State and local governments, public education institutions, and special districts are now a top target for cyber criminals. Each week, more headlines report major companies and governments affected by cyber-attacks. Recognizing the limitations of budget, bandwidth, and shortages in the cyber workforce, StateRAMP provides an immediate solution to universities through the organization’s shared services and standardized verification model for cloud-based software, such as TeamMate+.
However, when it comes to education, concerns over cybersecurity are impacting more than just our colleges, universities, and higher education facilities. The K12 Security Information eXchange (K12 SIX), a national non-profit organization dedicated to protecting school districts, charter schools, private schools, and regional and state education agencies from emerging cybersecurity threats, conducted a webinar on how educational vendors should be identifying opportunities to embrace their cybersecurity responsibilities. During that presentation, it was discussed that “the most significant vector for student and teacher data breaches—in terms of numbers of individuals affected—are school district vendors and other trusted non-profit partners.”
Doug Levin, the National Director of K12 SIX, has also commented in an article on improving K-12 vendor risk management that, “Procuring technology tools and services is complicated work, and many organizations have sought to make that process easier for the public sector. By focusing on cybersecurity risk management, StateRAMP addresses a key pain point for state and local public education agencies—and the vendors and suppliers that serve them.”
But what is StateRAMP? Modeled closely after the Federal Risk and Authorization Management Program (FedRAMP) — which began in 2011 to ensure the security of cloud services used by the U.S. Government — StateRAMP certification works to establish the needed baseline of state procurement standards for secure cloud services, while utilizing many of the same underlying standards as FedRAMP, such as NIST 800-53, Rev 4.
StateRAMP requirements are designed to serve higher education by providing a simplified and standardized approach to validate the cyber posture of the vendors who offer Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) solutions that may process, transmit, and/or store any government data. When partnering with StateRAMP, universities will receive education, consultation, and ongoing support through the implementation, contract award, and continuous monitoring phases of the procurement cycle.
Participating institutions have access to StateRAMP’s secure repository to view vendor security packages, security statuses, and monthly and annual reporting tailored to the government’s specific cybersecurity needs. With StateRAMP, every university can take action to safeguard its cyber posture and move to protect critical data from increasing cyberthreats.
When universities adopt StateRAMP, they can expect a range of immediate and long-term benefits that include:
- Procedures, including language in solicitations and contracts, that are updated to reflect improved cybersecurity requirements.
- Organizational policies that are updated to include improved cybersecurity language and vendor requirements.
- Education of the vendor community by StateRAMP staff on the improved cybersecurity requirements, with access to ongoing training and assistance as needed.
- Full training of Information Security staff to access vendor security documents and to receive reporting from the StateRAMP PMO.
- Education of procurement staff across the organization by StateRAMP staff on the improved cybersecurity requirements, with access to ongoing training as needed.
To learn more about how to adopt StateRAMP for your public education institution, you may visit the Getting Started with StateRAMP Government Guide. Additionally, TeamMate is currently “In Process” for StateRAMP authorization and will soon be able to offer a cloud-hosting environment and a solution that has been independently verified and is subject to continuous monitoring to protect your agency and the public you serve.