An overview of the NIST Cybersecurity Framework, FedRAMP, and StateRAMP
Compliance 20 September, 2023

The Securities and Exchange Commission’s (SEC) recent decision to require cybersecurity risk management, strategy, and governance disclosures has many audit leaders revisiting their organization’s use of cybersecurity frameworks. One common area of confusion is the relationship between the most frequently used IT security frameworks and programs: the NIST Cybersecurity Framework (CSF), NIST 800-53, FedRAMP, and StateRAMP. While all of these are related to the National Institute of Standards and Technology (NIST), each has a distinct application.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a voluntary framework of standards, guidelines, and best practices that helps organizations better manage cybersecurity risk. It guides organizations in implementing a cybersecurity control environment covering five functions: Identify, Protect, Detect, Respond, and Recover. Each function contains NIST framework cybersecurity controls and guidance. The NIST Cybersecurity Framework references NIST 800-53, Security and Privacy Controls for Information Systems and Organizations, and each NIST framework cybersecurity control is mapped to corresponding NIST 800-53 controls. A NIST audit for compliance with the NIST framework cybersecurity controls would include an audit of adherence to all controls across the five functions.

What is NIST 800-53?

NIST 800-53 is a catalog of general IT security controls that federal agencies and corporations can use to better protect their information systems and data. It is designed to help organizations protect their information systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction by specifying controls organized into categories (control families). A NIST audit for compliance with these controls would consider how the organization addresses risks and controls across all categories covered by the framework. The NIST 800-53 controls form the basis of both FedRAMP and StateRAMP authorization.

What are FedRAMP and StateRAMP?

Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the U.S. that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. Cloud service providers who want to provide services to federal government agencies undergo a rigorous security assessment process conducted by a third-party assessor. Some FedRAMP authorizations can be leveraged by companies as well as government agencies.

StateRAMP is a voluntary program run by a non-profit organization that helps state and local governments identify cloud service providers that meet the NIST 800-53 cybersecurity standards. Cloud service providers must also be assessed and continuously monitored by StateRAMP to achieve authorization status. StateRAMP operates in a similar fashion to, but is independent from, FedRAMP.

A shared foundation

The NIST Cybersecurity Framework, FedRAMP, and StateRAMP may have a shared foundation, but it’s important to note that each has a different focus. The NIST Cybersecurity Framework provides the information needed to assess an organization’s own security and offers a helpful guideline for individual evaluations, while FedRAMP and StateRAMP — each based on the controls set out in NIST 800-53 — address the security of third-party cloud service providers serving government agencies. While the NIST Cybersecurity Framework, FedRAMP, and StateRAMP have different objectives, each is designed to build a strong system of cybersecurity controls.

The NIST Cybersecurity Framework, FedRAMP, and StateRAMP

By leveraging the best practices of the NIST Cybersecurity Framework, and/or working with FedRAMP- or StateRAMP-authorized providers, organizations can strengthen their cybersecurity posture:

  • Internally, the NIST framework cybersecurity controls can be a comprehensive best practice guide for an end-to-end cybersecurity control environment. The framework challenges organizations to consider their controls compared to over one hundred best-practice cybersecurity controls.
  • Externally, FedRAMP and StateRAMP can serve different purposes. One way is to look for FedRAMP and StateRAMP Authorized vendors who have already been vetted through an independent process. Another way is to use the controls and guidance within FedRAMP as a blueprint for evaluating third-party vendors, as public and private organizations hold their vendors to higher standards each year.

As organizations continuously strengthen their cybersecurity control environments, leveraging the NIST CSF, FedRAMP, and StateRAMP will continue to provide a solid internal control foundation.
