this changes in due time, is that there’s no reciprocity between StateRAMP and FedRAMP. With a FedRAMP authorization to operate (ATO) package, a service provider can apply through the StateRAMP Fast Track Program and, after an intake and package review, will receive a StateRAMP ATO. But if you have a StateRAMP ATO, that means you’ve gone through either the StateRAMP Ready or the full StateRAMP assessment; service providers cannot receive FedRAMP Ready or a FedRAMP ATO on that basis. After attending the StateRAMP summit a few months ago and hearing the positive remarks from major security players in the federal government, I am hopeful that this will come to fruition at some point.

DL: What are the biggest changes that you see coming to StateRAMP in the coming year?

JO: Growth. Adoption. More growth and more adoption. State governments, local governments and education institutions can no longer say, "There’s no platform for us to implement to guide us or help us" — there is. It’s robust, practical, crystal clear and ready for the taking. So I encourage all to start looking into StateRAMP. When all 50 states turn one color on the adoption map, that will be a momentous occasion.

DL: How would you respond to a government leader who thinks StateRAMP requirements are too expensive or too bureaucratic to implement (with too much paperwork)?

JO: Security is not an option. It’s a requirement. If there’s no line item in your budget for it, don’t complain when your organization is on the front cover and home page of the Washington Post. You must spend money to make money. It’s an investment. And it’ll cost a lot less to implement StateRAMP than to pay attorneys by the hour.

DL: You’ve worked for several different service providers. Can you describe the different roles played and services available to assist both governments and companies seeking to become StateRAMP certified?

JO: The advice is the same: Perform due diligence. StateRAMP is very attainable, and FedRAMP is attainable as well. But it requires money, people, planning and an executive sponsor. Both the FedRAMP and StateRAMP websites are great sources of information, as are the respective PMOs. If you are strategic about implementing either framework, the end result will speak for itself.

DL: Is there anything else you want to add?

JO: It’s time to make security a priority. I’m in the middle of reading your book and the scenario at the beginning is enough to make a CIO or CISO have a panic or anxiety attack. Bad actors are not going away. It’s a simple concept. We can’t control what they do, but we can control what we do, and that’s really a call to action for everyone, industry, government, education — literally everyone to make security a priority. Even at home … how many of you have never changed your router password from the default? Make security a priority.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.