Cloud 101CircleEventsBlog
CAIQ Lite is now accepted into the STAR Registry! Showcase your cloud security readiness with a simplified assessment. Learn more today!

StateRAMP FAQ

Published 08/15/2024

Originally published by Schellman.


For those wanting to acquaint themselves with StateRAMP, we’ve put together answers to some of the most frequently asked questions we receive as a Third-Party Assessment Organization (3PAO).

These important points of interest regarding this framework are divided into the following sections:

  • StateRAMP Basics
  • StateRAMP Requirements
  • StateRAMP Authorization Boundary Guidance


StateRAMP Basics

What is StateRAMP?

StateRAMP is a required program for cloud service providers (CSP) that want to offer cloud services to the state government and its many departments, bureaus, non-profits, agencies, and organizations.

Though StateRAMP does share some similarities with the FedRAMP program supporting federal cloud security compliance efforts, it does feature some specific particulars that should be noted by any organization considering the program.


What does SLED Mean?

A term that StateRAMP uses often, SLED means “State, Local or EDucation” (Institution).


How Will State Agencies Know My Organization Is StateRAMP Authorized?

StateRAMP, like FedRAMP, has a marketplace that lists CSP organizations that have received an Authorization to Operate (ATO) from a partnering state institution. The StateRAMP marketplace also lists CSPs which are considered StateRAMP authorized through reciprocity with the FedRAMP program.

The marketplace also lists authorized StateRAMP 3PAOs that can perform assessments supporting those authorizations. The good news is that designated FedRAMP 3PAOs are likely also StateRAMP 3PAOs. CSPs can use FedRAMP 3PAOs for StateRAMP if the 3PAO is registered with StateRAMP.


What are the Different StateRAMP Security Statuses?

Organizations can be listed on the StateRAMP Marketplace with a variety of statuses that can all be classified into two categories:

  • In Progress
  • Verified


“In Progress” Statuses

To be listed in progress, you’ll be listed specifically according to the path you’ve chosen to take:

For those who first pursue a Security Snapshot, you can be listed as:

  • Enrolled: I.e., your product(s) are engaged in the Progressing Snapshot Program and you’re working toward their initial Snapshot score
  • Progressing: I.e., your products are enrolled in the Progressing Snapshot Program and you’ve submitted artifacts to receive their Snapshot scores.

For those pursuing Authorization:

  • Active: I.e., you’re engaged with a 3PAO for an independent audit and are actively working toward Ready.
  • In Process: I.e., you’re engaged with a 3PAO for an independent audit and actively working toward Authorized status.
  • Pending: I.e., you’ve submitted a security package to the Program Management Office (PMO) and are awaiting a determination for a verified status.


“Verified” Offerings

To be listed as one of the verified statuses, you must meet different thresholds of security requirements and provide the results of an independent audit conducted by a 3PAO that confirms such:

Verified Status

Details

Ready

What it Means: Your cloud service offering (CSO) meets or exceeds minimum requirements, i.e., Readiness Assessment Report (RAR) approved.

Next Steps: You must still undergo additional security and system validation.

(NOTE: When you become StateRAMP Ready, unlike with FedRAMP Ready, your RAR doesn’t expire after one year.)

Provisional

What It Means: Your CSO exceeds minimum requirements—more specifically, you’ve submitted a security package for consideration and your CSO has been found to meet most but not all security requirements.

* To achieve a Provisional status, any interconnected technology or external services must have a current StateRAMP Security Snapshot, per the StateRAMP Authorization Boundary Guidance.

Next Steps: If you achieve Provisional status, you must comply with continuous monitoring requirements and submit further documentation to obtain Authorized status.

Authorized

What it means: Your organization has completed all security and system validation, the government has accepted your completed security package, your CSO satisfies all requirements, and it has a government sponsor.

Next Steps: You can move forward with providing your CSO to agency sponsors, though you must also maintain compliance with continuous monitoring requirements.


StateRAMP Requirements

How Do I Determine My StateRAMP Requirements?

Like FedRAMP requirements, StateRAMP requirements are taken from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4. (While Revision 5 has been published, StateRAMP is still currently in the process of transitioning to leveraging it; however, any packages submitted after October 1, 2024, will be required to leverage NIST SP 800-53 Revision 5.)

In determining those your organizations must meet, you must first determine your baseline, and that’s based on the data you handle:

  • Low: The ground level that any CSP must meet—requires 153 (at Rev 5) controls for compliance and generally maps to data or systems that involve publicly available data.
  • Moderate: This baseline requires 319 (at Rev 5) security controls for compliance and generally maps to data or systems that involve confidential data or of high criticality to the continuity of government.

If you’re familiar with FedRAMP, you may have noticed the conspicuous absence of a High impact baseline. That’s because—at this time—StateRAMP does not authorize these, as most state agencies fall into the Low or Moderate impact areas. That being said, some CSOs are listed as High impact and those were granted authorization via FedRAMP reciprocity.


