Here at Ignyte, we’ve talked a lot about FedRAMP, the Federal Risk and Authorization Management Program. As you likely well know, FedRAMP is the federal government’s unified security standard, derived from NIST standardization documents and transformed into a framework to provide a cohesive idea of security across disparate government organizations and contractors.
You might wonder, how does this work with state-level agencies and departments? Do the federal rules “trickle down” and apply to state governments, or are states simply left to develop their own security? The answer may surprise you.
Or maybe not, if you’re familiar with the operations of the government at different levels.
State Cybersecurity Requirements
There is, unfortunately, no real single standard for state-level, or local-level, government security. It’s largely left up to the states themselves, and a wide range of legislation has been introduced, approved, and passed over the years. In 2022 alone, 40 states introduced over 250 bills and resolutions relating to cybersecurity, though many of them were not actually passed.
This presents a problem. At the federal level, programs like FedRAMP allow various departments to present a united front against potential security attacks and intrusion attempts, ranging from the smallest-scale hackers to nation-state threats. FedRAMP is also, in effect, the lowest standard a government agency can hold: even the High impact level of FedRAMP governs, at most, CUI (controlled unclassified information). Anything relating to something like the Department of Defense, arms trading, or classified information has to adhere to even higher, more rigorous standards, like ITAR, DAAPM, DFARS, or NISPOM.
At the state level, though, there’s no unified front. Attackers might find it difficult to assault California’s systems, but find it much easier to compromise Texas’s or Alabama’s. Different states treat cybersecurity with different levels of respect, and the rules and standards vary from state to state.
The issue lies in how businesses have to approach doing business with government entities. FedRAMP requires that a cloud service provider work closely with its intended partner agency while meeting unified standards across the whole of the government, regardless of which agency it works with. This is why a listing on the FedRAMP Marketplace allows an agency to simply re-use the paperwork a CSP has already submitted; 95%+ of the information and requirements will be the same across agencies.
If a business wants to work with a state government, though, they have to do a lot more legwork.
- They have to figure out if the agency has specific requirements outside of the normal scope of FedRAMP.
- They have to identify any oversight, auditing, review, and other processes that may be relevant to gaining a localized authority to operate.
- They have to determine if there are differences they need to implement that could require an entirely separate product offering.
Often, cloud services don’t want to do all of this legwork, even for a state government contract. We talk a lot about the “potentially lucrative federal government contracts,” but a large part of that stems from the sheer size and scale of the federal government, and the rest can be attributed to the FedRAMP Marketplace listing and availability to other agencies. State governments don’t have the same budgets and don’t have the ability to share in the same way.
What is StateRAMP?
Given the name, you would assume that StateRAMP is the state-level equivalent of FedRAMP.
You wouldn’t be wrong, but you also wouldn’t be entirely right, either.
StateRAMP is an organization that aims to provide FedRAMP-style security frameworks to state-level, local-level, and education organizations, collectively known as SLED organizations. The primary difference is that FedRAMP is a government program, run and administered by the Office of Management and Budget through a combination of the Project Management Office and the Joint Authorization Board. StateRAMP, on the other hand, is run by a nonprofit organization that is not administered by any government organization.
StateRAMP is a 501(c)(6) organization governed by a board of directors. It was first created in early 2020, its board of directors was appointed in early 2021, and membership started to open in April 2021. You can see information about who is involved in the board, the steering committee, and the general team here.
Similarities Between FedRAMP and StateRAMP
It’s easiest to talk about the differences between FedRAMP and StateRAMP once you understand the ways in which they are the same.
First and foremost, StateRAMP is designed to be as close to FedRAMP as possible in terms of security standards. Like FedRAMP, StateRAMP is built on the NIST SP 800-53 standards. That is the same set of security controls that every FedRAMP-certified organization, every organization pursuing CMMC certification, and anyone working under a wide range of other standards will already be very familiar with.
StateRAMP also follows FedRAMP in requiring that an authorized third-party assessment organization (3PAO) perform the auditing, assessment, and approval process for cloud service providers. Though the specific details of the process vary slightly, the overall concept is the same.
In another mirror of the FedRAMP program, StateRAMP also defines three impact levels of low, moderate, and high, aligned with NIST controls in the same way, with one significant difference that we’ll get into later.
Both FedRAMP and StateRAMP have requirements for continuous monitoring, to maintain appropriate security over time rather than treating it as a one-and-done event.
Finally, StateRAMP also maintains verified statuses for cloud services they authorize, including both Ready and Authorized designations.
Differences Between FedRAMP and StateRAMP
Now that you know how the two programs are the same, you can see where the differences come in. We’ve already talked about the biggest one, which is that FedRAMP is managed as a government program, while StateRAMP is a third-party nonprofit organization.
