Interview with StateRAMP Representatives: Expert Insights and Best Practices for Compliance

  • November 23, 2023

Emily Bonnie

Senior Content Marketing Manager at Secureframe



Nonprofit Organization

The first half of 2023 saw an 8% surge in global weekly cyberattacks — the largest jump in two years. Given the alarming frequency and increased sophistication of threats, there is a significant need for state, local, and education government organizations (SLEDs) to have complete assurance that their third-party vendors have sufficient information security practices in place to protect sensitive data. StateRAMP meets this critical need by offering SLEDs and the cloud providers that serve them with third-party verification of a strong security posture. 

Launched in 2021, StateRAMP is a relatively recent addition to the cybersecurity landscape. To help organizations understand the framework’s benefits and the verification process, we spoke with officials from the StateRAMP organization who shared their expertise. 

We recently had the opportunity to interview Rebecca Kee, Senior Government Engagement Director at StateRAMP, and Liz Huston, Program Manager at StateRAMP, to learn their best practices and advice for organizations pursuing verification. They cleared up common misconceptions, shared insights into current trends and practices, and offered expert guidance to help organizations prepare for StateRAMP verification. 

What common misconceptions do you encounter around StateRAMP and the verification process?

Liz immediately called out cost as a major misconception. She said, “Many organizations assume that it will be prohibitively expensive to get StateRAMP verified. We’ve taken steps to reduce cost barriers, especially for smaller businesses, with measures such as tiered membership pricing.” 

For Rebecca, a key misunderstanding is around how StateRAMP relates to FedRAMP. “There is a common misconception that FedRAMP and StateRAMP are interchangeable, or that FedRAMP has a more restrictive control set than StateRAMP. Both FedRAMP and StateRAMP use the NIST 800-53 control set, and the 3PAO are the same assessors that are certified by the federal government program. They are assessing essentially the same controls in the same manner,” she explained. 

“The most significant difference is that with FedRAMP, state and local governments don’t have access to continuous monitoring reports. With StateRAMP, state and local governments can now get the same level of insight and risk assessment without having to rely on organizations with FedRAMP-ready status. The differences are in reporting and lines of communication, rather than on different organizational or control parameters.”

What trends or changes are you seeing with organizations that are pursuing StateRAMP verification? 

“Historically we had seen a lot of organizations that already had FedRAMP or government authorization come through our Fast Track program. Since we introduced our Security Snapshot, we’ve seen an increase in IaaS, SaaS, and PaaS companies pursuing StateRAMP verification first, even before FedRAMP,” Liz shared. “With the Snapshot tool, they’re able to get a clear picture of where they stand in terms of compliance and exactly what they need to do, which has really opened the door to a wider variety of organizations.” 

How many organizations are StateRAMP compliant? 

Liz shared that, “Approximately 250 members have joined the StateRAMP organization, and 86 of those organizations are currently on our Authorized Product List.” 

Does StateRAMP currently leverage automation in any of its processes? 

“With the Security Snapshot, organizations submit control evidence and monthly continuous monitoring reports. Our PMO team then manually reviews everything — but we are looking into leveraging automation in the future to streamline the process,” Liz commented.

What advice do you have for companies that may need to be compliant with multiple RAMP frameworks (i.e., TX-RAMP, StateRAMP, and FedRAMP)? 

Rebecca offered some key advice for organizations managing compliance across multiple government frameworks. She said, “My initial question would be: where are you doing business, and with whom? If you plan to do business outside the state of Texas, our advice would be to get StateRAMP verified. We automatically send criteria for organizations that are StateRAMP verified to TX-RAMP. Unless you’re doing business with the federal government, there’s no need to do FedRAMP. That said, if you’re already FedRAMP Ready, you can leverage the StateRAMP Fast Track program to expedite the process of getting StateRAMP verified.”

What guidance would you give an organization that’s trying to decide if they should pursue verification status with or without a government sponsor? 

“StateRAMP is designed so that you don’t need a government sponsor, even if your organization is pursuing Authorized status,” Rebecca explained. “If you happen to have a government sponsor that’s great, but if you don’t you can go through the Approvals Committee. The only reason to appoint a government sponsor is if you’re working with a government that requires one.” 

Many states have passed or introduced their own data privacy laws. How does that affect StateRAMP? Will StateRAMP introduce additional requirements to account for new privacy legislation? 

According to Rebecca, “It will likely depend on the state. Some states have passed code that is directly related to StateRAMP and other standards, even if the code doesn’t explicitly call out StateRAMP. Many other states are passing code that StateRAMP already satisfies. Still others are operating with the understanding that the state Chief Information Officer has the necessary authority and they don’t need to pass additional code. Every state is different.”

“We’re currently working with several states to determine things like, do they have a vendor assessment process in place? Is StateRAMP going to replace or augment that process? At this point, most states ultimately want to require StateRAMP in some form but are still trying to figure out how to implement the framework to best fit their needs,” she explained.

Get StateRAMP ready with Secureframe

Our leading GRC platform is built to help organizations navigate and streamline complex security and privacy compliance efforts. Here are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks like StateRAMP: 

Government and federal compliance expertise

Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step. 

Integrations with federal cloud products

Secureframe integrates with your existing tech stack, including AWS GovCloud, to automate infrastructure monitoring and evidence collection.

Trusted 3PAO partner network

Secureframe has strong relationships with respected auditing firms that are certified Third Party Assessment Organizations (3PAOs) and can support StateRAMP and other federal audits such as FedRAMP, CMMC, and CJIS. 

Cross-mapping across frameworks

NIST 800-53 has many overlapping requirements with StateRAMP, NIST 800-171, FedRAMP, CJIS, and other federal frameworks. Instead of starting from scratch, our platform can help map what you’ve already done for StateRAMP to other frameworks so you’re never duplicating efforts. 

Continuous monitoring

By monitoring your tech stack 24/7 to alert you of non-conformities, Secureframe makes it easier to maintain continuous compliance. You can specify test intervals and notifications for required regular tasks to maintain StateRAMP compliance. You can also use our Risk Register and Risk Management capabilities to support your continuous monitoring efforts and POA&M maintenance. 

To learn more about how Secureframe can help you comply with StateRAMP, FedRAMP, and other rigorous frameworks, schedule a demo with a product expert.