StateRAMP The Easy Button for Security Innovation
Joining the podcast this week is Joe Bielawski, founding member of StateRAMP and President of Knowledge Services and StateRamp Executive Director Leah McGrath. If the name sounds somewhat familiar – like FedRAMP – it should because StateRAMP helps to meet the growing need in state and local government to manage third party risk and efficiently verify cloud security.
StateRAMP has an incredible wealth of resources and tools - such as security maturity assessment tool Security Snapshot - that help bring innovation to state/local governments faster. And in just a couple years StateRAMP is already working with 17 states. For those interested in learning more or taking advantage of the awesome resources this organization delivers visit their website at stateramp.org.
StateRAMP The Easy Button for Security Innovation
[0:45] StateRAMP’s Target Market
Rachael: We are talking about StateRAMP and we've got Joe Bielawski here. He is a founding member of StateRAMP and President of Knowledge Services. Also joining us is StateRAMP Executive Director, Leah McGrath. Both of them have been involved the organization since its formation and about 2020. I want to start at the beginning. How do you feel about that Petko?
Petko: I think it sounds great because when I hear StateRAMP, everyone's going to say, wait, is that different from FedRAMP, and how is it related? Joe, Leah, can you guys talk to us about StateRAMP, how it came about and what the goal of StateRAMP is and what need it fills?
Joe: I'm with a company that has a software as a service product that also is responsible for PII, PHI, PCI information of citizens. And back in 2000 and call it 16,17, we started talking about the risks to us and our cloud solution. Started talking about Anthem and Target and all of these data breaches. And so we wanted to differentiate ourselves from other solutions in the market and wanted to get a third party to verify our NIST 800 status. We started looking around and realized there really wasn't one available and certainly not one that government recognized, state and local government, which is our target market.
We Need StateRAMP
Joe: The only one that was available that we realized or saw was FedRAMP. And so we went down the FedRAMP authorization path beginning in 2019. Believing that we were going to go marching back into state and local government CISO and CIO offices and procurement official offices saying, "Look at this. Aren't you happy that we're secure"?
Procurement was struggling with, "Well that's great, but how do I verify if I realize you're verified, but how do I verify others? The policy's there, but I don't have the staff. I don't have the budget to bring cybersecurity experts on board". So long story short, we were out in Arizona the second week of March 2020 and talking to JR Sloan, the CIO. We talked about cybersecurity and the challenges that the State of Arizona was having.
They had begun spinning up what they were referred to AsRAMP or AzRAMP. JR looked at me and said, "You know what we really need, Joe is StateRAMP". Unbeknownst to him, we had already begun putting a model together. But that meeting, which was the last meeting he had before the pandemic, that really launched StateRAMP as we know it today.
The need for it really is that state governments are unable to use FedRAMP. Because it requires that you have a federal contract to maintain the FedRAMP authorization. And as Doug Robinson with NASCIO, well National Association of State CIOs will tell you, if you've seen one state, you've seen one state. They're all different and different policies, different procurement codes, et cetera.
What Is StateRAMP?
Joe: So it really took a change agent like JR Sloan in government to say, "This is something I can get my arms around and help foster this". And over the course of the pandemic 2020, we put thousands of hours in and dozens of government leaders and private sector cybersecurity experts that came together and really formed what we know today, which is a public-private partnership called StateRAMP.
Rachael: I love it. I love things coming out of a need. And I think the timing too is so fortuitous. COVID then digital transformation acceleration by factor, what, five, seven years, Petko. I can't remember what it was, but wow. Great timing for that to come together. So needed.
Petko: So can I ask, if a state today, let's say Ohio or Texas, one who wants to use FedRAMP, they go on the website FedRAMP. They say, "Oh, here's the things that are FedRAMP." But they don't have access to a lot of the documentation and things that go behind it. What's the main difference between StateRAMP and FedRAMP just from, I guess from the way a customer like a state will look at it? Or a way a vendor might look at StateRAMP versus FedRAMP. I want to make sure we get down to the meat of the differences.
Leah: That's great question. I want to just answer it from a government perspective. Then I will answer it from a provider perspective if that's okay. And I'll say from a government perspective, I came at this having served in local government and the needs and the challenges Joe just described, exist at the local level as well.
