A Faster On-RAMP to Secure Audits for State Agencies

State agencies need secure software to manage their audits. Rather than going through the complex and time-consuming process of evaluating each potential vendor’s security practices, agencies can rely on cybersecurity authorizations from FedRAMP and emerging StateRAMP programs to assure compliance.

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a program run by the General Services Administration (GSA) to create a standardized approach to security assessment, authorization and continuous monitoring for cloud services. All executive agency cloud deployments are required to comply with FedRAMP standards.

To receive FedRAMP authorization, a cloud service provider must go through an intensive security assessment conducted by an accredited Third Party Assessment Organization (3PAO) and then undergo rigorous continuous monitoring, including regular vulnerability scanning and annual reassessments.

What is StateRAMP?

The State Risk and Authorization Management Program (StateRAMP) is an emerging program to precertify the cybersecurity of cloud vendors for state and local governments. Launched in early 2021, the StateRAMP program is modeled on its federal counterpart and is designed to help state agencies select from a list of precleared vendors.

What is the difference between FedRAMP and StateRAMP?

Although they differ in key ways that serve their different constituencies, there is a great deal of overlap between the requirements of FedRAMP and StateRAMP. Among the similarities are their grounding in the security controls of National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4, the requirement for third-party assessment, and the requirement for continuous monitoring.

FedRAMP is a US Government program. To be an authorized service provider in the FedRAMP program, a company must be doing business with the federal government. StateRAMP is an independent nonprofit business group that helps vendors by providing them with security resources and validation of their security posture, thereby reducing time to market. The FedRAMP Program Management Office (PMO) is purely a reviewing and management body; the StateRAMP PMO is a shared resource among service providers and government entities.

Why are common standards important?

Data breaches of government or other public-sector systems, whether involving ransomware or the loss of personally identifiable information, are no longer unusual. A 2018 ransomware attack held Atlanta's computer systems hostage for nearly a week. In 2020, there were major breaches confirmed in Arizona, California, Ohio and Texas. Attacks on healthcare systems are nearly commonplace.

Clearly, cybersecurity at the state and local levels needs to be top of mind, but the process of vetting vendors for each contract is onerous. A common set of standards promises to save money and time for vendors interested in state and local contracts, as they would be relieved of the burden of a separate security audit for each RFP. The StateRAMP program also saves governments time, because they can be assured that precleared vendors meet a strong, agreed-upon set of standards and best practices.

Vendors that already hold FedRAMP authorization also qualify for StateRAMP authorization through a Fast Track program. The common set of standards will speed the lengthy contracting process for agencies and the vendors that serve them. While StateRAMP programs are still being established, a vendor's participation in FedRAMP can give state and local customers confidence that it adheres to rigorous security standards.

For information about Diligent's HighBond platform's FedRAMP and DoD Impact Level 5 authorizations, read the press release.
