The StateRAMP consortium, a group of state technology officials and industry consultants, released on Tuesday its first list of companies approved by a new process grading the security of state government cloud vendors.
The organization said that 51 products from 24 companies made the cut, as the StateRAMP group seeks to encourage governments to apply more scrutiny toward their IT contractors.
StateRAMP was launched in late 2020 with the goal of giving states a process akin to the Federal Risk and Authorization Management Program, or FedRAMP, which grades the security of federal vendors. Like FedRAMP, the new organization’s criteria are modeled on the cybersecurity framework issued by the National Institute of Standards and Technology and depend on authorized third-party organizations to assess whether companies and products meet those requirements.
“There is no question that state and local governments are under attack, and the threats to our communities’ infrastructure, utilities, and information are very real,” StateRAMP Executive Director Leah McGrath said in a press release. “StateRAMP is an important step that state and local governments can take today to work toward a more secure future.”
The initial authorized vendor list, or AVL, includes companies and products with verified security statuses, as well as vendors whose certifications are still being processed by one of the outside assessors. StateRAMP’s rubric offers three verified statuses: “Ready,” indicating a product meets the minimum standards; “Provisional,” meaning the product exceeds the minimum requirements; and “Authorized,” when a product satisfies all the security requirements and has a government sponsor.
Along with satisfying the StateRAMP standards, vendors must also comply with continuous monitoring to keep their status.
Additionally, there are three statuses for products that are still under review: “Active,” for services that are on track for a Ready certification; “In Process,” for vendors seeking an Authorized rating; and “Pending,” when a vendor is waiting for the determination of its verified status.
Of the 51 products included on the AVL, the vast majority are still under review, including 22 marketed by Cisco. Four — including a VPN and internet gateway sold by Zscaler — have met the “Ready” certification.
Arizona will be the first state to implement StateRAMP when it begins testing the framework later this month, Chief Information Officer J.R. Sloan told StateScoop last week. (Sloan is one of StateRAMP’s founders and directors.) Other states are developing their own replicas of the FedRAMP process, including Texas, which recently enacted legislation authorizing the development of a program called TexRAMP.
The new Texas program will accept certifications from other cloud-security standards, like FedRAMP, state CIO Amanda Crawford told StateScoop in July. McGrath said Tuesday that TexRAMP will also accept StateRAMP-issued credentials.