FedRAMP and StateRAMP continue to align on cyber security
May 9, 2023
By Chauncey Kehoe, Contracts Manager, State, Local, and Education

Recent federal legislation is driving states to follow suit with similar cyber regulation.
During the last few years, we have highlighted the importance of StateRAMP as it pertains to infiltrating the SLED market and staying ahead of contract requirements. Now those things will be made easier with StateRAMP’s new Security Snapshot. For those manufacturers who have not yet received StateRAMP Verified status, you can leverage the StateRAMP Security Snapshot for a small fee and understand your product’s maturity level.
The StateRAMP Security Snapshot is an affordable option for manufacturers who are preparing for the StateRAMP process but may need more time to financially plan. According to StateRAMP, the intent of the Security Snapshot is to offer providers a first step toward achieving a verified StateRAMP security status. The criteria are designed to provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for StateRAMP Ready, including controls and select additional requirements that would have a significant impact on the state of the system.
StateRAMP Security Snapshot
Applicable for products that have not yet achieved StateRAMP verified status:
- $500 for providers with less than $1 million in annual revenue.
- $1,000 for providers with annual revenue of $1 to $5 million.
- $1,500 for providers with annual revenue greater than $5 million.
For more information on StateRAMP’s fee schedule, visit https://stateramp.org/wp-content/uploads/2022/12/2023-StateRAMP-PMO-Fee-Schedule.pdf
FedRAMP and StateRAMP updates
Just recently the federal government codified the FedRAMP program as law. In short, this provision allows agencies to recognize a FedRAMP Authorization to Operate (ATO) without the process of issuing their own ATO. What does this mean? It means that government customers can trust that the product they are purchasing has been approved through the FedRAMP program instead of explicitly accepting the risk based on their own judgment.
It should not come as a surprise that StateRAMP is also working toward the same thing but for their state, local and education (SLED) agencies. For a list of participating SLED agencies please visit https://stateramp.org/participating-governments/
Significance of this change
Our March 2022 blog post stated it perfectly, “StateRAMP is here to stay. Are you ready?” Here are a few reasons why you should care about StateRAMP:
- As a manufacturer selling to SLED markets, you will demonstrate to your government customers that you care about their security concerns and that you are ready to work with them now — not 6 months from now — once you are StateRAMP authorized.
- Standardized security requirements are going to continue to be added to SLED and cooperative contract RFPs as a minimum requirement for response.
- StateRAMP has reciprocity with other state-specific RAMP programs such as TX-RAMP. You can expect to see this trend with other states as they develop their own standardized security requirements.
Chauncey Kehoe is contracts manager for state, local and education (SLED) for immixGroup, the public sector business of Arrow Electronics. Delivering mission-driven results through innovative technology solutions for public sector IT. Visit http://www.immixgroup.com/ for more information.