Forge your path to StateRAMP
Introducing the State Risk and Authorization Management Program (StateRAMP) – a cutting-edge initiative forged in the spirit of the legendary FedRAMP®. StateRAMP brandishes its digital katana, slicing through the chaos of cybersecurity to establish a uniform protocol for assessing, authorizing, and constantly monitoring cloud service providers (CSPs) in the realm of state and local governments. To enter the hallowed halls of government contracts, a CSP must demonstrate the strength and precision of a cyber-samurai, ensuring their digital defenses are unyielding and impenetrable, capable of safeguarding client infrastructures.
Enter bladestack.io, the master sensei of StateRAMP authorization. With unparalleled expertise and seasoned guidance, bladestack.io prepares CSPs for the trials ahead, honing their skills and transforming them into formidable cyber-warriors. By achieving StateRAMP authorization, CSPs unlock the coveted treasure trove of state and local government agency revenue streams, ascending to new heights in the cybernetic landscape.
"You must understand that there is more than one path to the top of the mountain." – Miyamoto Musashi

Our cyber-samurais hold the top industry-recognized certifications. We are prepared to cut, slice and dice through the cyber fog of war to ensure you come out on top.

StateRAMP Advisory
bladestack.io advises clients on achieving StateRAMP authorization using a proven, time-tested methodology and established subject matter expertise, enabling our clients to go to market faster and more securely while using internal resources more effectively.
As a critical partner in the development of the program, bladestack.io has insider knowledge of the emerging StateRAMP ecosystem. We maintain a strong relationship with StateRAMP’s executive leadership and PMO. This unparalleled knowledge base covers every angle for meeting security requirements for state and local governments.
In addition, we have leveraged our experience as a leading FedRAMP advisory firm to develop custom StateRAMP solutions for clients. Our comprehensive, turnkey StateRAMP security packages are assessment-ready and offer actionable steps to get you to market and achieve a faster return on your security investment.
Gap Assessment
In the StateRAMP realm, a FedRAMP-recognized 3PAO is essential for the official assessment. Begin your quest with bladestack.io's Gap Assessment, which uncovers your cloud service offering's security and compliance gaps before a 3PAO ever looks at it. Together, we'll fortify your digital defenses and conquer StateRAMP compliance.
- Overview of the StateRAMP program – unraveling the stages of StateRAMP
- The role of Third Party Assessment Organizations (3PAOs)
- Swift tactics to pinpoint obstacles hindering StateRAMP authorization
- Authorization boundary scrutiny and verification
- Preliminary assessment of each security control's implementation status against the pre-defined baseline
- A cost-efficient path to forge your StateRAMP roadmap for authorization
Advisory
StateRAMP is a meticulous and intricate journey. Your team might be unprepared to navigate the complexities of readying your environment for assessment. bladestack.io, as your cyber-samurai ally, can step in and help you orchestrate a strategy to forge the essential artifacts for a StateRAMP assessment.
- Readiness endeavors to uncover gaps and execute remedial measures
- Crafting a StateRAMP security package, encompassing (but not limited to):
- System Security Plan
- Contingency Plan
- Configuration Management Plan
- Incident Response Plan
- Reinforced authorization boundary scrutiny and verification during package development
- Seamless program development, preparing your cloud service offering for assessment by a 3PAO
Assessment
Want to hone your organization and Cloud Service Offering (CSO) for the ultimate test? bladestack.io, your cyber-samurai guide, will conduct a mock assessment of your cloud service against StateRAMP criteria (note: we solely provide advisory services and do NOT perform official 3PAO assessments), empowering your organization and stakeholders for the decisive battle!
- Comprehensive mock assessment of the authorization boundary for the cloud service offering
- Assessment consists of the following activities:
- Security Assessment Plan, Security Assessment Report
- Control Assessments
- Vulnerability Scans (operating systems, web applications, network devices, and databases)
- Penetration Test
- Assessment results are then used to remediate findings and to train and prepare your team for the actual 3PAO assessment
Continuous Monitoring
StateRAMP's vigilance endures beyond assessment and authorization. Continuous monitoring (ConMon) requirements safeguard the system's security posture over time, and bladestack.io, your cyber-samurai companion, stands ready to help you meet these steadfast requirements.
- Process for maintaining the authorization once it has been granted
- Includes weekly, monthly, quarterly, and annual checkpoints
- Control assessments and penetration tests are performed annually, or more frequently when a significant change request is introduced
- Vulnerability scans are performed monthly, with reporting provided to the StateRAMP PMO each month based on the results of those scans
- Requires meticulous oversight and proper staffing levels to ensure the security posture of the offering does not degrade over time

