StateRAMP Compliance Software with OSCAL
StateRAMP adds an important level of confidence that state governments are implementing secure solutions to serve citizens and residents. By requiring technology and cloud vendors to be StateRAMP authorized, agencies can be confident that their data is being stored and processed according to NIST cybersecurity requirements. State and local governments, public education institutions, and special districts are key parties adopting StateRAMP authorization and compliance processes as part of vendor selection.
Rizkly provides StateRAMP compliance confidence for information technology providers seeking to keep and grow their state agency business. We combine expertise guidance together with a powerful StateRAMP compliance automation platform to provide you with certainty in your authorization efforts. Once we help you achieve StateRAMP Authorization, Rizkly’s continuous monitoring automation features ensure that sustaining compliance is effective and efficient so you can stay focused on what matters most, growing your federal and state government business.
Identify
Automate
Demonstrate
| StateRAMP Document | Description |
|---|---|
| Baseline Controls | This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. |
| Data Classification Tool | This document helps service providers and governments determine what StateRAMP security category requirements to use to ensure their data is protected. |
| Security Assessment Framework | This document describes a general governance and security framework for StateRAMP. |
| Continuous Monitoring Escalation Process | This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program. |
| Continuous Monitoring Guide | Continuous monitoring review procedures outline the process to examine each monthly package. |
| Incident Communications Procedures | This document describes the process for StateRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents. |
| Vulnerability Scan Requirements Guide | This guide describes the requirements for all vulnerability scans provided by service providers to StateRAMP for products with a Ready, Provisional, or Authorized status. |
| 3PAO Accreditation Process | StateRAMP recognized FedRAMP authorized third party assessment organizations (3PAOs) to conduct independent audits. |
| Appeals Committee Charter | The Appeals Committee serves as the adjudication board for the Program Management Office determinations. |
| FedRAMP JAB Attestation | In an effort to provide recognition to those providers whose products have achieved a FedRAMP Authorization through Joint Authorization Board (JAB) approval, a new Federal JAB status has been created for providers who wish to list their product on the StateRAMP website. |
| Provider Leadership Council Charter | This charter outlines the duties and responsibilities of the StateRAMP Provider Leadership Council. |
| Standards & Technical Committee Charter | The Standards & Technical Committee makes recommendations for best practices and policies that guide cloud security requirements and verification. |
| StateRAMP Adopted Bylaws | This framework for bylaws was developed by the StateRAMP Steering Committee. As the Board of Directors is formed in late 2020, one of their first actions will be to adopt the bylaws for the organization. |
| StateRAMP Approvals Committee Charter | This charter outlines the duties and responsibilities of the StateRAMP Approvals Committee and their role in providing approvals for product security packages seeking an Authorized status. |
| StateRAMP PMO Charter | The PMO Charter defines the objectives, roles, and responsibilities associated with the StateRAMP Program Management Office (PMO). |
| StateRAMP Steering Committee Charter | The purpose of this charter is to define the objectives, membership, decision making, meeting schedule, and roles and responsibilities associated with the StateRAMP Steering Committee. |
| Center for Digital Government Best Practice Guide for Cloud and As-a-Service Procurements | The Best Practice Guide was created to provide government and industry with consensus-based advice and terms and conditions for cloud solution procurement models. |
| Get Started With StateRAMP – Government Guide | This guide explains the StateRAMP implementation process for governments. |
| Sponsoring Government Brochure | Learn about sponsoring government eligibility, how to become a sponsor, sponsor commitments, and how the StateRAMP PMO works to serve state and local governments. |
| Minimum Mandates for Ready Status at Low Impact | To achieve StateRAMP Ready status at a Low Impact Level, a service provider must meet the minimum mandatory requirements outlined in this document. |
| Minimum Mandates for Ready Status at Moderate and High Impact | To achieve StateRAMP Ready status at a Moderate or High Impact Level, a service provider must meet the minimum mandatory requirements outlined in this document. |
| StateRAMP Overview | This document provides information about the StateRAMP organization, how to become a member, the process for engaging the PMO to complete a security review, requirements for government sponsorship, and how to list products on the Authorized Product List. |
| StateRAMP PMO Fee Schedule | This document provides an updated StateRAMP Program Management Fee Schedule, effective January 1, 2023. |
| StateRAMP Security Assessment Framework | This document provides a summary of the objectives, goals, and governance approach of StateRAMP, along with an outlined methodology to verify cloud security. |
| StateRAMP Security Control Baselines Summary | This document provides a summary of NIST 800-53 Rev. 4 security controls required for verification, by Security Impact Level Category. This summary is the result of ongoing collaboration with State leaders and cybersecurity experts. |
| StateRAMP Provider Sponsor Requirements | This document outlines the process (including government sponsorship requirements) for a vendor’s offering to be listed as StateRAMP Authorized on StateRAMP’s Authorized Product List (APL). |
| Significant Change Form Template | Service providers are requirements to submit this completed form to StateRAMP and receive StateRAMP approval prior to implementing a significant change to a system with an existing StateRAMP Authorization. |
