Easy Access: What FedRAMP Redesign Means for Users

The Federal Risk and Authorization Management Program’s redesign of its marketplace is focused on smoothing navigation. The update to FedRAMP, first launched in 2011, followed dialog with users on pain points.

The Federal Risk and Authorization Management Program (FedRAMP), which helps ensure government can access secure cloud technologies, continues its push to enhance the accessibility and expediency of government tech resources through a redesign of its FedRAMP Marketplace, according to a recent press release.

After FedRAMP’s initial launch in 2011, its program management office initiated a discovery phase in 2021 to engage with users and stakeholders, gathering feedback and uncovering pain points in the existing marketplace system to help shape the redesign. With last year’s redesign, the new interface reduces the clicks needed to access information about cloud service providers, making it easier for users to navigate and find relevant services. Agencies can more easily find and understand which cloud products have already been reviewed and authorized for use by agencies, so that they can use them without having to do their own review.

The marketplace features a list of federal agencies using FedRAMP-authorized tools and FedRAMP-recognized assessors/auditors that can perform assessments for agencies seeking approved cloud products. There are currently 327 FedRAMP-authorized cloud products within the Marketplace, according to the release.

As FedRAMP strengthened the look and feel of its current program, a state government version of its plan called StateRAMP has been gaining ground over the last four years. Created in 2020, the platform was modeled after the federal version to develop a security review program designed for state and local governments.

How do the two programs differ? There are several fundamental differences. StateRAMP is overseen by a board of directors and operates as a nonprofit entity with the primary objective of advancing cybersecurity best practices through education, advocacy and policy development. It’s not officially affiliated with the U.S. government but, like FedRAMP, it uses National Institute of Standards and Technology requirements to create a list of authorized vendors.

In contrast, FedRAMP generally centers on executing security assessments and offering strategies for the adoption of cloud services. Variations between the two also exist in the level of engagement among the organizations, the involvement of service providers in security reviews, and the role of government agencies in receiving security reporting.

Membership in StateRAMP is voluntary, and any government official or employee with responsibility for information security, information technology, privacy and/or procurement can become a StateRAMP Government Member.

Since FedRAMP’s program is part of the General Services Administration, utilizing the service is not voluntary. Federal agencies must use the program when searching for a cloud-deployed product or service.

However, the goals of both are essentially to raise security standards to prevent bad actors from infiltrating government systems. Both establish a foundational level of security across all agencies and programs, which promotes interoperability and aligns with states' efforts to standardize specific regulatory frameworks.

These types of regulations are also often a prerequisite for obtaining grants, emphasizing the critical role both could play in the broader landscape of cybersecurity implementation for local, state and federal governments.