Comparing FedRAMP and StateRAMP

For Cloud Service Providers (CSP) hoping to win business with federal, state, and local government entities, their product(s) will likely need to be authorized by either FedRAMP or StateRAMP. In this article, we will break down the similarities and differences between the two cybersecurity frameworks.

What is FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a risk-based approach to adopting and using cloud services by the federal government. In 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. FedRAMP is the cloud arm of the Federal Information Security Management Act (FISMA).

CSPs that want to make Cloud Service Offerings (CSO) available to federal agencies must have a FedRAMP designation.

What is StateRAMP

StateRAMP is essentially FedRAMP but for state and local governments. StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service, third-party assessment organizations, and government officials. The list of governments and educational institutions that recognize StateRAMP standards can be found here.

As you would expect with the two frameworks focused on cloud security, there are some overlapping characteristics and requirements.

NIST 800-53

Both FedRAMP and StateRAMP use the NIST SP 800-53 security controls and include parameters and guidance above the NIST baseline that address the unique elements of cloud computing.

3PAO Audits

FedRAMP and StateRamp both require organizations to have assessments conducted by an approved Third Party Assessment Organization (3PAO) to achieve their security status.

Continuous Monitoring

Both frameworks have continuous monitoring requirements.

FedRAMP-authorized providers must maintain and validate the security posture of their services through vulnerability management, including monthly operating system, database, and web application scanning reports. They also need to conduct an Annual Assessment and report incidents. Providers that use the Joint Authorization Board authorization process must use a FedRAMP-recognized 3PAO for annual assessments. A 3PAO is recommended, but not required, for the Agency Authorization process.

StateRAMP-authorized service providers must work with a StateRAMP-approved 3PAO for annual assessments of their system and to evaluate the impact of some significant changes made by the service provider to its system, platform, and service offering.

FedRAMP and StateRAMP: Authorization Differences

CSPs will need to follow different paths depending on whether they want to get their CSOs authorized and listed on the FedRAMP marketplace or StateRAMP Authorized Products List.

FedRAMP Authorization

There are two approaches available to providers seeking FedRAMP authorization, authorization through the Joint Authorization Board (JAB) or authorization through an agency.

The JAB selects approximately 12 cloud products to authorize each year through a process called FedRAMP Connect. CSPs interested in working with the JAB are required to review the JAB Prioritization Criteria and Guidance document and then complete and submit the FedRAMP Business Case.

For the Agency Authorization path, a CSP needs to find a federal agency to sponsor their CSO. CSPs will work with their sponsorship agency to pursue an Authority to Operate (ATO) and will work with the agency throughout the FedRAMP Authorization process.

StateRAMP Authorization

To become StateRAMP authorized, CSPs need to go through a multiple-step process that includes:

• Become a StateRAMP member
• Complete a StateRAMP Security Snapshot
• Identify Impact Level and Desired Status
• Select a 3PAO
• Complete the required documentation
• Submit a security review request

StateRAMP authorization is possible without a government sponsor. The StateRAMP Approvals Committee can serve in the place of a sponsor for CSPs who don’t have one.

The StateRAMP Fast Track program allows products that have FedRAMP Ready status to bypass the audit, allowing for the authorization to take weeks instead of months.

FedRAMP Authorization Statuses

The FedRAMP Program Management Office (PMO) defines three official designations for CSOs:

FedRAMP Ready

A designation provided to CSPs that indicates that a FedRAMP-recognized 3PAO attests to a product’s security capabilities and that a Readiness Assessment Report (RAR) has been reviewed and deemed acceptable by the FedRAMP PMO.

FedRAMP In Process

A designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.

FedRAMP Authorized

A designation provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency.

StateRAMP Authorization Statuses

StateRAMP has six security status designations between its Authorized (verified) Product List and Progressing Products List.

Verified Offerings: Ready, Authorized, and Provisional

To be verified, the provider must meet minimum security requirements and provide an independent audit conducted by a 3PAO. StateRAMP recognizes three verified statuses: Ready, Provisional, and Authorized. Ready meets minimum requirements, Provisional exceeds minimum requirements and includes a government sponsor, and Authorized satisfies all requirements and includes a government sponsor.

Progressing Offerings: Active, In Process, and Pending

StateRAMP recognizes offerings in the process of working toward a verified offering. For an in progress listing, the provider must be engaged with a 3PAO for an independent audit. The in-progress statuses include Active, In Process, and Pending. Active is working toward Ready, In Process is working toward Authorized, and Pending has submitted a security package to the PMO and is awaiting a determination for a verified status.

Unlike FedRAMP, StateRAMP Ready statuses do not expire. Providers do not have to have a contract with governments to receive a Ready or Authorized status. FedRAMP gives providers 12 months once they achieve Ready to find an agency sponsor to become Authorized.

CompliancePoint has a team of cybersecurity professionals that can help your organization achieve the NIST 800-53 compliance required for FedRAMP and StateRAMP authorization. Contact us at connect@compliancepoint.com to learn more about our services.