The year 2023 saw several developments regarding the Federal Risk and Authorization Management Program (FedRAMP) and the State Risk and Authorization Management Program (StateRAMP).
To describe both programs and answer some basic questions about FedRAMP and StateRAMP, I asked Jason Oxenhendler, a cloud security expert with experience in both programs, whether he would be willing to talk with me about key questions in cloud security compliance.
Jason is currently Vice President of Cloud Compliance at Merlin Cyber. Previously, he worked for approximately six years with Coalfire as a FedRAMP/StateRAMP/NIST director and subject matter consultant.
I have worked with Jason for several years on the StateRAMP Technical Committee, and he brings a wealth of knowledge and experience to all FedRAMP and StateRAMP topics.
Dan Luhrmann (DL): You've worked in government technology compliance regulations for most of your career. In your opinion, why are these security systems important?
Jason Oxenhendler (JO): Thank you for pointing out that I'm old, Dan.
I began performing certification and accreditation evaluations starting with NIST 800-26. Go look it up if you're interested.
Regulations are not only important, they are critical. If public and private industry continues to make security an afterthought and not among their top five priorities, the amount they will pay initially will not even measure what they will pay for lawsuits. There must be security in everything. Period. It should have its own line item in the annual budget. Given the day and age we live in, in my honest opinion, security is no longer an option.
DL: How has the FedRAMP program evolved since it first became required for federal agencies?
JO: The biggest change is that this once-small program that came out of the second floor of the General Services Administration (GSA) at 18th and F in D.C. is now law. This is a fantastic achievement and I was delighted to spend three years on the Joint Authorization Board (JAB) representing the GSA.
FedRAMP 2013 and FedRAMP 2023 are two completely different types of FedRAMP. The current incarnation, like everything else, has its bumps and bruises, but there are a lot of smart experts on the subject at the PMO, GSA, the Department of Homeland Security (DHS) and the Department of Defense (DoD) who are working on licensing. FedRAMP is now more efficient, and I suspect that now that it becomes law, it will become even more efficient.
In the past, information system security officers (ISSOs) served as intermediaries between the JAB and the CSP. I was one of the ISSOs who then became the JAB-TR for GSA to review continuous monitoring packages for approved providers. I love FedRAMP. I made a career out of it. It's not for the faint of heart. It has an appropriate security balance based on the types of data flowing in and out of the system. It requires time, patience, money and people. It's a commitment.
When I was leading gap analyses at a previous job, I was always asked, “How are we supposed to do this? The costs are astronomical. Do you know what my CFO would say?” I would politely acknowledge real, honest concerns. I did. I do. I still do. However, I've never heard a CFO complain about a company's return on investment now that its pipeline is strong.
DL: How is StateRAMP similar to FedRAMP?
JO: The concepts are the same: do once, use many times. The basic lines of control are mostly similar except for the details centered around the federal government. The goals are the same as far as raising security standards to prevent bad actors from wreaking havoc in government and industry. There are sponsors: federal agencies for FedRAMP and state/local governments/educational institutions for StateRAMP. FedRAMP to me is the gold standard in the civilian world. To see how StateRAMP turned out to be a program, it happened very much like FedRAMP. It started slow, but it gradually escalated.
DL: How is StateRAMP different from FedRAMP?
JO: Well, the obvious thing is that StateRAMP targets the SLED market while FedRAMP targets the federal government. I would say the biggest difference, and I hope this changes in time, is that there is no reciprocity between StateRAMP and FedRAMP. With a FedRAMP Authorization to Operate (ATO) package, a service provider can apply through the StateRAMP Fast Track program and, after review of the receipt and package, the service provider will receive a StateRAMP ATO. However, if you have a StateRAMP ATO, this means that you have undergone either a StateRAMP Ready assessment or a full StateRAMP assessment; providers cannot obtain FedRAMP Ready or a FedRAMP ATO that way. After attending the StateRAMP Summit a few months ago and hearing positive feedback from key security players in the federal government, I'm hopeful this will come to fruition at some point.
DL: What are the biggest changes you see coming to StateRAMP in the next year?
JO: Growth. Adoption. More growth and more adoption. State and local governments and educational institutions can no longer say, “There's no platform we can implement to guide or help us”; there is. It's powerful, practical, crystal clear and ready to use. So I encourage everyone to start looking at StateRAMP. When all 50 states turn one color on the adoption map, it will be a momentous occasion.
DL: How do you respond to a government leader who believes StateRAMP requirements are too expensive or too bureaucratic to implement (with too much paperwork)?
JO: Security is not an option. It is a requirement. If there's no provision in your budget for it, don't complain when your organization is on the front cover and front page of The Washington Post. You have to spend money to make money. It's an investment. Implementing StateRAMP would be much less expensive than paying lawyers hourly.
DL: I've worked with many different providers. Can you describe the different roles played and services available to assist both governments and businesses seeking StateRAMP accreditation?
JO: The advice is the same: do your due diligence. StateRAMP is very achievable and FedRAMP is achievable as well. But it requires money, people, planning, and an executive sponsor. The FedRAMP and StateRAMP websites are great sources of information, as are the PMOs involved. If you are strategic about implementing either framework, the end result will speak for itself.
DL: Is there anything else you'd like to add?
JO: It's time to make security a priority. I'm in the middle of reading your book, and the opening scenario is enough to make a CIO or IT manager have a panic or anxiety attack. Bad actors won't go away. It's a simple concept. We can't control what they do, but we can control what we do, and this is really a call to action for everyone: industry, government, education, literally everyone, to make security a priority. Even at home… How many of you have never changed your router password from the default? Make security a priority.