‘The Easy Button’ for Taking Government to the Cloud

By building on a decade-old federal effort, the just-launched StateRAMP promises to standardize and simplify procurement of cloud services that have already undergone rigorous security testing.

Ask any chief information officer, chief information security officer or technologist in state or local government about the biggest hurdle they experience when working with the vendor community and they will likely have a three-word answer: “the procurement process.”

Ask any vendor about the biggest hurdle they experience when doing business with governments and they will likely say the same. For almost every transaction, the bureaucratic framework at practically every point in the government acquisition process adds unnecessary time, excess costs and, from a cybersecurity perspective, undue risk.

Unfortunately, new technology companies and technology innovations that don’t fit neatly into the historical categories for technology purchases create almost insurmountable roadblocks for government organizations that desire to take advantage of transformational technologies like the cloud, 5G networks, blockchain and artificial intelligence. Meanwhile, vendors trying to get their products into the hands of government organizations encounter their own almost insurmountable barriers. This is most often why state and local governments and their agencies find themselves lagging the private sector in technological innovation.

One of the fastest-growing technological innovations of the 21st century is the cloud. The COVID-19 pandemic has accelerated government and private-sector migration to the cloud in ways that were unthinkable just a little over a year ago. The cost efficiencies of using cloud services are compelling since they eliminate the traditional capital and staffing costs of purchasing and maintaining servers and other continuously depreciating computing assets. Additionally, since providers of cloud services assume much of the risk and responsibility for maintaining cloud assets and are highly incentivized to provide both high availability and superior security, the cloud provides an additional level of security comfort to government security teams.

Enter StateRAMP. The State Risk and Authorization Management Program is a new nonprofit collaboration designed to take advantage of what the federal government has accomplished with FedRAMP. That decade-old program was established to provide a standardized approach for federal agencies to procure cloud products and services that have already undergone significant security testing, eliminating duplication of effort among agencies, and it has dramatically improved the federal technology acquisition process. StateRAMP’s mission is to provide the same standardized and consistent value to state and local governments. Among other strengths, it can leverage a reciprocity arrangement for vendors that have already completed the rigorous FedRAMP authorization process.

Dan Lohrmann, the former Michigan CISO who chairs the StateRAMP Standards and Technical Committee, told me that StateRAMP “offers numerous benefits to state and local governments at a time when cloud security is more vital than ever. Just as FedRAMP has become a core baseline for federal government networks, I see StateRAMP playing a similar role for state and local governments over the next decade.”

There is almost global consensus that the cloud is the future of secure computing, and StateRAMP is positioned to help state and local governments achieve high levels of compliance in the three pillars of information security: confidentiality, integrity and availability.

There are three partners within the StateRAMP process:

  • State and local government organizations that want to make the transition to cloud services with more certainty about the security posture of the vendor community.
  • Service providers that seek a more dependable and normalized government procurement strategy.
  • Assessors, a growing list of more than 30 FedRAMP-approved organizations which, according to the StateRAMP website, “help deliver on StateRAMP’s mission to standardize third-party cybersecurity verification for governments.”

The assessors’ role is key to the success of StateRAMP: they initially assess vendor products and then, perhaps even more importantly, periodically assess service providers’ continuous-monitoring processes to ensure that they maintain the same level of ongoing security as during the initial assessment.

“Even more important than achieving an authorization to operate is continuous monitoring,” said Jason Oksenhendler, who is the director of FedRAMP Advisory at Coalfire, one of StateRAMP's third-party assessors, and is also a member of the StateRAMP Standards and Technical Committee. “Continuous monitoring holds service providers accountable for maintaining the security of their offering and, therefore, protecting their customers' information.”

StateRAMP membership opened up last month, and expectations are that states and many local governments will quickly adopt its model to take advantage of its standardized benefits and streamlined contract negotiations in the procurement of cloud services. At the same time, vendor participation is expected to be high due to the reduced ambiguity and cost savings of a more consistent and formalized purchasing process.

If the FedRAMP legacy is any indicator of success, StateRAMP is likely to revolutionize procurement of cloud services by state governments and many of their cities and counties. As Jim Masella, managing principal at Coalfire, put it, “StateRAMP is the easy button for state procurement of cloud services.”
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.