FedRAMP & StateRAMP: What You Need to Know

May 30, 2024

At a glance:

  • The main takeaway: FedRAMP and StateRAMP are compliance programs that standardize the cybersecurity requirements cloud service providers must meet; a provider that wants to sell its services to the government must navigate one of these processes successfully.
  • The impact on your business: Understanding each program’s requirements, roadmap, and the commitments it demands will help a company decide whether it wants to sell to the government, and whether it is ready to.
  • Next steps: Take in the insights in this piece, then contact Aprio for more information on how to achieve authorization effectively and efficiently.
Schedule a consultation with Aprio’s Information Assurance Services and Risk Management Team today.

The full story:

Cloud service providers (CSPs) understand that one or more forms of information assurance reporting (e.g., SOC 2, ISO 27001, HITRUST, PCI DSS) are almost always required by the commercial marketplaces they serve or seek to serve.

Many CSPs that have achieved success in commercial settings seek to expand into Federal and/or State government markets. These markets require a different form of information assurance as a prerequisite: the Federal Risk & Authorization Management Program (FedRAMP) for federal agencies, or the State Risk & Authorization Management Program (StateRAMP) for state governments.

CSPs that have made substantial investments in their commercially oriented information assurance programs are naturally inclined to underestimate the effort and cost of achieving compliance with these programs.

The NIST SP 800-53 Rev 5 information security standard underpins both programs. Meeting that standard, together with each program’s associated Continuous Monitoring (ConMon) requirements, almost always represents a very significant incremental effort beyond the assurance reporting options generally accepted in commercial marketplaces.

The associated cost and effort are significant enough that a CSP needs a measured business plan, one that reflects the realities of what it will take to achieve the certification and the payback, in the form of sales and profit, that the certification will make possible. Additionally, both programs contain continuous monitoring requirements, so CSPs must devote resources to defining, establishing, and implementing a continuous monitoring program, and must then maintain compliance for the lifespan of their product.

FedRAMP

This program is a federal government-wide compliance program that standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with the Federal Information Security Modernization Act (FISMA), OMB Circular A-130, and the FedRAMP Policy Memo, as established by the National Defense Authorization Act.

The program leverages standards and practices established by the National Institute of Standards and Technology (NIST) to create transparent standards and processes for security authorizations on a government-wide scale. Its combination of standardized security requirements for cloud services, standardized authorization packages and contract language, conformity assessment programs, and a repository for authorization packages creates a stringent framework for would-be technology providers, allowing the federal government to accelerate the adoption of cloud computing technologies while maintaining strict data security requirements.

The FedRAMP Marketplace

In addition to the compliance program, the FedRAMP Program Management Office (PMO) also maintains a database it calls the Marketplace. The Marketplace provides interested parties with a searchable and sortable list of all of the Cloud Service Offerings (CSOs) that have achieved program designation and the federal agencies using authorized CSOs, as well as a list of recognized auditors (i.e., Third Party Assessment Organizations, or “3PAOs”) that can perform assessments.

The Marketplace assigns each CSO one of three designations:

  • FedRAMP Ready: The lowest designation, this indicates that a 3PAO has assessed and attests to a CSO’s security capabilities, and that a Readiness Assessment Report has been reviewed and deemed acceptable by the PMO. Upon receiving this designation, the CSP in question has 12 months to find an agency sponsor to move forward with the process.
  • FedRAMP in Process: This designation is provided to CSPs that are actively working with either the Joint Authorization Board (JAB) or a federal agency and are well on their way to authorization.
  • FedRAMP Authorization: CSPs receive this designation after successful completion of the authorization process with the JAB or a federal agency.

StateRAMP

This is a FedRAMP-adjacent program that provides standardized cloud computing security standards and procedures for cloud service providers working with any or all state governments. The program’s standards and requirements are built on NIST Special Publication 800-53 Rev 5 and modeled in part after FedRAMP. Its structure is based on a “complete once, use many” concept that saves time and reduces costs for both governments and service providers.

StateRAMP Authorized Product List

This is a list, published on the StateRAMP website, of service providers that have obtained a StateRAMP Authorization Designation of Progressing or Verified.

Progressing

This designation identifies cloud service offerings that are working towards full Verified status. Products with this designation fall into four subcategories:

  • Progressing: Given to products that are enrolled in the Progressing Snapshot Program and have submitted artifacts to receive their Snapshot score.
  • Active: Products that are working toward Ready.
  • In-Process: Products that are working toward Authorized.
  • Pending: Products that are currently being reviewed by the PMO and are awaiting a determination for Verified status.

