‘The Easy Button’ for Taking Government to the Cloud
By building on a decade-old federal effort, the just-launched StateRAMP promises to standardize and simplify procurement of cloud services that have already undergone rigorous security testing.
Ask any vendor about the biggest hurdle they experience when doing business with governments and they will likely say the same. For almost every transaction, the bureaucratic framework at practically every point in the government acquisition process adds unnecessary time, excess costs and, from a cybersecurity perspective, undue risk.
Unfortunately, new technology companies and technology innovations that don’t fit neatly into the historical categories for technology purchases create almost insurmountable roadblocks for government organizations that desire to take advantage of transformational technologies like the cloud, 5G networks, blockchain and artificial intelligence. Meanwhile, vendors trying to get their products into the hands of government organizations encounter their own almost insurmountable barriers. This is most often why state and local governments and their agencies find themselves lagging the private sector in technological innovation.
One of the fastest growing technological innovations of the 21st century is the cloud. The COVID-19 pandemic has accelerated government and private-sector migration to the cloud in ways that were unthinkable just a little over a year ago. The cost efficiencies of using cloud services are compelling since they eliminate the traditional capital and staffing costs of purchasing and maintaining servers and other continuously depreciating computing assets. Additionally, since providers of cloud services assume much of the risk and responsibility for maintaining cloud assets and are highly incentivized to provide both high availability and superior security, it provides an additional level of security comfort to government security teams.
Enter StateRAMP. The State Risk and Authorization Management Program is a new nonprofit collaboration designed to take advantage of what the federal government has accomplished with FedRAMP. That decade-old program was established to provide a standardized approach for federal agencies to procure cloud products and services that have already undergone significant security testing, eliminating duplication of effort among agencies, and it has dramatically improved the federal technology acquisition process. StateRAMP’s mission is to provide the same standardized and consistent value to state and local governments. Among other strengths, it can leverage a reciprocity arrangement for vendors that have already completed the rigorous FedRAMP authorization process.
Dan Lohrmann, the former Michigan CISO who chairs the StateRAMP Standards and Technical Committee, told me that StateRAMP “offers numerous benefits to state and local governments at a time when cloud security is more vital than ever. Just as FedRAMP has become a core baseline for federal government networks, I see StateRAMP playing a similar role for state and local governments over the next decade.”
There is almost global consensus that the cloud is the future of secure computing, and StateRAMP is positioned to help state and local governments achieve high levels of compliance in the three pillars of information security: confidentiality, integrity and availability.
There are three partners within the StateRAMP process:
- State and local government organizations that want to make the transition to cloud services with more certainty about the security posture of the vendor community.
- Service providers that seek a more dependable and normalized government procurement strategy.
- Assessors, a growing list of more than 30 FedRAMP-approved organizations which, according to the StateRAMP website, “help deliver on StateRAMP’s mission to standardize third-party cybersecurity verification for governments.”
The assessors’ role is key to the success of StateRAMP by both initially assessing vendor products and then, perhaps even more importantly, periodically assessing service providers’ continuous-monitoring processes to ensure that they maintain the same level of ongoing security as during the initial assessment.
“Even more important than achieving an authorization to operate is continuous monitoring,” said Jason Oksenhendler, who is the director of FedRAMP Advisory at Coalfire, one of StateRAMP's third-party assessors, and is also a member of the StateRAMP Standards and Technical Committee. “Continuous monitoring holds service providers accountable for maintaining the security of their offering and, therefore, protecting their customers' information.”
StateRAMP membership opened up last month, and expectations are that states and many local governments will quickly adopt its model to take advantage of its standardized benefits and streamlined contract negotiations in the procurement of cloud services. At the same time, vendor participation is expected to be high due to the reduced ambiguity and cost savings of a more consistent and formalized purchasing process.
If the FedRAMP legacy is any indicator of success, StateRAMP is likely to revolutionize procurement of cloud services by state governments and many of their cities and counties. As Jim Masella, managing principal at Coalfire, put it, “StateRAMP is the easy button for state procurement of cloud services.”