Trying to modernize public sector technology while keeping up with cybersecurity threats can feel overwhelming. Governments want to take advantage of the power and flexibility of innovations in areas like cloud computing. But limited resources place a strain on reviewing new vendors.
The good news is that cybersecurity frameworks/programs like StateRAMP and FedRAMP streamline cloud procurement. Government organizations can also gain more assurance over their cybersecurity by choosing from vetted vendors.
However, it’s important to realize the differences between StateRAMP and FedRAMP. It’s not a matter of picking whichever one sounds better to you. Instead, StateRAMP is designed for state and local governments, while FedRAMP is used by federal agencies.
Not only do the target markets differ, as the names imply, but the services these programs provide vary as well. In this article, we’ll take a closer look at StateRAMP vs. FedRAMP.
What is StateRAMP?
StateRAMP is a non-profit membership organization that helps state and local governments find cloud service providers that meet certain cybersecurity standards.
While StateRAMP is not officially affiliated with the US government, it uses the National Institute of Standards and Technology (NIST) requirements to create a list of authorized vendors.
Membership is open for free to any state, local, education, tribal/territorial official or employee that’s responsible for information security, IT, privacy, and/or procurement, explains StateRAMP. A service provider can also obtain membership for a fee and can apply to get on the StateRAMP Authorized Vendor List.
What is FedRAMP?
FedRAMP is a federal program that federal agencies use to procure cloud services that meet NIST security standards. Rather than having every agency conduct their own security review for a cloud service offering (CSO) from scratch, FedRAMP standardizes and streamlines the process.
“A Cloud Service Provider (CSP) goes through the authorization process once, and after achieving FedRAMP Authorization for their CSO, the security package can be reused by any federal agency,” explains FedRAMP.
The FedRAMP program is part of the General Services Administration (GSA). And rather than being something that federal agencies choose to join, there are requirements to use the program when an agency works with a cloud-deployed product or service.
“FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High-risk impact levels,” as is explained in the FedRAMP FAQ.
StateRAMP vs. FedRAMP
StateRAMP and FedRAMP may sound similar, but there’s more than just a name that separates them. At their core, both programs help government agencies identify and procure cloud-service offerings that meet strong cybersecurity standards.
Differences between StateRAMP vs. FedRAMP
As mentioned, the main difference between StateRAMP and FedRAMP is that StateRAMP can be used by state and local governments, while FedRAMP is a federal program.
FedRAMP is also an official government program, whereas StateRAMP is a non-profit that is not affiliated with the U.S. federal government. FedRAMP has mandatory requirements for federal agencies, whereas compliance requirements to use StateRAMP vary among different state and local governments.
The way the programs operate also differs. FedRAMP is designed to support federal agencies that want to modernize their workflow and mandates the use of authorized cloud-services. While StateRAMP follows a similar path for local and state agencies, requirements are established at the state level.
Similarities between StateRAMP and FedRAMP
Both StateRAMP and FedRAMP use NIST Special Publication 800-53 Rev. 4 requirements to assess cloud-service providers for potential authorization. They are both moving toward Rev. 5 requirements.
The way the programs provide verifications and use NIST controls is also similar.
“StateRAMP and FedRAMP use impact levels of low, moderate, and high that align with NIST controls,” explains StateRAMP. “They utilize verified statuses of Ready and Authorized.”
Both programs have requirements for continuous monitoring (known as ConMon) of cloud service offerings.
These types of commonalities can be useful for those who work with both verification programs. For example, a state employee might be familiar with FedRAMP authorization if they worked with a federal agency previously, and now they might have an easier time using StateRAMP to procure cloud services.
Using StateRAMP in conjunction with audits
StateRAMP can help public sector auditors in several ways. For example, if you conduct an audit and identify technology and/or cybersecurity gaps, you might look to change vendors. In that case, turning to StateRAMP could help. Similarly, federal agencies would turn to a FedRAMP list of vendors for procurement.
If your organization already uses StateRAMP certified providers, then that might give you some assurance regarding the cybersecurity posture of those third parties.
Part of your audit process might include identifying which vendors you’re already working with that are part of the StateRAMP Authorized Product List. You also can note which ones are working toward full authorization. There are different statuses such as StateRAMP “In Process” and StateRAMP “Ready” that signify where a cloud service provider is on their StateRAMP authorization journey.
And as you work toward improving your IT internal controls and strengthening risk mitigation, you can turn to tools like TeamMate+. Not only can TeamMate+ provide an environment that meets FedRAMP security standards and guidelines, but it also helps you audit more securely, effectively, and efficiently. TeamMate+ is a FedRAMP authorized vendor, and we’re “In Process” with StateRAMP.