StateRAMP, or the State Risk and Authorization Management Program, launched in early 2021. The organization evaluates the data security capabilities of participating cloud vendors that sell to state and local government.
But not all providers have a clear idea of how to bring their security up to the necessary levels, and governments considering procurements may want more insights into companies that have yet to achieve certification.
The new feature intends to address both concerns, said StateRAMP Executive Director Leah McGrath during a Jan. 12 webinar.
“About a year ago — as we’ve listened to input from our members, both from the provider standpoint and from our government members — there was a question of, how do we begin? How do we get started? And the Snapshot is really the answer to that question,” McGrath said.
Governments considering procurement can view StateRAMP’s list of authorized products to understand providers’ cybersecurity capabilities, compared against the same standards.
This spares agencies from having to rely on companies’ self-attestations or try to vet security claims on their own — something state and local governments may lack the capacity to do, said StateRAMP Government Engagement Director Rebecca Kee.
“As a former procurement professional … we didn’t have the bandwidth to check the 500 controls we were asking about,” Kee said.
Providers, meanwhile, are spared from undergoing a slew of different cybersecurity vetting processes if they can get one StateRAMP certification that many prospective clients will accept. Vendors pay for StateRAMP membership and evaluation, while interested governments join for free.
Currently, StateRAMP’s Authorized Product List identifies 38 products that either qualify as “authorized,” meaning they meet all requirements and have a government sponsor; “provisional,” meaning they “exceed minimum requirements” and have a government sponsor; or “ready,” meaning they meet minimum requirements.
Meanwhile, four local governments or local government agencies, two universities and 17 states participate in StateRAMP at current count.
Providers trying to obtain their first ready status may struggle to determine where they’re falling short and what steps are still needed. Prospective government buyers, too, often want to understand how close providers are to getting certified and want to understand the level of risk their agencies would be assuming if they contracted with uncertified companies.
The Security Snapshot aims to meet both those needs. It features a gap analysis, “including specific controls and requirements that are going to have a significant impact on the security state of that system,” said StateRAMP Program Management Office Director Noah Brown.
The tool also offers providers a numerical score from 0 to 60 that is intended to reflect how well they match up against minimum security criteria. The scores are private, and providers might choose to share them with prospective government clients, McGrath said.
For example, Kee said, governments might ask existing business partners for Snapshot scores so they can better see how the companies’ current security statuses affect government data and identify necessary next steps. Governments might also ask for scores as part of their requests for solicitations, letting them better evaluate companies that have not yet achieved StateRAMP certifications and understand the level of risk associated with selecting such providers.
“What it allows our government partners to do is look at those products also from a cybersecurity angle and say, ‘Is this something that we can live with? How can these products progress to a level that we are comfortable with? … How far away are they? How much time do they need?’” Kee said.
Brown said governments can trust these scores because they’re based on independent reviews, not self-attestation.
“We’re actually requiring them to provide us with artifacts … [We] actually go through and review and make sure that the things that the service provider is saying that they have in place, when it comes to security on behalf of the state and the state’s data, is actually in place,” Brown said. “… We want to be able to say we’ve seen that information, we believe it’s in place or we know for a fact it’s in place — including evaluating those artifacts, audits, any other information that we provide or are required as part of that Snapshot process.”
The Snapshot review is still less “invasive” than the audits for achieving authorized or ready certifications, Brown said. To also make the process an easier lift, the team will review audit reports providers have obtained elsewhere, to consider whether they merit adding points to the companies’ Snapshot scores.
Providers pay between $500 and $1,500 for a Security Snapshot, with the fee based on the companies’ annual revenue sizes. To get started, companies must become StateRAMP members and submit an online form; they can expect a score within about three weeks from request.
Given the fast pace of change in cloud technology, Snapshot scores are only considered relevant for 12 months, Brown said. McGrath said providers wanting to track, or demonstrate, their progress can purchase an unlimited number of new Snapshot evaluations and that StateRAMP is looking to launch a subscription service offering updated scores as often as monthly.
