If you’re a cloud software vendor who wants to sell — or has already sold — to federal government agencies, it’s likely that you’re already aware of FedRAMP compliance. But cyberattacks aren’t just limited to the federal government. With more people working from home and moving to the cloud now than ever before, news of attacks on state and local governments seems to be a common occurrence these days. Previously, there wasn’t a clear, standardized approach to the cybersecurity standards required from cloud software providers offering solutions to state and local governments. But all that may change with the introduction of StateRAMP.
What is StateRAMP?
Founded in early 2020, a non-profit organization called StateRAMP was formed to bring states together and create a common method to verify the security and manage risk from third-party solutions. While StateRAMP is just getting off the ground, it’s worth understanding it if you’re interested in selling to state and local governments or if you’re already certified for FedRAMP check out our FedRAMP solution brief.
In a nutshell, the StateRAMP organization brings together state & local governments, cloud service providers, and assessment organizations to reduce risk by standardizing an approach for verifying and monitoring security postures.
StateRAMP vs FedRAMP
It turns out that FedRAMP has blazed the trail for StateRAMP, as many of the processes and procedures mirror that of FedRAMP. In fact, both adhere to the complex controls outlined in the NIST SP 800-53 Revision 4 addressing all major known security risks for information systems and cloud systems.
How to get StateRAMP certified?
If your cloud software is FedRAMP Moderate certified today, then you’re in good shape to be at StateRAMP Category 3. Here are three important steps to get StateRAMP certified:
- Submit additional items to the StateRAMP PMO
- Become a member of StateRAMP
- Get a StateRAMP certified 3PAO to conduct an official assessment
Submit additional items to StateRAMP PMO
You can use your FedRAMP ATO to achieve reciprocity, but additional items need to be submitted to the PMO.
Become a member of StateRAMP
You’ll also need to become a member by paying an annual fee in addition to the other fees associated with becoming and remaining your authorization.
Get a certified 3PAO to conduct an official assessment
And of course, a StateRAMP certified 3PAO will need to conduct an official assessment when you’re ready.
Remember, for those software vendors who have achieved FedRAMP compliance but have not yet secured a federal agency sponsor, the reciprocity can allow a state agency to sponsor you.
For more frequently asked questions and answers, check out the FAQ page.
Anitian can help get you ready.
The longest and most grueling part of the FedRAMP (and/or StateRAMP) processes is getting ready for the audit by the 3PAO. Taking a do-it-yourself or consulting services approach typically takes 18-24 months to prepare, design, build, configure, and document all the components needed to pass a FedRAMP audit and achieve your Authority to Operate (ATO) for your cloud application in AWS or Azure. The costs can be surprising as well, rising near $2M for many implementations.
That’s where Anitian comes in.
Anitian SecureCloud for Compliance Automation platform can have you FedRAMP audit-ready up to 80% faster – and at half the cost – by leveraging a complete, pre-engineered cloud security environment that runs in your AWS or Azure account. The Anitian platform wraps around an application in hours to make existing or new cloud applications secure and compliant in days, rather than months or years. Ready to get started? Schedule a demo with the Anitian team today.