StateRAMP From Local Government's Perspective
Leah: And so that's so great that this has the ability to help serve all the different levels of government outside of the federal government. But if you are working with StateRAMP or you're interested in, like you said Petko, if I'm with a government agency and I want to use a FedRAMP product, your option is to go to the FedRAMP marketplace and see who's out there.
But there are some gaps. Governments don't have access to the documentation or the continuous monitoring of those products. And as we know in cybersecurity, that information sharing and that ongoing communication is actually what's so critical. Not just the one-and-done audit or the one-and-done verification. But what's happening on an ongoing basis.
The other challenge there is that especially having come from local government, at state and local government, the vast majority of the products that are used in state and local government are not federal authorized. They're not even offered at the federal level. Because those products that have a FedRAMP authorization are only those products that are used by the federal government.
So that's the other gap that we talked a lot about during the steering committee days in 2020 was how do we fill that gap? How do we meet that need that exists? And to do so, state and local governments are all different. So you have to be able to account for is just that they are unique ways of approaching policy or purchasing.
So the biggest difference between State Ramp and FedRAMP is that StateRAMP is a nonprofit.
[7:17] The Differences Between StateRAMP and FedRAMP
Leah: We have the ability to, through our committees and through all of those different government organizations or groups that we have really design a framework that can be leveraged by governments wherever they are. Whatever their needs are. In terms of how we're similar from a provider perspective, I think they care a lot about this. How does StateRAMP and FedRAMP compare?
StateRAMP and FedRAMP are both, our requirements are both built on NIST 853. We're both on Rev.4 moving to Rev.5 in 2023. We both require independent audits by third-party assessing organizations or three PAOs. And we both have continuous monitoring requirements. Where we differ is that at StateRAMP for those governments who are participating with StateRAMP, they have the ability to actually view so long as a provider grants them access. So it's all at the provider permissions state, but if they allow a government to be able to view that documentation, that ongoing continuous monitoring and have that method or mechanism for information sharing, and that's one of the biggest differences.
We also removed that barrier for providers to work with StateRAMP. That they don't have to have a contract with the state or local government. Our hope, our mission, our goal is that we want to see more secure and qualified products available to state local government. And so you don't have to have a contract. We've got a process to bring providers in who want to go through the process. If they want to do it, they can do it. That was something really important to the steering committee and board when we were standing this up.
Bringing Innovation to Government Faster
Leah: I think we have the opportunity to bring innovation to government faster. By having visibility into that security upfront and giving all providers a level playing field and a path to get there. I mentioned we're a nonprofit, so our mission is education and resources. We have a heavy, heavy influence and we really lean into the idea of customer service. Joe, I don't know how many times during the committees or even still today, we talk a lot about this needs to be business-friendly. It's your balancing the business friendliness and the reasonable factor I call it, with also what it means, the integrity of achieving a StateRAMP verification. But the business-friendly aspect comes into making it available, having resources available, being easy to work with.
Joe: And I'll add one other major differentiation, this along those lines. I will tell you to answer to your question, Leah, it was every single meeting, committee meeting we had. It was business-friendly. Well, one of those things is the, I'll say only half misconception of the cost to achieve FedRAMP. It's not cheap, it's not inexpensive, it's an aspirational goal. I think, for many that might be only focused on state or local government. So if you think about state and local government, they can't just go to this list of 250 or whatever that's on the FedRAMP list. And say, "We're going to shut down government because we can't assign a contract". So what StateRAMP has which FedRAMP does not have, FedRAMP is black or white, you meet it or you don't meet it. StateRAMP has a snapshot, which is a gap analysis basically.
StateRAMP Has Snapshot
Joe: And it's not millions of dollars. It's not hundreds of thousands of dollars. It's hundreds of dollars with StateRAMP to have a very quick snapshot so that state and local government has the ability to make an informed decision. Is this product miles and miles and years away? Or is this product just right on the edge of meeting all the requirements that the policy states? But that is a very, very quick and easy way to allow government to continue progressing and delivering services to its citizens without incurring the cost structure. This is yet something other that StateRAMP is doing to help longer-term meet the needs of state and local government.
