StateRAMP, made up of a consortium of public- and private-sector cybersecurity officials, is a new organization charged with vetting the cybersecurity structure of third-party vendors, much like the Federal Risk and Authorization Management Program (FedRAMP) already accomplishes for technology contracts with the federal government.
“We identified the things within the FedRAMP structure that says, that’s great, they’ve done the work,” said Joe Bielawski, president of Knowledge Services and a member of the board of directors for StateRAMP. Knowledge Services, a managed services provider, works with more than a dozen state governments and more than 100 local governments.
“It was how can we help government through a public-private partnership to solve an identified problem, an identified need, knowing that we couldn’t do it alone,” he added, as he recalled some of the initial thinking behind the formation of an organization dedicated to serving as a sort of cybersecurity clearinghouse for government agencies.
Government agencies are under constant threat of cyberattacks, vulnerabilities that only increase as more governments at all levels turn to third-party cloud technologies and handle an increasing level of personal data for residents and businesses. It is generally left to each state agency to vet the cybersecurity soundness of the vendors they do business with. StateRAMP positions itself as a structure for verifying certain minimum security thresholds.
StateRAMP’s aim is to “help bring state and local government together to create that common method, and assist state and local governments in managing the third-party service providers, when it comes to cloud security and cybersecurity,” said Leah McGrath, executive director for StateRAMP.
For the eighth year in a row, the National Association of State Chief Information Officers (NASCIO) listed managing third-party risks and cybersecurity as a top concern. The rise of cybersafety has gained added attention in the wake of high-profile data breaches like the recent far-reaching hacking of federal government agencies by Russian operatives.
“I think it reflects our role as stewards of the peoples’ information,” said Ted Cotterill, chief privacy officer for the state of Indiana and a member of the StateRAMP board of directors, remarking on the rise of cybersecurity concerns among a wide cross-section of tech officials. “There’s got to be an expectation from our citizens, from across the U.S., that we’re getting it right in government.”
It might be easy to say vendors ought to simply go through the FedRAMP vetting process for working with local and state government. However, a number of vendors will simply never work with the federal government, said Bielawski.
“We have taken what we think are the really great things that are replicable, but yet we’ve created what we think is flexible and understanding for the need to serve local government and state government,” he added.
As StateRAMP gets geared up, next steps will be adoption by states. Organizers say they anticipate generally favorable adoption.
“I sense, without being overly optimistic, that we’ll see an adoption that is fairly quick in the coming years,” said Bielawski.
“Operationally, providing that single point of contact for our cybersecurity needs for all the vendors that we drive through this process, that’s a big win,” he added.
StateRAMP can help to smooth out the contract negotiation process, as well as the procurement process, say officials, adding the organization will bring a uniform application of heightened standards.
“That’s a really big deal for us in government, and ensuring that we’re all on that level playing field,” said Cotterill.
“To be able to offer a solution to this challenge that state and local governments have been facing is something that we’re really proud of, and hopeful for in 2021,” said McGrath.
