Arizona readies first pilot of ‘StateRAMP’ program
Arizona Chief Information Officer J.R. Sloan told StateScoop he’s preparing this month to launch in his state the first instance of a new program that vets and continuously monitors the security standards of IT vendors.
Since its formation in late 2020, StateRAMP’s organizers — which include procurement, privacy and tech officials — have met with a growing number of officials seeking a more efficient way to ensure the vendors they work with are implementing cybersecurity standards that will keep public data safe, Sloan said. The group is also meeting with tech companies that’ve sought approval from the Federal Risk and Authorization Management Program, which grades the security of federal cloud vendors and inspired StateRAMP.
“It provides a higher level of assurance and monitoring for local governments and for everybody else, vendors and providers, they can do the process once and use it many times,” Sloan said.
Sloan said he expects to “test drive” StateRAMP in Arizona over the next year to find ways to further improve the program so it will be ready for widespread adoption by state and local governments and the vendors that serve them.
StateRAMP is also modeled after AzRAMP, a program Sloan created in 2015, while serving as deputy CIO. That program is based on a popular set of security controls maintained by the National Institute of Standards and Technology. He said there are 235 active vendors that have met AzRAMP standards that he’ll soon shift over to the StateRAMP standard. The main difference between the programs is the addition of a process to continually monitor vendors’ compliance.
After vendors passed their initial AzRAMP assessments, Arizona only had the resources to confirm their compliance every few years or when there was a security incident, Sloan said. The StateRAMP organization will bring a “more formal process” to continually validate compliance, a process Sloan said his office didn’t have the resources for.
But Sloan said StateRAMP is about more than just assessing vendors.
“We had a process where we could do that. Really, it’s about risk mitigation,” he said. “We could assess the risk of working with a given vendor, but we didn’t want to wait until someone had already committed a contract to begin that assessment process.”
The challenge in integrating StateRAMP into existing procurement processes comes with selecting the right moment and level of analysis, he said. A state can’t completely vet all 25 vendors applying for a large procurement — “You’ll bury yourself,” Sloan said — but waiting until a vendor has won a contract is too late in the process. Arizona plans to speed up that part by issuing vendors a subset of questions in the full security questionnaire and setting expectations with the companies that if they don’t obtain certification after they win a contract, they’ll lose it.
Sloan said adding an additional hurdle has rankled vendors and agency officials alike, but he was ultimately vindicated.
“We had a vendor that failed the security review process [for AzRAMP] and was already engaged with another local government,” Sloan said. “We explained that we would not be engaging with them, and people were getting pretty upset with us about it until within a couple of weeks there was a breach notification. Then our process looked better.”
There are “a half dozen or more” other states involved with planning StateRAMP so far, Sloan said; officials from Indiana, Maine and Mississippi have joined the group’s steering committee.
Sloan, who sits on StateRAMP’s board of directors, said Leah McGrath, the group’s executive director, is currently conducting introductory sessions to get vendors and governments ready for what may soon be the new gold standard for cybersecurity certification for state and local government.
“There’s a shared risk you accept for the benefit of working with cloud providers,” Sloan said. “You have to invest and understand the risk side of it in order to gain that benefit. And you can’t ignore it.”