Rachael: That's huge because, let's be honest, FedRAMP is multi-year, could be multi-million. It's a great process, but I don't know business friendly is necessarily a mission statement. So I love to hear this. I love to hear this and thesecurity snapshot, I think that it's just so critical. Especially knowing state and local are going to be at such different places. Their maturity, curb, and starting places.
Leah: Exactly. And I think that has been a real challenge from the providers and that snapshot is probably the most exciting thing we're doing right now. We've just launched this after a lot of work by our standards and technical committee. Our board and our steering committee advising on how to deliver this for the providers.
The Biggest Question
Leah: But we heard this as a need coming from our provider members, coming from government members was the how do we begin? And how do I know what I don't know. That is the biggest question, especially for providers who are saying, do I want to make this investment? I don't even know what the investment looks like because I don't know what the big gap is.
So to be able to have this snapshot upfront, it takes away the mystery. It takes away that concern because they can know, oh, this is what I need to work on to be able to get there. And the other thing that we've been really excited about is the snapshot process does take into consideration other types of, if you've had a SOC 2 Type 2 report, if you've done other types of models before, frameworks before, you can bring that to the call. And it allows you to leverage that to understand what does that map to when you think about NIST. You can leverage that and then build on that to go the distance.
Petko: No, I think you hit the nail on the head, part of the business frame this is if you wanted to go FedRAMP today, cost aside, the hardest barrier I hear from all the technology vendors and the businesses is I need a sponsor.
Where StateRAMP Comes Into the Picture
Petko: And then there's effort on the government side that they have to do certain things, and that takes just as Rachael put, enormous effort there. At the same time, even after you go through it, you're selling just to the federal government. But if you just want to sell the state, you're like, "Well, federal doesn't make sense for me". So there's a lot of local companies, I think at the state level. Lots of great work happening there where local technology companies have helped automate your local DMV or automated paying taxes on the website. Well, that doesn't have a federal requirement, but there might be a security posture need there at the state level.
Joe: Well, and someone coming from the private sector, I'll add to that Petko. Because the exciting thing that we're hearing about StateRAMP from the private sector, from the vendors, is the verify ones use many. So if you have aspirations of working with more than one municipality or more than one state and there's not a standard that everyone looks to, and that's the goalpost, if I meet that, then I have to go through dozens. If you work with dozens of organizations, different processes to get verified for that organization. That's where StateRAMP comes in.
You get StateRAMP verified once. Then all of the other states that are part of the StateRAMP community or local governments can look to that and say, "Okay, there's an independent body that has verified this that is trustworthy that we sanction and approve. Therefore we don't have to go through that with this vendor".
[15:06] The Things StateRAMP Addresses
Petko: So Joe, I’m curious, I know in the US government there, as part of their authorization to operate, they're required to do FedRAMP. At the state level, I know you mentioned in this compliance. But is there anything that says you have to do it a certain way from a legal standpoint or funding standpoint that goes to the state government level?
Joe: Not that I'm aware of. Those that I have read, and it's been over 40 of them, they simply state you must meet NIST 853. They haven't gotten into process or method. They've left that up to the IT departments within state governments. The challenge of course is the silos. And I'm not knocking it, oh my gosh, this is the best place on earth to live. But government is structured where IT is responsible for, in this case security. Or ensuring that systems are secure and procurement is responsible for buying, gaining the best value from the vendors.
Procurement doesn't have IT specialists, cybersecurity specialists on staff, they don't have the budget for it. IT does not have lawyers that are embedded into the procurement process. And so what happens is procurement makes a selection, lobs a contract over the fence, as we are told many times by the IT groups. Saying, "You've got this mission critical. You've got five days to verify the authenticity of this product." And it's like, "Well, I can't do that, don't have the people. I don't have the access to the information". So the process is really what is, I'll say, one of the things that is broken in government that StateRAMP does address, and the other is the cost.
The Challenge Providers Face if They Take the FedRAMP Route
Joe: Shared services is just a great way in a world of, I'll say, a challenged labor market in cybersecurity to help address that across the country.
Leah: I think that's huge. I mean Petko, you mentioned the challenge, and I've heard this too, being at different summits or conferences. But one of the challenges providers says if they do want to go to the FedRAMP path is finding a sponsor. I think one of the key differences, and this was really smart when the steering committee decided to set up StateRAMP this way was to have a centralized program management office.