Another difference we mentioned above is impact levels. FedRAMP has four impact levels:
- Low Impact SaaS
- Low Impact
- Moderate Impact
- High Impact
StateRAMP also has four impact levels:
- StateRAMP Low
- StateRAMP Low+
- StateRAMP Moderate
- StateRAMP High
Low, Moderate, and High all map one-to-one to their FedRAMP equivalents. However, StateRAMP has no lower-than-low LiSaaS designation; instead, it offers a midpoint between Low and Moderate in the form of Low+. Low+ uses all of the Low baseline controls and adds some, but not all, of the Moderate controls. StateRAMP found that this serves as a better middle ground than an additional lowest-impact option.
For reference, StateRAMP Low has 117 security controls, Low+ has 179, and Moderate has 312. These counts are currently based on NIST SP 800-53 revision 4 and may change with the transition to revision 5. Note that the specific controls may vary between FedRAMP and StateRAMP within the same impact level.
In general, the view is that StateRAMP compliance is less strict than FedRAMP compliance, in particular at the lower impact baselines. This is because a compromise of a federal agency has far-reaching consequences for the nation, while a state-level compromise – while still potentially devastating locally – is limited in scope. To their credit, StateRAMP does promote parity with FedRAMP guidelines whenever possible and reasonable.
Another difference is in the Ready designation. As you may know from the FedRAMP Marketplace, a cloud service provider earns a Ready designation upon completion of their 3PAO certification and auditing. This Ready status lasts for one calendar year before it needs to be recertified. In contrast, StateRAMP Ready does not expire. Being StateRAMP Ready allows a cloud service provider to jump into the process once a government agency picks them to work with and reach Authorized status.
Just as FedRAMP has both the individual agency authority to operate process and the broader JAB provisional authority to operate, StateRAMP has approval from a government sponsor or approval from its approvals committee. One difference here, though, is that businesses are often less likely to have a government sponsor immediately and more likely to seek approvals committee approval so they can be added to the Authorized Product List, the StateRAMP equivalent of the Marketplace.
Should You Pursue StateRAMP Authorization?
There are two groups that can decide to work with StateRAMP.
The first is the aforementioned SLED organizations. State government departments, state governments as a whole, local city and county governments, and educational institutions (other than universities beholden to higher standards) can all choose to work with StateRAMP for security purposes. StateRAMP even maintains a list of the governments that work with them, including:
- State of Colorado
- State of Vermont
- City of Chandler, Arizona
- Fayetteville State University
- State of Michigan
- Austin Independent School District
- Johnson County Park and Recreation District
As you can see, a variety of organizations at different levels of government participate. However, this is still a very limited selection; only about half of the states have chosen to work with StateRAMP, and very few local and educational organizations overall have joined.
In the vast majority of cases, there’s no drawback to a government or other SLED organization working with StateRAMP. The benefits to security are immense, and the overall burden of maintaining it is relatively small. The only instances where working with StateRAMP may not be ideal are when your state or local government already has higher standards, but that’s very unlikely.
The second group that can work with StateRAMP is, of course, cloud service providers. CSPs can certify in general with StateRAMP to be Ready to work with any organization, or can find direct organizational sponsors, the same as with FedRAMP.
The question is, should you?
If you do not have any current government security posture, choosing to work with StateRAMP can be a good way to get started. It tends to be slightly lower stakes, with a less serious level of review, a faster process, and a generally smoother certification. The trade-off, of course, is that it only allows you to work with the SLED organizations on the StateRAMP list, which aren’t many, all things considered. That said, achieving StateRAMP certification puts you 90% of the way toward getting FedRAMP certification, and it’s really not that much more work to take that final leap.
If you currently have FedRAMP status, working with StateRAMP simply allows you to work with the SLED agencies on the StateRAMP list. Since you’re already compliant with FedRAMP, it should be very easy to achieve StateRAMP certification and spin up state-level and local contracts as well.
The one exception to this is if you’re FedRAMP authorized at the LiSaaS level. Since the lower-than-low impact level does not have an equivalent with StateRAMP, you’ll need to increase your security posture to meet Low Impact levels to work with StateRAMP. There’s likely a reason you didn’t do this in the first place for FedRAMP, usually related to the additional amount of work, time, and investment required, so doing it for StateRAMP doesn’t make as much sense.
If you currently have non-StateRAMP state-level contracts, working with StateRAMP is not a bad idea, but it won’t give you many benefits for the current contracts you’re maintaining. In fact, non-StateRAMP states and organizations may have their own requirements, so you’ll be adding one more level of documentation you need to compile and submit. It’s up to you if the potential upside is worthwhile.
Achieving StateRAMP Certification
StateRAMP is still relatively small and new compared to FedRAMP. It’s less than four years old, has buy-in from only about half of the country’s states and relatively few non-state organizations, and there are (as of this writing) only 91 services on the Authorized Products List.
If you’re interested in joining the products on that list, go for it! More importantly, talk to us about it. We are both a certified FedRAMP 3PAO with experience in these kinds of certifications, and we know all about StateRAMP from the inside out. It’s one of the many frameworks we’re familiar with and one that our platform can be used to help you achieve. The Ignyte Platform was designed to facilitate organizational recordkeeping and compliance for obtaining diverse security certifications, and we’re confident it can help you achieve FedRAMP Authorization as well. Why not book a demo today and see what it can do for you?
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.