The surge in public cybersecurity breaches continues to drive companies toward proactive and comprehensive approaches to reducing cybersecurity risk. The attention and the consequences are spreading beyond large organizations to small and medium ones, in government and commercial sectors alike.
If you’re seeing increasing demands in the form of cybersecurity questionnaires or compliance requirements, you’re likely falling prey to “cascading compliance requirements.” Add StateRAMP to the widening array of cybersecurity and compliance requirements impacting companies of all sizes.
These cascading compliance requirements usually arrive as part of your client’s vendor/supplier selection process. As enterprises operationalize their vendor and third-party management programs, they use questionnaires and security requirements to understand the risk that a vendor poses to their business. This wave is not slowing down; it is growing, as government agencies and cyber insurance companies now require cybersecurity programs from their suppliers and clients too.
As supplier scrutiny increases, we’re seeing requirements for specific frameworks and certifications such as SOC 2, ISO 27001, and NIST compliance. Increasingly, SMBs must obtain a SOC 2 Type 2 report or a similar attestation or certification, or lose eligibility to win or retain business with their enterprise prospects.
State and local governments are joining the mix of organizations compelling small and medium businesses to address their cybersecurity risk via compliance initiatives.
StateRAMP, among the newest security requirements, follows in the footsteps of the more broadly deployed FedRAMP certification, which many software and cloud-based service providers must implement to be eligible for federal contracts.
StateRAMP is a set of security controls and oversight mandates for suppliers to state and local governments, including educational institutions. Arizona and Texas have taken the lead, with at least a half-dozen other states also developing StateRAMP certification.
Arizona’s AZRAMP program debuted in 2021 and is progressing to the broader-based StateRAMP requirements. All the security controls are based on NIST 800-53, which is the same underlying standard for FedRAMP. Here are some of the AZRAMP requirements software and cloud providers must demonstrate:
- Meet 35 basic controls to bid on Arizona state projects or protect their data
- Meet 125 basic controls to protect public data
- Meet 325 basic controls to protect sensitive data
Currently, over 235 active vendors meet AZRAMP standards. The supply base will be required to shift to StateRAMP, which provides a more formal process for validating compliance.
Texas has pushed ahead even more aggressively. It passed the TX-RAMP legislation in the summer of 2021, and required all SaaS, IaaS, and PaaS vendors to be TX-RAMP authorized by January 2022. Authorization is an interim step to certification, which will be required within 18 months thereafter. Compliance is mandated before suppliers can renew or secure contracts with state agencies or higher education and public community colleges. As with the Arizona-based program, TX-RAMP is the state-specific version of what is presumably the multi-state standard, StateRAMP. It’s unclear at the time of this article to what degree states will reciprocate among the state-specific standards, but all states signing on for StateRAMP will be aligned on a common reciprocal standard.