Why bladestack.io ?
- bladestack.io, like a pioneering cyber-samurai, has been at the vanguard of StateRAMP's genesis. As members of both the steering committee and the standards and technical committee, we continue to shape the future of the program, one victorious battle at a time.
- As trailblazers in the digital arena, we are among the first advisory firms to have been granted StateRAMP accreditation, and more of our clients appear on the StateRAMP Authorized Vendor list than those of any other advisory firm.
- Our guidance has supported every system that has achieved StateRAMP authorization, showcasing the unwavering dedication of bladestack.io's cyber-warriors.
- 68% of StateRAMP Ready systems have been forged in the crucible of bladestack.io's expertise, a testament to our standing as the leading StateRAMP advisory firm.
Navigating StateRAMP
StateRAMP is a non-profit organization that emerged in early 2021 with the objective of establishing a standardized approach to cloud cybersecurity authorization specifically for State and Local governments. You might wonder why another governing body is needed when a proven framework like FedRAMP already exists. Just as cyber-samurais have their own unique blade styles, each industry and governing body needs its own approach to ensure security and compliance for its constituents. The StateRAMP program gives CSPs the opportunity to demonstrate solutions tailored specifically for State and Local governments, so CSPs should keep a close eye on StateRAMP for future business opportunities in this rapidly growing market.
StateRAMP vs FedRAMP
The question on everyone's mind is: why bother with a StateRAMP program when FedRAMP and other frameworks already exist? One could argue that the same question could be asked of CMMC and similar programs. While FedRAMP was developed with the Federal Government and its downstream contractors in mind, StateRAMP was created to serve the distinct needs of State and Local Governments, while keeping the common thread of NIST SP 800-53 as its control catalog.
One significant challenge we've observed is that a CSP's FedRAMP authorization package, including its ConMon deliverables, is shared only with Federal agencies, depriving State and Local entities of the insight and ongoing visibility they require.
"Without FedRAMP authorization, State and Local entities are left in the dark without the necessary visibility into the authorization package (inclusive of ConMon)."
Despite sharing the same NIST SP 800-53 foundation, there are a few key variables to consider, as outlined below.
In the age of cybernetic samurais and dystopian megacities, it's essential to stay ahead of the game and adapt to changing circumstances, such as the distinct security and procurement challenges faced by State and Local Governments. The StateRAMP program therefore offers a promising opportunity for CSPs to showcase their solutions and gain a foothold in this burgeoning market.
Your organization has two primary paths to StateRAMP authorization. The first is for a cloud service offering that has no existing FedRAMP ATO; the second is for a cloud service offering that already holds a FedRAMP ATO and qualifies for the accelerated StateRAMP Fast Track.
StateRAMP Authorization
(No FR Authorization)
The StateRAMP authorization process begins with becoming a member of the StateRAMP Governing Body and engaging a 3PAO to prepare for StateRAMP Ready status. The next steps are achieving StateRAMP "Active" status in the Marketplace, securing a sponsoring government entity, the 3PAO assessment, StateRAMP PMO review, and the sponsoring government's review. At that point, either StateRAMP "Authorized" or StateRAMP "Provisional" status is granted in the Marketplace. Post-authorization, the CSP must keep up continuous monitoring, quarterly POA&M submissions, and an annual assessment.
Planning:
- StateRAMP Membership: Become a member of the StateRAMP Governing Body
- StateRAMP 3PAO Engagement: Engage with a 3PAO in preparation for StateRAMP Ready
- StateRAMP "Active" Status in the Marketplace
In Process:
- Sponsorship Engagement: State, Local, Tribal, Government Agency or Higher Ed Engagement
- StateRAMP 3PAO Assessment: Undergo 3PAO Assessment
- StateRAMP "In Process" Status in the Marketplace
- StateRAMP PMO Review: StateRAMP PMO Review, with the intent to be approved
- Sponsoring Government Review: Government review, with the intent to be approved
- StateRAMP "Authorized" Status in the Marketplace OR StateRAMP "Provisional" Status in the Marketplace
Ongoing:
- Post-Authorization: Ongoing Continuous Monitoring (Monthly ConMon, Quarterly POA&M)
- Annual Assessment
StateRAMP Accelerated (Fast Track)
Great news for CSPs with an existing FedRAMP ATO: the work behind that authorization can be reused toward StateRAMP authorization with a few additional steps. The process involves a review of your package and negotiation of reciprocity terms, but your existing FedRAMP ATO serves as a valuable asset on the way to StateRAMP authorization.
CSPs with a Current FedRAMP Ready/Authorization:
- StateRAMP Membership:
- Become a member of the StateRAMP Governing Body
- Engage the StateRAMP PMO:
- Engage the StateRAMP PMO for a security package review (pay fee)
- Complete Required Documentation:
- Submit the required security package, including 90 days of ConMon data, using the StateRAMP templates
- Note: StateRAMP 1 maps to FedRAMP Low, StateRAMP 2 maps to FedRAMP Moderate, and StateRAMP 3 maps to FedRAMP High
You will either go into Ready Review or Authorization Review
- Ready Review:
- StateRAMP PMO Reviews Ready Status
- Authorization Review:
- StateRAMP PMO Reviews Authorization Status
In Process:
- StateRAMP PMO Review/Feedback:
- StateRAMP PMO reviews and provides feedback with the intent to get approval
- You will either go into
- StateRAMP "Ready"
- StateRAMP "Authorized"
- StateRAMP "Provisional Authorization"
- Leveraged StateRAMP Authorizations
- State, Local, Tribal Government leverage authorizations
Ongoing
Post-Authorization:
- Ongoing Continuous Monitoring (Monthly ConMon, Quarterly POA&M)
- Annual Assessment
Note: This accelerated timeline assumes that you already hold a FedRAMP Authorization.
Unsheathe your BLADES.
Contact us to get started. The first step is a one-hour introductory and readiness session to understand your business landscape and gather technical details, while also making sure that we're a mutual fit. We also offer unbilled follow-up calls if you have additional questions or need consulting advice as you gear up for the StateRAMP marathon.
Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick-off with a dedicated senior-level team within two to three weeks of contract signature.