So all of those security reviews, continuous monitoring, are under one office. You've got consistency in application, how things are applied and communicated, which is great for the provider community. And then through that, that is that shared service that's being delivered to states and local governments is access to be able to view those documents. Again, only if providers grant the access. But you can tell that's been a question I've answered before. But I think that is really, really smart. Because what we've heard is that states and local governments don't have the bandwidth. Or the budgets to do those reviews on their own.
So a shared services model is really helpful there. But that aside, we don't have enough cybersecurity professionals in the United States to fill all those jobs if there was unlimited budget or unlimited bandwidth there.
The Organizations Working with StateRAMP
Leah: I think that alone really drives us to a shared services model like this. It's been a great benefit as we try to really relieve the burden from state and local governments. And hopefully providers too by streamlining not just the process. But the T's and C's that go with it so you can get to work faster. And I think that's been really exciting.
Petko: Yes, I think we are constantly hearing the news how many breaches we've had recently. You get numb to it after a while. But I can't imagine one day having some system that might have local government data in it. Getting spilled on the internet, and then you're like, "Well, who do I to blame? Is it the service provider? And is it the agency? Is it the state"?
Leah: That's right.
Petko: I think the great thing about StateRAMP and even FedRAMP is it shifts security to put it onto the providers to say, let's build this right and then we'll let you sell it. But in order to help you sell it, let's make it easy. I'm curious, being called StateRAMP, which state agencies are part of it? How do we get state more states involved?
Leah: If you go to stateramp.org, we do list all of the governments who have participated. We've got 17 states who have announced they're working with StateRAMP. We've got a number of other local governments in higher ed. The University of North Carolina system is working with StateRAMPs. And so those are organizations that have announced they're working with StateRAMP and are in the process of really in incorporating StateRAMP into what they do.
Why Organizations Are Partnering with StateRAMP
Leah: So we're all at different stages. But before I go further, I want to make sure I touch on something because you just said it so perfectly. I think why they're all becoming a part of StateRAMP is all the things we've said, the shared services model. But really the why is because we've got to be able to partner with the private sector to do this better. Because whether it's our utilities and the security of our water systems or pipe gas, pipelines, you name it, right, that's what is at risk.
It's the data, it's the infrastructure, it's the integrity of government. And so I've had many conversations with companies who are saying, "Why should I do this"? And I tend to say in response, "Because you're innovating and we want you to be able to serve government. But when you do congratulations and welcome, you're now a part of the cyber defense team".
We have to do this together if we're going to do it well. So for those providers who want to get involved or government go to stateramp.org. You can sign up, you can request meetings and we want to meet with you. For the governments, there is no cost. This is provider funded. So for governments, for states and local governments, we've got a couple of benefits if they want to participate. We've got a couple of membership levels. One is the individual level and they can sign up right on our website.
And if you're an individual working for state, local government, educational agencies and you want to be involved, it's just that easy. You just sign up and say, I want to be involved. And that gives them access to our members-only page.
[21:32] How to Partner With StateRAMP
Leah: It allows them to have input and comment on policies when we're updating them. We're getting ready to go through an update through our standards and technical committee. So there's a great way to get involved and get on committees. And then for governments state level or at the enterprise or agency level who want to work with StateRAMP to verify their third-party security, then it's really just as simple as reaching out to us. We have a call and we'll work with them to understand at what level they really want to participate. And so that's how easy it is. We have a team that can work with them.
We've got templates. We're working with the Center for Digital Government as well on an update to their best practices guide for cloud solutions, solicitations that incorporate StateRAMP into it. So we're really excited about that. That'll come out here shortly to help standardize those T's and C's. But we've got lots of sample language, sample templates.
We've been doing this for two years, but especially in the last year and working with more states have really developed a library of resources that we can share as well for them. So we want to be able to be a good partner and even it's similar how the PMO helps relieve that burden for the InfoSec team. Our team is there to relieve that burden from the policies and the managers so we can help with education and outreach as well.
