StateRAMP is here to stay. Are you ready?

By Ceren Öney, SLED Market Intelligence Manager

Formal adoption of StateRAMP into IT procurement policies is rapidly increasing. Last year, we encouraged vendors to put StateRAMP on their radar screens. Since then, nearly 200 government members representing 33 states have joined.

For service providers selling into state, local, and education institutions, now is the time to ensure that your cloud security is compliant with StateRAMP requirements.

While StateRAMP itself may still be a few years from being a household word, that doesn’t mean that state and local governments have been sitting idly by. The move toward better monitoring and certification of state, local and education network security has been going on for years, with two states at the forefront.

Arizona and Texas introduce state-specific frameworks

In September 2021, Arizona CIO J.R. Sloan announced the state will “test-drive” StateRAMP over the next year. Sloan, StateRAMP President and founding board member, had previously introduced AZRamp, Arizona’s Risk and Authorization Management Program. Arizona’s move to test StateRAMP doesn’t come as a surprise and further solidifies Sloan’s confidence in the program.

Meanwhile, effective January 1, 2022, Texas requires state agencies to enter or renew contracts only for cloud offerings that comply with the Texas Department of Information Resources’ (DIR) own security framework, TX-RAMP.

Rising ransomware attacks targeting state and local governments, schools and colleges have increased the pressure to strengthen cybersecurity postures and protect against incursions by bad actors. Coupled with the shift to digital services due to COVID-19’s disruptions and the federal funding available under the Infrastructure Investment and Jobs Act and the American Rescue Plan Act, this means more emphasis is being placed on cybersecurity now than ever.

Other states adopt the StateRAMP framework

For most states, like North Carolina and Georgia, creating a state-specific framework is too laborious and inefficient. Adopting the established StateRAMP framework makes the initial risk assessment, continuous monitoring and management more seamless and easier.

In fact, in a recent StateRAMP panel, Texas Deputy CISO Matthew Kelly encouraged vendors doing business in multiple states to leverage the StateRAMP framework before a state-specific framework such as TX-RAMP.

If you’ve already been working on FedRAMP compliance, you may be ahead of the game.

FedRAMP authorization makes StateRAMP compliance easier

Companies that do business with the federal government and are already on track for FedRAMP authorization will have an easier time getting through the StateRAMP process, an advantage that stems from the NIST controls both programs are built upon. If your company is in this situation, it will be well worth your time to understand how StateRAMP compares with FedRAMP as articulated in this blog post.

Whether complying with authorization requirements on a state-by-state level, or at the overarching StateRAMP level, it’s important for vendors to start preparing now for when the program becomes more widely required.

Need help with growing your SLED business? Learn more about how immixGroup’s Market Intelligence team can help you.

Want to keep on top of trends in the government marketplace? Subscribe to immixGroup’s Government Sales Insider blog now.
