The Federal Risk and Authorization Management Program (FedRAMP) “do once, apply many times” approach to security assessment offers value outside of the federal government sector. Though FedRAMP was intended to apply to federal agencies, state agencies can benefit from this framework when vetting cloud vendors.
How Does FedRAMP Apply to State Agencies?
One proponent of state agencies using FedRAMP is the IT Alliance for the Public Sector (ITAPS). In its States Cybersecurity Principles and Best Practices document, it’s stated that state agencies should: “utilize FedRAMP certification to better inform their acquisition of quality cloud products and services. When looking to standardized cybersecurity, states should avoid trying to reinvent the wheel, and should instead embrace existing standards developed by industry and leading professionals.”
Meanwhile, Matt Goodrich, director at FedRAMP, also weighed in on the topic of state agencies’ use of the framework. As reported by GCN, Matt Goodrich stated at a June 2017 event: "FedRAMP sets the bar for how to protect federal data when it resides in cloud environment, and GSA believes that state and local governments can leverage this security standard for comparable needs at the local level."
How Can State Agencies Leverage FedRAMP?
While state agencies can apply the FedRAMP framework in their cloud vendor assessments, and are often encouraged to do so, unlike their federal counterparts they are not permitted to directly review FedRAMP security documentation via OMB MAX. Instead, according to FedRAMP.gov, state agencies can engage with FedRAMP Authorized vendors, like collab9, to review their FedRAMP security documentation. (Contact us with related questions or inquiries.)
Why Should State Agencies Leverage FedRAMP?
State agencies can take advantage of the same benefits cited by their federal counterparts. It’s estimated that agencies can save 30-40% on their vendor assessments, in addition to time and labor costs. Beyond the efficiency of the “do once, apply many times” framework, agencies can place more confidence in the security of their cloud vendors. In order to achieve Authorization, vendors are subject to over 325 controls (for moderate impact levels) as outlined by the National Institute of Standards and Technology in its SP 800-53 rev 4 documentation.
Additional Resources for State Agencies
You may also be interested in this article “Three Reasons Why State and Local Government Can Benefit from Hosted UC.”