Verified

Verified designations are given to products that meet minimum security requirements and have undergone an independent audit conducted by a 3PAO. They come in three subcategories:

  • Ready: Indicates the CSP product meets the requirements in the Ready Minimum Mandatory Requirements Policy. Allows a CSP to pursue contracts with state and local governments.
  • Provisional: This designation requires a state or local government sponsor and may be designated when a product meets most but not all critical controls.
  • Authorized: This designation is given to products whose security packages have been validated by the PMO and who have already demonstrated compliance with all required security controls.

Authorization Requirements

The Authorization Package for either program consists of the essential documents that demonstrate a cloud system’s compliance with applicable requirements. These documents are crucial for obtaining an authorization to operate (ATO) within the government environment (Federal / State) and include:

  • System Security Plan (SSP) and attachments – a comprehensive document that describes the cloud service offering, the NIST SP 800-53 Rev 5 security controls that apply to it, and how the CSP implements those controls. Required SSP documentation includes but is not limited to:
    • Minimum Baseline Controls: Under both programs, the CSP system is assigned a Low, Medium, or High risk ranking corresponding to its role relative to sensitive data and services. Each program then designates a specific minimum baseline of control requirements based on this ranking: approx. 150 controls for Low, approx. 320 for Medium, and 410 for High.
    • Security Policies and Procedures addressing each of the NIST SP 800-53 Rev 5 control families.
    • Other required plans, including the Information System Contingency Plan, Configuration Management Plan, Incident Response Plan, and Supply Chain Risk Management Plan.
  • Security Assessment Plan (SAP) – a detailed document of test procedures performed by a 3PAO to assess a CSP’s SSP.
  • Security Assessment Report (SAR) – a 3PAO-produced report detailing the results of their assessment of the CSP.
  • Plan of Action & Milestones (POA&M) – details any security control weaknesses identified in the 3PAO assessment and the CSP’s action plan for remediation.

Authorization Roadmaps

Both programs have similar timelines for authorization. Completing all the necessary steps and providing the necessary documentation could take up to a year for either program. The roadmap can be broken up into three phases: Preparation, Assessment and Authorization.

StateRAMP offers a Fast Track option for companies that already have a FedRAMP ATO, P-ATO, or Ready status, allowing them to streamline the StateRAMP authorization process.

Preparation

Timeline: 2 – 6 months

Preparation is the first, longest, and most crucial phase of the authorization process. There are a number of common steps and experiences that CSPs can expect in this phase, including:

  • Planning and strategy
  • Design
  • Determining sponsorship approach
  • Identifying the impact level of your service
  • Completing a Readiness Assessment Report (RAR) to identify gaps (optional)
  • Developing a comprehensive Authorization Package
  • Engaging a 3PAO to develop a Security Assessment Plan (SAP)

Assessment

Timeline: 2 – 3 months

  • 3PAO evaluation of compliance with applicable requirements
  • Remediation of gaps within the required timeframes
  • Generation of the Security Assessment Report (SAR) and Plan of Action & Milestones (POA&M)

Authorization

Timeline: 2 – 3 months

  • Prepare and submit the Authorization Package to the authorizing body
  • Receive verification of the security package and audit findings
  • If all controls are met, the package is accepted and the CSP is listed in the Marketplace.

Continuous Monitoring

Both programs contain continuous monitoring requirements as described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. CSPs will need to take these requirements into account and devote resources to defining, establishing, and implementing a continuous monitoring program. Afterwards, they will need to maintain it for the lifespan of their product, which can be a significant undertaking in itself.

A final word

The government takes cybersecurity seriously for a reason. Cloud service providers that want to work with the government will have to achieve authorization. The process may be demanding, time-consuming and resource-intensive, but the hill is worth the climb. The arduous nature of the effort underscores the importance of finding the right partner.

Schedule a consultation with Aprio’s Information Assurance Services team today.


About the Author

Dan Schroeder

As a Partner of Aprio’s Information Assurance Services team, Dan applies his over 25 years of experience in IT, operational and risk management functions to provide guidance on cybersecurity and privacy risk management strategies to the CISOs, CIOs and Internal Counsel of domestic and international technology-based businesses. In addition to helping clients establish, monitor and maintain effective information security and privacy risk management programs, Dan specializes in providing risk assessments and attestation services to address PCI, ISO, CMMC, FedRAMP and other leading privacy and security protocols.


Scott Ritchie

As the Director of Aprio’s Compliance-as-a-Service Practice, Scott applies his experience, technical acumen, and insight to helping the CISOs of technology companies establish and maintain robust, efficient, and effective security and privacy programs that guarantee compliance with various security requirements. In addition to helping build, rebuild, and maintain security programs, Scott provides his clients with outstanding audit, governance, compliance, and risk management services.

