Ready for a new RAMP? Welcome to StateRAMP!

September 27, 2023 | by Jason Oksenhendler, VP of Cloud Compliance

Ready for a new RAMP? Welcome to StateRAMP, a security framework that is disrupting how state and local governments and educational institutions (SLED) protect critical information and infrastructure. StateRAMP was created to level the playing field by creating a standardized approach for service providers to offer their products to SLED entities.

StateRAMP probably sounds VERY similar to its Federal counterpart, FedRAMP. In some ways it is, and in other ways, it is not. StateRAMP is based on security controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. The guidance and controls developed and selected are required to be in place to protect SLED data that is processed, stored, or transmitted.

Since its inception in 2020, StateRAMP has gained national attention and has taken the cybersecurity world by storm. As of this writing, 19 states, 5 local governments, and three higher education institutions have adopted StateRAMP. Here’s the link if you want to track or see which entities are joining. If you think about it, in four years’ time, 19 states, almost one half of the country, have implemented this new security framework. People often ask me, “Is StateRAMP for real?” My response is, “Yes. It is very real.” StateRAMP was born out of a need to standardize IT security among SLED entities because there was no standard; it was the wild, wild west, and anyone could do security the way they saw fit, which in some cases wasn’t secure at all. Those days are over. Without StateRAMP authorization, it is going to be very difficult for service providers to do business with states that include a StateRAMP requirement in their requests for proposals (RFPs).

By now you’re wondering, how does this affect me and my organization? Well, there are different lenses for different entities. If your organization is a third-party assessment organization (3PAO) and is A2LA-accredited and FedRAMP authorized, you can apply through the StateRAMP website. If you are a SLED entity, StateRAMP will bring about a security environment the likes of which have never been seen before. If you are a service provider, StateRAMP will allow you to bid on work requiring a StateRAMP authorization.

In my next blog, we will discuss why your organization should consider starting with StateRAMP.

Jason Oksenhendler

Jason Oksenhendler is the Vice President of Cloud Compliance at MerlinCyber.  He is a founding member of the StateRAMP Steering Committee and Standards and Technical Committee.  In addition to being a StateRAMP SME, Jason is a former member of the FedRAMP Joint Authorization Board.
