Across state governments, cybersecurity leaders are increasingly focused on evaluating their organizations’ cloud IT vendors to ensure those companies’ products are up to the standards laid out by one of several certification programs.
And while IT vendors will gladly brag that their platforms are rated by the Federal Risk and Authorization Management Program, or FedRAMP, that the U.S. government uses to review its providers, a number of states are setting additional standards of their own.
During StateScoop’s Cybersecurity Modernization Summit last week, cyber leaders from Texas and Michigan described how their agencies have taken steps to apply further scrutiny to the cloud vendors their states do business with.
“What we want to do is that once we know a vendor has a security posture established, we need to figure out what the shared responsibility model for the consumer-provider relationship,” said Jayson Cavendish, Michigan’s deputy chief security officer. “It’s not good enough to say I’m in a FedRAMP environment like AWS or Google Cloud or Azure, but how do I configure my responsibilities in that environment to ensure I remain secure?”
Meanwhile, programs like the year-old StateRAMP organization are attempting to set standards for state and local IT vendors. StateRAMP announced last month that its rubric is now being used by statewide and local agencies in 10 states, with a growing list of companies that’ve been approved.
StateRAMP, though, is voluntary and non-binding. Some states, like Texas, are building authorization models of their own. Texas CISO Nancy Rainosek said that the new TexRAMP program is meant to ensure that the Lone Star State’s IT vendors live up to the standards agencies set for themselves.
The TexRAMP program is set up to accept vendors that’ve been authorized under FedRAMP or StateRAMP, Rainosek said, but it’s also tailored to the specific needs of Texas agencies.
“What we’re asking is that vendors have the same security controls that we ask of our state agencies,” she said.