StateRAMP is a 501(C)(6) Organization Education
Joe: I'll go back to the fact that StateRAMP is a 501(c)(6) organization education. I can reflect on our journey where I thought we were and then when reality hit and I realized just the level of workload ahead of us and what was needed in terms of licensed product as well as people, knowledge. I'm assuming that there's an awful lot of companies. There's tens of thousands serving all of state local education and many of them just don't know where to even begin, which is where we were. And I googled, do I go here? Do I go there? And that's where StateRAMP and the resources Leah is referring to.
Before you start down a path and invest time, maybe unnecessarily or prematurely, because there are other pressing priorities or licensed software that isn't really the appropriate or the wrong time. I strongly encourage everybody to contact StateRAMP, have a gap analysis, the snapshot done. It gives you a map to the minefield. Here are the priorities that based upon meeting and achieving the minimum requirements for StateRAMP. That can save enormous amounts of time and money for any company that was a small company like us. Not Google, not Oracle, don't have unlimited resources and are focused on achieving a level of security that your customers are demanding, will demand or require in the most time-efficient and cost-effective way.
Petko: Joe, Leah, I'm curious. If I'm a FedRAMP-authorized service today, let's say, or a vendor that has one or a business that has one, how do I bring that to StateRAMP? You talked about policies and procedures. Is it technically different? Do I have to go through the same assessment, or can I leverage my existing FedRAMP assessment?
StateRAMP's Fast-Track Process
Leah: You can leverage your existing FedRAMP assessment. So we've got a number of providers who have done that. It's really to the benefit of the clients they're serving to do that. Because that's how they're able then to make sure their clients who are the state and local partners have the ability to have visibility into the continuous monitoring and reporting.
We have a number of providers who have a FedRAMP product who've come through StateRAMP. And we call it a fast-track process because they can leverage their FedRAMP audit, the documentation. We try to really be easy to work with, what our program management office, what our security team do with the PMO is they're going to look at that. They're going to validate and authenticate that yes, this meets the requirements. It's a complete package. You know how that goes sometimes. And they're also going to review the most recent continuous monitoring to make sure that the provider is up-to-date for that product's reporting.
And that's what we take on to make sure that we're doing our due diligence and reporting out to the states and local governments that we serve. It takes a matter of weeks. I can tell you board and [inaudible 00:26:06] place asking all the time, we're tracking how long does this take. We know that speed is really important and when people invest a lot of time in getting their security documents together, by the time they call us, they want to go. So we want to be able to meet them on their pace.
The Map to the Minefield
Leah: So in terms of if you're interested, you got a product out there that's FedRAMP authorized, you want to be listed on StateRAMP's authorized product list, we have a fast track process. You can read about that on our website as well, or just reach out to info stateramp.org and we'll respond and let you know what that looks like. But they are able to leverage the work they've already done.
Rachael: That's fantastic. Now, are there synergies between what is the Modernization Act, if I'm referring it to it correctly. Where the state and local governments and tribal authorities can apply to get funds over the next, I think three years, four years, whatever. It seems like there's some really nice synergies here in terms of that planning process. And the gap analysis and what you might want to pursue in terms of a funding program to pitch in. Are you seeing some of that happening?
Leah: I think it's early to see it happening, but we've had so many conversations around it. That a piece of managing your cybersecurity program is managing supplier risk. StateRAMP fits in perfectly there. It is like the easy button.
If you don't know where to start, start there. Because that is going to immediately, especially with the snapshot, that's going to immediately begin to give you visibility into where your risks may lie. If I'm a government, I'm going to look at that immediately. Like Joe said, it gives you the map to the minefield. If you've got your suppliers and you understand where their risks are, now you know where your risks are too. And you can take action as needed to be able to protect yourself.
[27:58] What People Think About StateRAMP
Joe: And I'd add Rachael, great question. Because there's what, a billion dollars? All of the states that we've spoken to, they're trying to figure out how to use the money and that passes through to local government. So much of the conversation relates to infrastructure dollars. How do we, whether it's broadband or whether it's a water, et cetera.
What most people think about when they think FedRAMP or StateRAMP is "cloud solutions". When in fact some of the largest data breaches have occurred through HVAC, control systems or mail systems, or elevator control systems are my favorite. A large organization had a beautiful fish tank. Well, they've got thousands of dollars of these beautiful fish. And guess what?
