
Understanding the StateRAMP Security Snapshot: A Comprehensive Guide

In the realm of cybersecurity and compliance, having a diverse range of providers and offerings is crucial. These services cater to both large federal customers and smaller state, local, and municipal entities. However, it’s vital to ensure that maintaining a competitive marketplace doesn’t compromise security. This is where the StateRAMP Security Snapshot comes into play, especially for smaller or newer cloud service providers aiming for Authorization.

Why Prepare for StateRAMP Before Authorization?

StateRAMP, built on FedRAMP requirements, involves a lengthy authorization process. This includes pre-assessment audits, complete-system inventories, and continuous monitoring once authorized. The process is complex, but there’s a high demand for cloud offerings at the state and local levels. Therefore, it’s essential to have a process that’s supportive and democratic, allowing independent cloud providers to gain authorization and compete with larger service providers.

To assist providers in starting their StateRAMP Authorization process, the program has introduced an early-stage security maturity assessment tool. This tool helps providers new to StateRAMP or federal assessment understand their readiness for the program.

What Is the StateRAMP Security Snapshot?

The StateRAMP Security Snapshot provides a “moment in time” picture of an organization’s security posture. It offers a gap analysis of the provider’s system compared to StateRAMP requirements. The Security Snapshot uses a scoring model based on several factors:

  • Security and IT factors impacting the offering’s ability to meet StateRAMP requirements.
  • IT factors affecting the overall security posture.
  • Insights provided by the StateRAMP PMO to procurement teams regarding specific security and IT components.

Adherence to best practices in these areas results in gaining “points” that demonstrate the maturity of the underlying infrastructure. The StateRAMP PMO may award additional points based on specific criteria, such as:

  • StateRAMP Authorized IaaS: Higher scores for offerings hosted on StateRAMP authorized Infrastructure-as-a-Service architecture.
  • FedRAMP Authorization: Additional points for cloud offerings using FedRAMP Authorized IaaS architecture or being FedRAMP Authorized.
  • Annual Security Awareness: Additional points for ensuring annual security awareness training for employees.

The provider submits documentation on its current security posture, which the StateRAMP PMO reviews against a set of essential criteria using a weighted scoring system. Some of the criteria include:

  • StateRAMP or FedRAMP Authorization: The security infrastructure’s authorization status.
  • Inventory: The provider’s ability to inventory regulated security components effectively.
  • Certifications: Completion of other certifications like SOC 2 Type 2, ISO 27001, CSA STAR, or HITRUST.
  • Training: Provision of required, continuing security awareness training.
  • Security Modules: Use of cryptographic modules, Single Sign-On (SSO) technology, Multi-Factor Authentication (MFA), and anti-malware solutions.
  • Scanning and Testing: Regular vulnerability scans and penetration tests.
  • Auditing: Performance of regular audits and protection of audit information.
  • Recovery: Effective recovery from security events and the presence of incident response and contingency plans.
  • Configuration: Existence of a configuration management plan and regular scans for configuration changes.

The StateRAMP Security Snapshot is not required, but it is helpful for organizations new to the program. It will begin in January 2023, with fees ranging from $500 to $1,500 depending on the pricing tier.

Considering StateRAMP Authorization?

Lazarus Alliance is an experienced, certified FedRAMP and StateRAMP 3PAO that helps businesses develop their security posture to enter the government agency IT market. With decades of experience in rigorous compliance standards, Lazarus Alliance has supported companies through FedRAMP, StateRAMP, ISO, SOC, HIPAA, and NIST audits and assessments.

If you’re considering StateRAMP Authorization, contact Lazarus Alliance today to get an early start. For more information, visit their website.