| Vulnerability Deviation Request Form | When a service provider identifies a vulnerability that potentially warrants different handling than normally required by StateRAMP, they may submit a deviation request to StateRAMP using this form. |
Why Rizkly
By Chor-Ching Fan
FedRAMP automation is on its way. The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL support the expression of compliance information through XML, JSON and YAML formats. OSCAL was released in June 2021 and is currently in Version 1.1.0 (late July 2023)
The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard. OSCAL promises to enable FedRAMP automation (and other frameworks that adopt it) improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information. OSCAL automation has the ability to simplify many of the manual tasks involved in compliance including:
- Generating security documentation
- Assessment plan and results evaluation
- Tracking remediation activities
- Reporting on compliance status
OSCAL can be used to support a wide range of compliance frameworks, including:
- FedRAMP (early adoption in progress)
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27001
- SOC 2
- HIPAA
- PCI DSS
FedRAMP automation with OSCAL promises to be significant improvement over previous approaches to compliance automation. As proven by similar information exchange automation initiatives in other industries i.e. ecommerce supply chain documents or financial filing with the SEC, OSCAL should make compliance management be more efficient, more effective, and more scalable.
Here are some of the benefits of using the new OSCAL compliance framework:
- Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money. FedRAMP SSPs can easily run 300+ pages in Microsoft Word. With continual updates and document submissions to the FedRAMP PMO, this task alone will benefit greatly from OSCAL.
- Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
- Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks. OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.
Since its 1.0 release in 2021, Rizkly has supported the OSCAL standard with the goal of providing the best software for FedRAMP automation. We love OSCAL and think its great for the cybersecurity compliance world. Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one-click in Rizkly. It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements. While still in a pre-commercialization status for FedRAMP, we recommend that CSPs explore the transition to OSCAL along with their FedRAMP R4 to R5 gap analysis and planning efforts. If you’re wondering about a FedRAMP R4 vs R5 gap analysis, Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist…just contact us.
By Chor-Ching Fan
As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives, many wonder “what’s the the difference between CMMC and FedRAMP”? The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.
CMMC is a comprehensive framework designed to protect the defense industrial base’s (DIB) sensitive unclassified information. While it started with five levels of maturity, the latest version of the CMMC 2.0 framework includes 3 levels and tracks very closely with the NIST 800-171 control framework. All DoD contractors will need to achieve at least Level 1 (based on the sensitivity level of the information handled by the contractor) in order to keep and/or win new work with the DoD
FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two approaches to achieving FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four different control baselines that support the different FedRAMP authorization impact levels.
| CMMC | FedRAMP | |
|---|---|---|
| Purpose | Assesses and enhance the cybersecurity maturity of all contractors working with the DoD | Focuses on the security of cloud service providers serving federal agencies |
| Certification/Authorization Levels | 3 | 4 |
| Minimum Level Required for Work Contracts | Level 1 (once CMMC is finalized) | Authorized at applicable impact level |
| Levels and Control Scope |
|
|
| Applicability | Applies to all contractors that work with the DoD | Applies to cloud service providers (CSPs) that work with US government agencies |
CMMC vs FedRAMP
CSPs must achieve Authorized status in order to provide services to US government agencies. Soon, DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.
In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics dealing with data, network, staff, physical building and vendor security. Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:
- CMMC has been in development for the past few years and is now (2023) nearing finalization.
- FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011). We view it as the high bar for cloud cybersecurity compliance.
- Both CMMC and FedRAMP are constantly evolving. The DoD, FedRAMP PMO and NIST are constantly updating the requirements to reflect the latest cybersecurity threats.
- Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs. Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.
Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls but we do not perform the actual implementation work. Over the years, we have a developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts are also a key part of compliance remediation efforts and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.
Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative. We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project. Typical project activities include:
- Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
- Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort
- Develop the system ‘boundary’, and what will be in scope for compliance purposes
- Draft a system architecture diagram that clearly depicts the system boundary
- Review existing documentation and work with your team members to understand system and process specifics
- Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
- For each gap determine a detailed plan of action to remediate
- Collaborate as needed with personnel (staff and/or your vendors) during remediation.
- Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
- Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
- Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POAM reports and SPRS scoring
- Post-remediation ensure that all controls are in place and operating effectively
