Starting with StateRAMP? What’s Next?

September 28, 2023 | by Jason Oksenhendler, VP of Cloud Compliance

You have to start somewhere, right? Let’s be real and not kid ourselves: implementing StateRAMP is going to take hard work, money, and manpower. There’s more than one way to skin a cat, but just make sure the cat is not a lion.

From my first-hand experience, I can say unequivocally that cutting corners and taking shortcuts will not help you one bit; in fact, it will turn things into an ugly nightmare of endless rework and lost money. Now, I am not insinuating that you are going to do this, but I have also watched service providers implode, and it’s not pretty.

So, why start with StateRAMP?

The simplest answer I can give you, after much thought and deliberation about how to answer this, my “final answer” (RIP Regis Philbin), is that StateRAMP’s product offerings meet service providers where they are in terms of risk posture. For instance, if the only thing you’ve done is run an operating system scan once a month for a year, I am going to go out on a limb and say that your organization is not in a position to attain StateRAMP Ready, StateRAMP Provisional, or StateRAMP Authorized status. There is a lot of work associated with these three statuses. That said, StateRAMP has a less rigorous option for service providers who are just starting out and figuring out how to navigate StateRAMP. It’s called StateRAMP Snapshot. Think of it as an early gap analysis. The snapshot comes with criteria and a scoring system that tells providers where they stand in terms of the level of effort and NIST maturity required to achieve, at a minimum, StateRAMP Ready status. There is a fee, and the snapshot takes around three weeks to complete. Also, state governments can request copies of the snapshot so they can see the progress a service provider has or hasn’t made, should the provider bid on an RFP that requires StateRAMP.

Whether or not your organization ultimately moves forward with StateRAMP, a StateRAMP Snapshot is a great way to decide whether to build a business case or to get out of the game, at least for the time being.

Jason Oksenhendler

Jason Oksenhendler is the Vice President of Cloud Compliance at MerlinCyber.  He is a founding member of the StateRAMP Steering Committee and Standards and Technical Committee.  In addition to being a StateRAMP SME, Jason is a former member of the FedRAMP Joint Authorization Board.