It's internet of things. It's connected, and I'm making sure that the water, alkaline level, and temperature are all just right to save these fish. And the bad actors came in through the fish tank, and they incurred millions of dollars of losses from that. So my point with that is as you look at StateRAMP or verifying internet of things, because it is connected through your Wi-Fi, it is connected through your network, it poses risks. And that's truly where I think some of that funding could find its way is to ensure infrastructure is as secure as it can be.
Leah: To your point, Joe, though, one of the first steps is, and I can't say how many conversations we've had around this. But it's just identifying who are your suppliers you should be thinking about. Because I do think the first list typically is here's my cloud service providers. But we forget often those softwares, the solutions, that are doing other things.
Know the Right Questions to Ask
Leah: And I don't know Petko if you've seen this too. But I've had a number of calls with providers who, especially those in the SaaS world who will say, "No, we're FedRAMP authorized. And they'll bring to the meeting, they're Azure, AWS certificate, because that's where they're hosted". And we're like, "That's awesome, step number one. Now let's talk about the boundary for which you have responsibility". And I think that's part of the education that we've seen and experienced in how we're trying to move forward as well.
Petko: Yes, I think a lot of it, at least it first starts with jurisdiction. Are they at least in the US? Do US laws apply to them? Because there's also SaaS solutions that are hosted overseas in certain clouds. You're like, "Well, if I knew it was that cloud, I would've never have bought it".
Leah: But if you're not asking the question, and that's where this comes down. So there's been, I think, not because of negligence, but because the speed of digital transformation happened so fast. That when you get down to it, a lot of these details get worked out in contracting.
In contracting you have someone there who maybe doesn't know what to ask. And so they say, "Hey, here's our policy", to Joe's point. "You got to meet NIST 853. Do you"? And the guy on the other line is the one just responsible for closing the deal says, "Sure, I do". Yes, we've all seen that and it's innocent, but once you recognize it, now we need to do something about it. And so I think it's knowing what questions to ask and when and how. StateRAMP, like I said, I think it's the easy button for how we can move forward.
Why It’s Fun to Work with StateRAMP
Joe: Well, I'll go a step further. The SOC report, because my hosting service, and pick your name. It could be AWS or some regional, one of their sites is FedRAMP authorized or one of their sites has had SOC. And so therefore all of their hosting sites must meet this requirement. But as a procurement person, I don't know that. So I see a SOC report, I have to trust the vendor is telling me the truth. That's again where StateRAMP comes in as who do I turn to as a procurement official to validate what I'm being told is actually the truth? By the way, the vendor may think it's the truth also because their vendor is telling them it's the truth. So that independent authority to be able to do the due diligence and validate what is factual.
Leah: And the education, right?
Leah: That I think what has been so much fun. We've got over 50 people on all of our committees and boards. Then working with our members is so much fun because it presents the opportunity for education every single day. Every single day we learn something, but every single day we're able to help raise the bar, I think.
What I have found is that the providers we're working with and talking to, because if we are able to standardize the process and the requirements, it's easy to raise the bar or easier to raise the bar. Because if you have one standard that you're trying to achieve, if we can standardize this, the value is so great to them.
StateRAMP Is the Bridge Between IT and Procurement
Joe: If someone came up with this and that was their product or service, there's no way that it would've escalated. And at the inertia that we have today in government in just over a year to have the number of states and local organizations, bodies of corporate politic using StateRAMP, it's because of all of those public-private experts and leaders that have contributed so much time and knowledge in this process and in building the organization.
Rachael: It's impressive how much you've gotten done in what's seemingly a short amount of time.
Leah: It is, isn't it Rachael? I'm really tired.
Rachael: I imagine. But it's so needed and it's wonderful to see how much that you've put together. We talked 2020. I mean, it was just a minute ago and I'm so excited to see where this goes. And so how do we get more states online here, because I can only see the goodness. It's like multitude, magnitude of goodness as more and more get online. How do we get more folks onto the StateRAMP?
Leah: It's doing things like this and getting the word out. Part of our process, you asked, and I don't know if I answered. But I've found that we're often the bridge between the information security team and procurement. Most often the discussion begins, not always, but most often it begins with the information security team. So it's the chief information security officer reaching out or maybe his or her deputy or a chief technology officer.
