StateRAMP to Help Secure State and Local Government

Public agencies are attractive targets for cyber criminals, with troves of personal data, control over vital services and infrastructure and often — especially at the state and local levels — inadequate security systems. Recent headlines have underscored the vulnerability of state agencies, municipalities and educational institutions, with townships paying ransom to regain control of their IT systems, schools canceling classes and citizens falling victim to identity theft.

A new public-private initiative called StateRAMP aims to make it easier and cheaper for state, local and education (SLED) institutions to improve their cyber resilience while transitioning to cloud-based services. Modeled on the Federal Risk and Authorization Management Program (FedRAMP), StateRAMP will establish a baseline of state procurement standards for secure cloud services, certify cloud service providers and conduct ongoing verification of providers’ security measures.

“This is a big undertaking,” StateRAMP Executive Director Leah McGrath said in a recent podcast cohosted by DataBank and Mimecast. “We have a real opportunity to help state and local governments and their providers improve their cyber posture.”[1]

A Patchwork of Data Security Policies and Standards

The SLED environment’s cybersecurity profile is riddled with gaps. Institutions’ security needs are often underfunded and understaffed, issues that are compounded by long and complex procurement processes. With cyber criminals looking to exploit easy targets that have valuable and critical data, government agencies and the citizens they serve face mounting risk of ransomware, compromised databases and disrupted public services.

In general, data security policies and standards are set at the state level, to cover various government departments, and then trickle down to municipalities and schools that receive state funding. Most draw on frameworks developed by the National Institute of Standards and Technology (NIST) and others including the FedRAMP procurement standards for cloud services. But details vary within and among states. Verification and ongoing controls may be lacking. And smaller local municipalities and schools may have scant protections in place.

StateRAMP would act to close many of these gaps. “As an advocate for strong but fair cybersecurity standards, StateRAMP works to bring together service providers, policy makers, industry experts and government officials to drive the future of cybersecurity,” its organizers say.[2]

CISOs Voice Concerns Over the Status Quo

State-level CISOs recently revealed just how concerned they are about attacks on local municipalities. Over half (56%) said they “are not very confident” and 35% said they “are only somewhat confident” in local government data security practices. Over four-fifths (81%) also said they are only somewhat or not very confident in the data security practices of third parties such as cloud service providers.[3]

In Mimecast’s latest research on The State of Email Security in the U.S. Public Sector, more than half of the SLED security officers surveyed said it was “likely” or even “inevitable” that an email-borne attack could inflict serious harm to their organization. In other research, The State of K-12 Cybersecurity report tracked more than 400 cyberattacks on U.S. schools in 2020, up 18% over 2019.[4]

StateRAMP to Help States Build Defenses

StateRAMP was launched in January to support SLED institutions in several ways:

• A StateRAMP list of authorized vendors will certify cloud service providers’ data security capabilities for processing, storing and transmitting government data. StateRAMP’s first vendor list is promised to be posted online this summer.
• StateRAMP will provide documentation and a list of third-party assessment organizations (3PAOs) to help service providers gain certification. SLED officials will be able to request vendors’ completed security assessments.
• Continuous monitoring will include annual 3PAO assessments as well as monthly and quarterly reporting to StateRAMP.
• Tools, education and other resources will help SLED officials evaluate organizational risk tolerance and prioritize security in procurement.

Given the diversity of states’ needs, StateRAMP is intended as a baseline, to which governments could add specifications if they see fit. Observers expect that up to 10 states could commit to using StateRAMP for procurement by the end of this year. Already, officials from several states and the National Association of State Chief Information Officers sit on StateRAMP boards and committees.

Streamlining procurement can reduce the high cost of staffing and running complex contracting processes. And certifications can increase SLED officials’ confidence in choosing secure service providers.

Because of these benefits, StateRAMP’s work is also expected to speed the public sector’s transition to the cloud, which offers its own cost efficiencies and often better security alternatives to on-premises IT systems. “Not only will StateRAMP accelerate states’ move to the cloud, it will grease the skids,” says Jon Goodwin, Director, U.S. Public Sector & Education, at Mimecast.

Leveraging FedRAMP in the States

StateRAMP is modeled on the decade-old FedRAMP used by the General Services Administration (GSA) to hold federal contractors to requirements for myriad specifications, such as encryption and other critical process controls. And while some states use FedRAMP as a reference, the GSA only certifies service providers that have contracts with federal agencies. This limits the pool of available service providers, among other drawbacks to meeting state-level needs for access to the actual security assessments and for continuous monitoring.

StateRAMP is leveraging FedRAMP to accelerate its startup phase. It is also offering a fast track to StateRAMP certification for current FedRAMP-authorized cloud service offerings, of which there are over 200.[5] As reported in Governing magazine, “If the FedRAMP legacy is any indicator of success, StateRAMP is likely to revolutionize procurement of cloud services by state governments and many of their cities and counties.”[6]

The Bottom Line

State and local governments and schools have been aggressively targeted by ransomware and other cyberattacks, since they handle so much data on their citizens and run such critical operations. A new initiative called StateRAMP aims to help turn the tide on cybercriminals by uniting states around a better way to procure more secure cloud services.

[1] “StateRAMP,” CISO Corner

[2] “About StateRAMP,” StateRAMP

[3] “2020 Deloitte-NASCIO Cybersecurity Study,” National Association of State Chief Information Officers

[4] “The State of K-12 Cybersecurity,” K12 Six

[5] “FedRAMP Reaches 200 Authorizations,” FedRAMP

[6] “’The Easy Button’ for Taking Government to the Cloud,” Governing