2024 and Beyond: How to Find the Right Cloud Service Provider Now

As any state or local government IT leader will tell you, 2023 has not seen a decline in cybersecurity incidents, especially ransomware attacks. From Dallas to Oakland to Colorado, cities and states are being heavily targeted. In a recent report, nearly 70 percent of state and local government IT leaders said they were targeted by ransomware in the last year. As attacks increase, compliance issues, including data privacy requirements, are becoming more challenging as well.

Many governments, wanting to secure “cloud-first” networks but burdened by limited budgets and facing a hot hiring market that makes finding cyber talent even more difficult, are turning to cloud service providers (CSPs) to keep up.

Yet, as governments are finding out, there are a dizzying amount of CSPs who tout similar traits and not all are equal. By implementing the StateRAMP or FedRAMP security framework and using it as the starting point for a CSP search, governments can simultaneously make their search more efficient while ensuring a base level of security throughout their agencies.

But is StateRAMP or its federal-focused alternative FedRAMP the right choice? How does that choice impact a CSP selection? What else should state and local governments prioritize when looking to secure their networks in 2024 and beyond?

Finding answers to these questions can help governments select the right CSPs now, while keeping citizen and government data safer this year and beyond.

GROWING CHALLENGES FOR GOVERNMENT CYBERSECURITY

Today, state and local governments are grappling with broad changes to the way their employees work while juggling compliance issues and a growing list of privacy standards.

Data privacy and compliance regulations are constantly changing and the list seems to get longer every year. Some state and local laws mandate cybersecurity training. Some mandate setting up and following formal security policies, standards and practices. Some require having incident response plans in place, providing mandatory training for employees or to report security incidents, including ransomware attacks. Some require all of these.

At the same time governments are facing growing challenges trying to maintain high levels of security in a remote/hybrid work environment. Employees are sometimes at home on Wi-Fi, out at a coffee shop or even working from another residence in a different state or country.

In addition, following the federal government’s lead, many state and local governments are trying to implement multifactor authentication (MFA) at specific agencies, or across the entirety of government accounts.

Given these challenges, many state and local governments are instituting StateRAMP, a cybersecurity framework, built on the NIST Special Publication 800-53 Rev. 4 framework and modeled on the highly successful FedRAMP program.

StateRAMP AND FedRAMP: WHY THEY MATTER AND HOW TO CHOOSE

StateRAMP and FedRAMP play pivotal roles in ensuring the security and compliance of federal (FedRAMP), state and local (StateRAMP) governments.

Both StateRAMP and FedRAMP help agencies prioritize information security and ensure a baseline level of security across all levels of government, which fosters consistency and compatibility. Both frameworks mandate rigorous risk assessments to identify vulnerabilities and potential threats, enabling agencies to implement necessary safeguards and mitigate risks.

StateRAMP and FedRAMP also rely on third-party assessors to evaluate the cybersecurity posture of agencies, which helps enhance objectivity and trust in the compliance process.

Yet, for most state and local governments, StateRAMP is the right choice. While similar in many ways to FedRAMP, it’s tailored to address the specific cybersecurity needs of state and local governments without the burden of federal regulations that may not apply directly to states. Implementing FedRAMP can be more resource-intensive due to its federal focus and potentially higher compliance costs. StateRAMP, since it’s more focused on state-level needs, could help reduce overhead and compliance costs. In addition, StateRAMP governance is typically managed at the state level, allowing state governments to maintain control over their compliance processes. This localized approach can simplify decision-making and streamline governance compared to the federal-level oversight of FedRAMP.

That said, whether governments choose to implement StateRAMP or FedRAMP, the most important thing is that they simply choose one of them. And the reasons are numerous, including: ensuring a baseline of security across all agencies and programs; promoting interoperability as states begin to standardize around these frameworks; and receiving grants as compliance with these frameworks becomes a prerequisite for receiving funds.

Yet, when it comes to selecting the right CSP, one of the biggest benefits of these frameworks is that they provide a blueprint to quickly and easily ensure a provider meets all necessary requirements and mandates.

SELECTING THE RIGHT CSP FOR 2024 AND BEYOND

Managing cybersecurity is time consuming, expensive and requires a high level of expertise from in-demand cybersecurity professionals. Increasingly, state and local governments are looking to CSPs to simplify the process. Yet, many CSPs make similar promises and speak in similar language that can make it difficult to parse the differences.

When hiring a CSP, look to prioritize the following points:

1. Look for CSPs who offer “government-grade security,” regularly work with state and local governments, and utilize StateRAMP or FedRAMP.
2. Ensure the vendor keeps up with the latest evolving data privacy and security laws and understands how to future-proof investments.
3. Evaluate whether the CSP is able to fit their solutions within your current cybersecurity tech stack, or if they require a specific piece of technology. For instance, can you continue to use your single sign-on or MFA solution, or will you need to replace it to meet their needs?
4. Make sure you understand the CSP's incident response plans. If the vendor gets breached, how do they notify agencies and constituents?

CYBERSECURITY IS NOW A STRATEGIC IMPERATIVE 

Today, as state and local governments continue to build “cloud-first” data environments, they’re increasingly turning to CSPs to help secure their networks. As agencies face resource, expertise and regulatory challenges, this approach has many benefits and can help governments ensure a high base level of security across their networks.

Yet, CSPs can vary widely in terms of approach, quality and cost. By choosing StateRAMP or FedRAMP, prioritizing the right strengths of a potential CSP and asking them the right questions, governments can ensure they’re making the best choice possible. For state and local governments, selecting the right CSP doesn’t just fulfill a regulatory obligation; it’s a strategic imperative that will better fortify their cybersecurity posture and meet the evolving challenges of the digital age.