How to Work with StateRAMP
Leah: That's typically where the discussion begins. they'll reach out and say, "I want to know more. I want to do this". And we will say, "Great, get your team on the phone, but can you also invite procurement. Can you also invite the other people who may have a hand in this"?
It's getting out of those silos and thinking about every single one of us plays a role in cybersecurity. So it's bringing all of the right people to the table and having that champion to move it forward. So it's just time. We had said we thought we were on a third, a third, and a third. I'm just going to share this.
In our steering committee basically said, we think in terms of state adoption, you're probably going to have about a third of the states first year, third of the states second year, a third of the states third year. Because of lots of factors, because of leadership styles. And because of cyber maturity or also because there's a thing called elections. We just had a massive number of new governors. So part of it is waiting for the new appointments to be made so that we can pick up the conversations where we've been having them.
But we strongly advise not to announce StateRAMP publicly until you've had those conversations with everybody on the phone. And we're all ready to move forward together. We're available, firstname.lastname@example.org, email me. That is the best way to begin. I think that we're having really good adoption and energy and momentum. And it's outpaced a little bit of what our steering committee had set out for us in terms of goals.
[36:30] StateRAMP Is the Right Solution, at the Right Time
Leah: I think that it's because it's the right solution at the right time. I've heard JR Sloan say that so many times. When our steering committee was meeting in 2020, the number of times we would be meeting and we had all these breakout groups and committees working on different things, bylaws, all those fun things. But one committee, the number of times we'd get together and people would say, gosh, I wish this were available now. So it was in the middle of the pandemic and they were having to make really quick decisions on who to work with and how. And so I think that the need is very evident, and it's an elegant solution.
Joe: And I would add that for all of your listeners that either do business with government or aspire to do business with government, to have the number of states that have announced their adoption of StateRAMP within a year of launching it.
It truly is remarkable knowing that, one, you have to have change agents inside government. You have to have champions that drive it forward. But you also have to change policy, and you also have to change procurement code. And that takes an education process each one individually. Then you have to have public comment period. And all of that takes time, and so to have that many that quickly to me serving government for the last 30 years is nothing sort of remarkable.
StateRAMP Has Incredible Strategic Partners
Joe: And I think we're going to see continued inertia as we move forward because we see the states that we're talking to that aren't ready to announce yet, but that will be very soon.
Rachael: Just a real quick sidebar. I worked for the City of Houston for a number of years. And I have to say what I love is that the only way you could get, I think, as far as quickly as you have is knowing all those nooks and crannies. Because it took me, I think, a year to figure out all the different people to go to for different things just to get my job done. And that's critical, critical. So it's amazing that you guys already cracked that code so that folks can actually get stuff done. Because that's the only way.
Leah: Oh, we are going to get in there. We have incredible leadership on our board and committees and great strategic partners with the National Association of State Procurement Officers. The National Association of State Chief Information Officers, and so many more. We just worked on a partnership with the National Association of Counties. I think those strategic partnerships have been so beneficial in helping get the word out. But also helping advising us in terms of all those nooks and crannies. So we're very fortunate.
Two Years vs. A Decade of Accomplishment
Petko: Leah, I can't help but just reflect on it what, two years since you guys launched. And you've got a third of the states onboarded. Yet when I think about how long FedRAMP has been around, I mean FedRAMP started over a decade ago.
Rachael: 2011, we're in 2011, I think.
Petko: Yes. So what you guys accomplished in two years with the pandemic and onboarded a third of the country, that's pretty impressive if you think about it.
Joe: Love to take credit, can't. It goes to all the members that have put an awful lot of time and effort into this. But thank you for that.
Leah: Well, and I think too, it's the members who put in time to come up with a framework that can work. That has the flexibility built in so that we're constantly asking, how do we make this better? What are the educational needs? How do we break down barriers because we're all trying to get to the same place of better security.
Joe: And I would add to that we don't live in a world of steady state. So to have the advisors from public and private will continue to help us evolve as the changes occur. The risks occur, and we'll have to adapt. And I think having that input is just a remarkable thing.
Rachael: Absolutely. So I know I want to be respectful of time but real quick too. I want to give you a plug for as we look at the year ahead, where are you guys going to be? Any shows or things we want to call out, so people can stop by and talk to you guys face-to-face?
