StateRAMP attracts more states, education sector
StateRAMP, the two-year-old group working to build a standardized security rubric for state and local IT vendors, announced Tuesday that several more governments and other organizations have begun using its standards.
Those new partners include the K12 Security Information Exchange, a group that’s bemoaned the lack of security standards for grade-school tech providers, and the University of North Carolina system, which Leah McGrath, StateRAMP’s executive director, suggested could be the first of multiple public higher-education systems to adopt the standards.
Just as the Federal Risk and Authorization Management Program, or FedRAMP, uses a network of outside assessment organizations to rate the security of cloud vendors doing business with the U.S. government, StateRAMP has assessors doing the same for state and local sellers. It also offers continuous monitoring for approved products. Those services are now being extended to the education sector, McGrath told StateScoop.
Major universities like UNC, she said, are charged with protecting data belonging to thousands of students and staff, and keeping sensitive research under wraps from malicious actors looking to steal intellectual property. Universities with medical schools are also subject to laws governing patient data.
“We started seeing opportunities there, and because so many public universities work with the state, it became a real natural transition or expansion,” McGrath said.
North Carolina was one of the first 10 states to start using StateRAMP to validate its cloud vendors. McGrath said the state’s Department of Information Technology cybersecurity strategy made it easier for the University of North Carolina to join in.
“What’s neat in North Carolina is you have a whole-of-state approach,” she said. “Where [UNC is] similar to state government is that there wasn’t a standardized way to manage compliance with continuous monitoring. Whether it’s centralized procurement in IT or decentralized, we have the ability and flexibility to work with them.”
‘A growing crisis’
The K-12 field works a bit differently, though.
During a webinar hosted by K12 SIX on Tuesday, McGrath said she’s also seen new opportunities for StateRAMP in the K-12 space. School districts nationwide have for years been bombarded by ransomware — including, recently, in Los Angeles — and the COVID-19 pandemic also prompted schools to adopt more cloud-based applications.
“As we’ve seen this trend of modernization, we also have to be cognizant of the added responsibility it brings to each of us,” McGrath said. “I have three teenagers and we lived through the pandemic, so I’m very familiar with the educational tools that got us through.”
K12 SIX’s executive director, Doug Levin, has been critical of security standards in edtech and repeated those concerns Tuesday. Of the roughly 1,300 cybersecurity incidents K12 SIX has counted since 2016, 55% originated with a vendor, he said.
“This is a growing crisis,” Levin said, noting recent data breaches involving Battelle for Kids and Illuminate Education.
Through the local governments that’ve adopted StateRAMP, there are between 40 and 50 school districts that could sign on to the group’s standards, McGrath told StateScoop.
“They are starting to have those conversations,” she said.
‘Is it connected?’
In addition to K12 SiX and UNC, StateRAMP on Tuesday announced another slew of state governments that’ve started adopting its standards, including agencies in Colorado, Maine, North Dakota, Vermont and West Virginia, as well as the judicial branches of Arkansas and Nebraska.
At the local level, McGrath said StateRAMP is now also working with the New York State Government IT Directors Association, potentially allowing it to reach into counties, cities and towns across that state. The organization is also working with Fayetteville State University, another public college in North Carolina.
While every organization incorporating StateRAMP’s model has its intricacies, McGrath said there is a common set of questions that applies across government and education.
“You always have to ask, is this a cloud solution?” she said. “Is it transmitting, processing or storing private or confidential data? Or could it impact your data? Are you connected, is it connected? That’s the question each K-12 school, each organization is going to have to take a look at.”