The theme of the inaugural StateRAMP Cyber Summit could be summed up in two ways. The first was federal, state and local government leaders and private sector executives all recognized the need to harmonize the growing assortment of cyber regulations. The second was the underlying benefits of having a set of cybers standards that every agency take advantage of and vendor can achieve.
Over the course of the last four-plus years, it’s become clear that without this baseline of cyber requirements, state and local agencies would have a harder time protecting their systems and data from cyber threats.
“I think everyone has recognized the time, the effort and the expense to properly staff and deliver the assessment and continuous monitoring that comes through StateRAMP, which makes it a great value for the states,” said JR Sloan, the Arizona state chief information officer and co-founder of StateRAMP. “We call it StateRAMP, but it’s really not just states. This goes all the way down to the local and municipal level. And I’ll tell you that I see the same problem with cities, counties, local municipalities, again, they’re trying to get all the advantages of these emerging technologies and the advantage of cloud solutions, but they got to solve the same problem with the data. They were looking to us to say, ‘well, who have you reviewed?’ They started leveraging our list. Well, that’s the same thing with StateRAMP. That great value for them, and in terms of the supplier value proposition, it’s not just being able to sell to states, it’s being able to sell through that entire continuum, down the state, local and education (SLED) markets.”
About 25 states are part of StateRAMP and a few others like Texas have adjacent programs that follow almost the same set of standards. Additionally, StateRAMP now has over 400 vendors who have been certified, many of which also have met the federal standards under the FedRAMP program.
Defending critical infrastructure
A shared service like StateRAMP came into being almost at the perfect time as the cyber threats were becoming more complex and harder to defend against.
Joe Bielawski, the president of Knowledge Services and co-founder of StateRAMP, added back in 2020 when they started talking about this concept, the cyber threats were mostly data breaches. Today, he said, it’s ransomware and attacks against critical infrastructure like water systems and electric grids.
Ken Weeks, the chief information security officer for the state of New Hampshire, said he’s seeing those threats first hand.
“What we’ve come to realize is that some of our most vulnerable systems are in critical infrastructure, and especially in community drinking water systems and wastewater systems. Some of these systems are very small. They may only serve 60 customers. Some serve thousands of customers. But over time, there has been no attention paid whatsoever to the security of these systems,” Weeks said. “We’ve used a program that we have called the Municipal Cyber Defense Program that’s run by a private organization, and they go out and provide hands-on training for SCADA operators. They give seminar type training for elected officials as well as for town employees to teach them what’s important about cybersecurity, what things to budget for, what things to not worry about so that it can be sustained. I think through the awareness campaign, as well as actually delivering real solutions and outcomes, we’ve made tremendous progress.”
Nikki Rosecrans, the CISO for Arapahoe County, Colorado, said her county is one of those areas that is playing cybersecurity catch up.
Arapahoe County just issued its first information security policy in June.
She said before the policy came out, the county practiced strong information security, but the new policy was more about educating its non-cyber and IT workers more broadly about how to protect data and systems.
“Now that our employees are apprised of the policy, they’re starting to understand what this means. I feel like we can feel better about how our employees are processing and handling sensitive data,” Rosecrans said. “Arapahoe County has chosen to follow the Center for Internet Security (CIS) framework. It’s a set of 20 controls based off of the NIST framework. It’s a little bit more palatable for us to implement.”
The benefit of cyber harmonization
Rosecrans said she’d rather be able to rely on a more standardized set of controls where cybersecurity requirements for CIS and StateRAMP, for example, were more harmonized.
That desire for harmonization resonated time and again with state and local leaders and private sector executives.
Dan Lohrmann, the field CISO for Presidio and a former CISO for the state of Michigan, said harmonization through programs like StateRAMP drives huge value for vendors.
“The ability to for states to not have to reassess solutions every time they do a request for proposals (RFP) is a big deal. You really want to say is this product that we’re going to be using a cloud-based solution and is that even protected properly, and if so, can we use it?” he said “The ability to for the vendor not have to redo that for every state and have different requirements across the board, that’s a huge value. I can’t give you an exact number on the percentages, but it’s well over 50% to 70% [savings]. There are some unique requirements that are still going to be there like for criminal justice information or Medicare and Medicaid, but I think it’s 10% or 20% different and 80% of it is the same.”
John Lee, the vice president of cloud solutions at Carahsoft, which sponsored the StateRAMP Cyber Summit, said vendors also benefit once receiving their StateRAMP or FedRAMP certifications through increased revenue. He said they are seeing as much as a 60% increase in public sector revenue in that first year after achieving a cyber certification.
“Clearly government procurement officials feel more comfortable when they look at somebody who has achieved that authority to operate (ATO) across the board. With all the attacks that are occurring, people are looking at this for the Good Housekeeping seal of approval,” Lee said. “They know that nobody’s going to yell at them if they actually are utilizing somebody with an ATO in place. So I think that’s what’s driving and then, quite honestly, once you have that, that’s a great message to go out and sell and market.”
Coordination with acquisition leaders improving
That message is resonating with state procurement officials, mainly as a way to reduce risk and make up for a lack of resources to monitor cybersecurity companies.
Jamie Schorr, the chief cooperative procurement officer with the National Association of State Procurement Officials, said the relationship between CISOs and acquisition leaders is closer than ever.
“Our CISOs are able to rely on us to provide good guidance and feedback throughout the procurement process, to ultimately select those suppliers that will meet those minimum cybersecurity standards. It’s fantastic,” she said. “Not only do the CIOs, CISOs and business officials have more respect for procurement and what we do to follow our statutes and laws, but the chief procurement officers are also having a greater understanding for the CISOs and what their protections area and what their ultimate goal is.”
Those conversations are moving CISOs into a larger role that has less to do with just cybersecurity and more to do with protecting business and mission systems.
Meredith Ward, the deputy executive director of the National Association of State CIOs (NASCIO), said CISOs are doing more to build and maintain relationships with other state agency leaders.
“We know that the bad actors don’t care if you’re with this city or this state or this county, they’re attacking everyone. So no longer can we rest in these silos,” she said.
Discover more articles and videos now from the StateRAMP Cyber Summit in Indianapolis.
Copyright
© 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.