Leah: Absolutely. We've got a number of conferences we'll be attending in person and speaking at several of these. I mentioned NASEO and NASPA, we'll be at their mid-year annual different things. We're also going to be in the State of New York. We've been working with the New York Counties and their IT directors. So we'll be there at the end of February in Albany as well as in May.
The National Association of State Technical Directors is another one of our strategic partners will be at their conferences and speaking as well. And those are just some of the few. You read my mind, Rachael. Because earlier today I was meeting with our team and I said, "My goal is to get all of this on the website by the end of this". If you go to stateramp.org/events, you can see all of the events where we're going to be. As well as we host webinars. So we've got virtual meetings we are hosting all the time.
And so you're going to see by end of January, that will be populated and very robust. We've got, I think three or four events. But if there is an event that someone's interested in having a speak at or attend a virtual event, reach out. We hardly say no. If we can make it, we really want to be there. Because I think a big part of our mission is connecting with individuals and making sure that all the different parties and members know what's out there and available to them.
Take the First Step Today
Joe: Leah, nice job. Rachael threw us a softball. I was going to end with invite us. Because I'm happy to offer Leah and her team's time to participate in any event you have.
Petko: Joe, given the velocity you guys are having in terms of getting states on board, if you haven't already hit critical mass, I think more vendors need to say, I need my product to be StateRAMPed. Because if not in the near future, if it hasn't already, it will in the near future.
Joe: Yes. And thank you for that Petko. I would say as a vendor to government and have been for decades. You have to look out more than the next RFP that you think is coming out. You really have to look out two years, three years. We track competitors' contract expiration periods and say, "What do we need to do today to be well positioned in two years when that RFP is coming out". And the time to begin the NIST 800 journey is not six months before the RFP comes out or when the RFP comes out. So again, I come back to that snapshot, engage now, learn now, at least begin that thousand-mile journey with that first step today. Don't wait.
Leah: And you know what? It's a journey that never ends. So you to make sure that you enjoy the ride. Because there's no such thing as a one-and-done audit or a one-and-done report in cybersecurity.
Sign Up with StateRAMP
Leah: So the shift to continuous monitoring, and I think what you're going to see, certainly where we are aspiring to go, is continued mapping to other compliance frameworks. These flow-down requirements that come from the federal government to state and local, whether it's the criminal justice information system or the Medicaid management information systems or IRS, all of those flow down. The more we can map to NIST 853, the better. We're definitely seeing that as the gold standard and common language. And I think that brings so much opportunity to continue standardization. So you're going to see us talk more about that. Just continuing to provide more resources and education for everyone we're serving.
Petko: So to our audience, and if you're a state local government, please make sure to sign up. If you're a vendor, please make sure to look at stateramp.org.
Rachael: Absolutely. So onto all our listeners out there, Happy New Year. I think we're getting out to a great start. And as always, Petko, what are we going to ask to do?
Petko: Smash the subscribe or like button? I can't remember which one it was.
Rachael: Wanted twin powers activate. That's right. Smash that subscription button and you get a fresh episode every Tuesday. So until next time, everybody, stay safe.
About Our Guests
In 2020, Joe Bielawski (President of Knowledge Services) and J.R. Sloan developed the idea of StateRAMP to meet the growing need in state and local government to manage third party risk and efficiently verify cloud security.
Serving as the Executive Director, Leah McGrath has been involved with StateRAMP since its formation. In 2020, she spent countless hours working alongside Steering Committee members to develop StateRAMP’s governance and policy framework. Prior to her work with StateRAMP, McGrath held leadership positions in both the public and private sector, including serving as the first deputy mayor of the City of Fishers, Indiana.
During her tenure, Fishers transformed from a town into a smart, vibrant, entrepreneurial city and was named the #1 Best Place to Live in America in 2017 by Money magazine. As deputy mayor, she helped lead modernization efforts and spearheaded city-wide efforts to develop the city’s first long-range, comprehensive plan. McGrath’s 20-year career has been focused on working to improve government outcomes at the state and local level, helping shepherd government into the digital age securely and effectively for the citizens it serves.
Listen and subscribe on your favorite platform