‘StateRAMP’ group aims to grade state and local vendors’ security

Similar to how the federal government vets cloud services for their security parameters when bidding on contracts, a group of state IT officials and vendors is attempting to build a similar program for state and local providers.

The StateRAMP consortium, which launched late last year, plans to offer frameworks for verifying that government IT vendors adhere to certain cybersecurity and risk assessment standards. The effort is modeled on the Federal Risk and Authorization Management Program, or FedRAMP, which offers a standardized approach to grading the security of federal vendors.

The new group arrives when most states are following the security and privacy controls — the same that govern FedRAMP — laid out by the National Institute of Standards and Technology.

“If you look at the data breach with [the U.S. Office of Personnel Management], because we deal with personal identifying information, payment card industry information, we decided we need to ensure we are meeting states’ policies,” said Joe Bielawski, a member of the StateRAMP board of directors who is also president of Knowledge Services, a managed service provider with dozens of state and local customers.

Bielawski said StateRAMP grew out of conversations beginning in early 2020 with Arizona Chief Information Officer J.R. Sloan. He said the two discussed ways to strengthen the relationship between technology officials who work with vendors and the lawyers and procurement officials who negotiate contracts. From those initial talks, Bielawski and his colleagues spent more than 1,000 hours last year talking to other state and local officials about the prospects of a standardized cloud security platform.

‘The stewardship chain’

Sloan, who also sits on the StateRAMP board, said Arizona had already been trying a localized version of the FedRAMP process called AzRAMP, which requires bidders for state contractors to meet NIST standards.

“We’ve been navigating these waters as we in Arizona follow a cloud-first policy,” he said. “We’re going be looking at cloud service providers and cloud products. That means data for the state is moving to a new location. We need to vet the vendors that are entering the stewardship chain.”

Sloan said AzRAMP also made it easier for state technology and procurement officials to review potential contractors by weeding out the weaker ones.

“There’s the burden we were taking in in reviewing vendors,” he said. “How do you not force our guys to go to 10 vendors because they’re responding to an RFP when only two or three are going to be acceptable?”

Sloan and StateRAMP’s other backers hope to replicate that effect elsewhere to make it easier for states to standardize their tech contracting.

“Government is a steward of the people’s data,” said Indiana Chief Privacy Officer Ted Cotterill. “We need to be able to reduce cyber risk in all these vendor agreements we have. In government we’ve argued for these increased standards on a one-off basis. And we lack uniformity in application.”

In Indiana alone, where Cotterill has advocated for policies that simplify internal data-sharing agreements, he estimated there are between 70 and 100 agencies negotiating their own IT contracts. By promoting uniform standards modeled on federal benchmarks already being widely followed, it “reduces the negotiating runway,” he said.

“That’s government efficiency and it applies very evenly,” Cotterill said.

‘Beyond IT’

Under FedRAMP, federal cloud providers are reviewed periodically by third-party assessment organizations. Accredited 3PAOs, as these reviewers are known, are responsible for conducting initial and annual tests of cloud service providers’ adherence to the required security protocols.

StateRAMP Executive Director Leah McGrath, who is also a Knowledge Services vice president, said StateRAMP will use many of the same assessment organizations as FedRAMP does. It will also have multiple levels of authorizations that depend on the intensity of the potential impact of a cybersecurity event with the affected system, similar to how FedRAMP gives ratings of “low,” “moderate,” and “high.”

With the plan in place, the StateRAMP group’s next challenge is to find adoption in as many states as possible.

“There’s definitely interest,” said Sloan, who said he’s presented it to his fellow members of the National Association of State Chief Information Officers. (NASCIO Executive Director Doug Robinson is a member of StateRAMP’s steering committee.) “We’re all wrestling with the problem. It’s beyond security, it’s beyond IT. It’s procurement, it’s across businesses. We’re trying to bring some consistency and leveling the playing field.”