Is Penetration Testing Required for StateRAMP?

Yes. And while StateRAMP did release its own penetration testing guidance, it’s the same methodology as that for FedRAMP.


StateRAMP Authorization Boundary Guidance

When obtaining StateRAMP authorization, many of the headaches occur around the Authorization Boundary and diagrams.

Thankfully, much of StateRAMP’s Authorization Boundary guidance is the same or seeks the same goals as FedRAMP. Moreover, StateRAMP has defined what’s necessary to depict within the Authorization Boundary Diagrams, Network Diagram, and Data Flow Diagrams, and by and large, it’s the same as FedRAMP—meaning, the same scrutiny used at the FedRAMP level should be used for StateRAMP.


What Data Types Must Be Included in My StateRAMP Authorization Boundary?

First and foremost, you must account for—and include within the authorization boundary—any data thatis created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for a State, Local, or Education Institution (SLED) customer, in any medium or form that passes within your cloud service offering. Some examples include:

  • Mission-based information
  • Financial management information
  • Human Resources data
  • IT management data
  • Citizen/taxpayer information
  • Third-party supplier information

That being said, SLED data can also be broken down into different categories that may make it easier for you to identify it when preparing for StateRAMP:

Data Type

Details

SLED Metadata

Data that, if compromised, could impact the confidentiality, availability, or integrity of the systems supporting the processing, storage, or transmission of SLED data.

A few examples:

  • Mission-based information types
  • Services Delivery Support information types
  • Government/State Resource Management information types
  • Any other information types as defined in NIST 800-60 Volumes I & II

SLED Metadata Subcategories

SLED Metadata with a Direct Potential Impact on the Mission of Organizations or Individuals

This type of SLED customer metadata must reside within your authorization boundary or the boundary of another StateRAMP-authorized information system at the same or greater Impact Level. Some examples:

  • Security metadata revealing the current security posture of the system
  • Vulnerability information
  • Active incident response information and communications
  • Active threat assessment, penetration test, or security investigation information and communications.

SLED Metadata with an Indirect Potential Impact on the Mission of Organizations or Individuals

This type of SLED customer metadata may be authorized to reside in a system that is fully owned, maintained, and operated by you with approval from the StateRAMP PMO. Some examples:

  • Data revealing system infrastructure, facilities, and design
  • Application names, versions, and releases
  • Application, system, and network configuration information
  • Interconnections and access methods
  • Systems inventories
  • Architecture models, diagrams, and details
  • System security plans, contingency plans, risk management plans, security impact analysis, plans, and roadmaps
  • Personnel security information: information that could be sold for profit
  • Historical SLED entity metadata that previously was considered to have a direct potential impact


What about Corporate Services and Metadata?

Though SLED and SLED Metadata in its different subcategories must be included in your Authorization Boundary, data about processes within the authorization boundary or SLED customers that does not contain security-sensitive information and/or information that if compromised could be a threat to the systems supporting the processing and storage of SLED data, SLED metadata or SLED personnel data.

For example:

  • IT utilization and performance data
  • Project planning information
  • Marketing materials
  • Pricing data

External systems processing or storing corporate metadata may have active connections to the authorization boundary, but all connections must be examined, and the type of information transmitted in the connection must be validated by the 3PAO during initial authorization and during the annual assessment to ensure the data types do not reflect more sensitive data.

Again, only those corporate systems and services that do not contain SLED data or metadata may exist outside of the authorization boundary—any that do contain that information must meet the same security requirements that your CSO must meet and be brought into the scope of your assessment.


How Do I Account for External Services/Interconnections within My StateRAMP Authorization Boundary?

An interconnection is the use of another information system or cloud system to share data and other resources—that includes external services used to support the system. While StateRAMP encourages CSPs to leverage other StateRAMP service providers—as well as FedRAMP-authorized services—you aren’t forced to do so.

That being said, if you do choose to leverage an external service without a StateRAMP status of Authorized or a FedRAMP authorization, you should know that:

  • You will be limited to obtaining a Provisional StateRAMP authorization. Moreover:
  • Your leveraged service must undergo the StateRAMP Snapshot process and you’d be limited to a Provisional status until all external systems and services are StateRAMP authorized.

(Your letter awarding the Provisional status will include a list of controls and/or third-party systems that must be remediated before you can be awarded full authorization.)

  • For you to achieve full Authorization, your external services must:
    • Achieve StateRAMP or FedRAMP authorization; or
    • You must move the product or service into the authorization boundary; or
    • You must discontinue the use of the unauthorized service and move to a product with a current StateRAMP or FedRAMP authorization


How Do I Depict all this into My Diagrams?

Luckily, StateRAMP adopted a very similar set of guidelines for Authorization Boundary, Network, and Data Flow, and you can find all the particulars here.

Share this content on your favorite social network today!