Boost Your Security: The Urgent Need for StateRAMP in State Agencies
Why State Agencies Need StateRAMP
We’ve already explored the nitty-gritty of StateRAMP certification for Cloud Service Providers (CSPs). But let’s not forget the crucial role state agencies play in this process. Today, we’ll walk you through the high-level steps state agencies need to take to adopt StateRAMP requirements, including the essential contacts, infrastructure, and documents needed to comply with StateRAMP.
Steps to StateRAMP Adoption
The path to StateRAMP adoption for state agencies involves organizing around a new security policy framework, preparing to onboard compliant CSPs, and understanding how contract agreements work concerning security levels.
Step 1: Contact StateRAMP PMO for Roles and Responsibilities
First things first, reach out to the StateRAMP Project Management Office (PMO). The PMO will provide the necessary resources and outline the next steps for meeting StateRAMP requirements. At this stage, the requirements are primarily organizational and include:
- Receiving a responsibilities matrix to identify who will handle compliance management with partner CSPs.
- Identifying government stakeholders who will maintain control or responsibility for StateRAMP adherence.
- Completing a Data Discovery form, outlining your current cloud services portfolio and any providers managing data on your behalf.
Step 2: Create a Standard Security Policy
StateRAMP recommends that agencies new to the program adopt a single baseline security policy that applies to every cloud provider, whether the service is SaaS, IaaS, or PaaS. This policy should include:
- CSP adherence to the NIST SP 800-53 Rev. 4 control baseline
- The same NIST 800-53 obligations flowing down to every contractor and supplier that uses or connects to the cloud system
- Data classification by security impact level per FIPS PUB 199 (confidentiality, integrity, and availability)
- Ongoing maintenance and monitoring of security controls by the CSP, not a one-time assessment
- The agency's right to request a review of any Third Party Assessment Organization (3PAO) a CSP uses
- A required response obligation for any CSP or contractor when a serious vulnerability or security flaw is found
- A documented process for approving any deviation from the StateRAMP certification requirement
Step 3: Determine Your Security Category and Required Security Status
Alongside defining your security policy, you need to determine the security impact level of the data you manage; this is the FIPS 199 security categorization, driven by the data the system stores and processes rather than by who might attack it. StateRAMP follows FedRAMP in designating the "Impact Level" of the data a government agency handles. Because state agencies typically handle less sensitive data than federal ones, StateRAMP defines three security categories:
- Category 1: Maps to the FedRAMP Low Impact baseline, appropriate for data that is generally accessible to the public.
- Category 2: Maps to the FedRAMP Low Impact baseline with additional security controls (often called "Low+"), placing it above Category 1 but below Category 3.
- Category 3: Maps to the FedRAMP Moderate Impact baseline, appropriate for unclassified but non-public data such as personally identifiable information.
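The categorization step above is mechanical enough to script. The following Python is an added example, not code from the original post or from StateRAMP: it applies the FIPS 199 "high-water mark" rule (for each objective, take the highest impact across all information types on the system, then take the highest objective as the overall level) and then maps the result to a StateRAMP category as the post describes. It goes slightly beyond the text in enforcing the FIPS 199 rule that "not applicable" is only permitted for confidentiality. The `agency_requires_low_plus` flag, the sample information types, and their impact ratings are constructed assumptions for illustration; the choice between Category 1 and Category 2 for Low-impact data is an agency policy decision, not something FIPS 199 decides.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() gives the high-water mark."""
    NA = 0        # permitted for confidentiality only (public information)
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type on the system with its C/I/A impact ratings."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types):
    """FIPS 199 security categorization of a system.

    Per objective, the system inherits the highest impact of any information
    type it handles; the overall level is the highest objective.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for t in info_types:
        # FIPS 199: integrity and availability are always at least LOW
        if t.integrity == Impact.NA or t.availability == Impact.NA:
            raise ValueError(f"{t.name}: NA is only allowed for confidentiality")
    c = max(t.confidentiality for t in info_types)
    i = max(t.integrity for t in info_types)
    a = max(t.availability for t in info_types)
    return {
        "confidentiality": c,
        "integrity": i,
        "availability": a,
        "overall": max(c, i, a),
    }


def format_sc(sc):
    """Render the categorization in the notation FIPS 199 uses."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % (sc["confidentiality"].name, sc["integrity"].name,
               sc["availability"].name))


def stateramp_category(overall, agency_requires_low_plus=False):
    """Map an overall FIPS 199 level to the StateRAMP category described above.

    agency_requires_low_plus is an assumed agency policy switch: when set,
    Low-impact systems are held to Category 2 (Low+) instead of Category 1.
    """
    if overall == Impact.HIGH:
        # The three StateRAMP categories top out at Moderate; flag for review.
        raise ValueError("High-impact data has no StateRAMP category; escalate")
    if overall == Impact.MODERATE:
        return 3
    return 2 if agency_requires_low_plus else 1


# Constructed sample portfolio for a hypothetical licensing portal.
PUBLIC_NOTICES = InfoType("public notices", Impact.NA, Impact.LOW, Impact.LOW)
APPLICANT_PII = InfoType("applicant PII", Impact.MODERATE, Impact.MODERATE, Impact.LOW)


if __name__ == "__main__":
    sc = categorize_system([PUBLIC_NOTICES, APPLICANT_PII])
    print(format_sc(sc))
    print("StateRAMP Category", stateramp_category(sc["overall"]))
```

Note that a single Moderate rating on one objective of one information type pulls the whole system to Moderate, and therefore to Category 3; this is why the Data Discovery form in Step 1 matters, since an information type you forgot to list can silently leave the system under-categorized.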
Step 4: Integration into Request for Proposals
With a general policy in place, your agency can include StateRAMP requirement language in all Request for Proposals (RFPs) for CSPs. StateRAMP recommends that any StateRAMP-compliant RFP includes the following information:
- Security policies for your agency, including StateRAMP requirements based on NIST 800-53.
- Notification that no contract will be executed with a CSP unless that CSP meets the stated StateRAMP certification requirements.
- A statement that a bidder holding only StateRAMP "Ready" status is attesting to its ability to progress to full authorization, and is not yet fully certified.
For more information on NIST SP 800-53 and FIPS PUB 199, visit the official NIST website.