StateRAMP’s Security Snapshot for Provisional Authorization with Non-Authorized External Services
Published: Apr 1, 2025
Last Updated: Apr 2, 2025
Any Cloud Service Provider (CSP) who is familiar with FedRAMP likely knows that presenting an authorization package that includes a non-FedRAMP-authorized external service storing or processing federal metadata wouldn’t get you very far—it’s likely a showstopper. However, some may not realize that this is not necessarily the case with StateRAMP.
As the #1 provider of FedRAMP assessment services on the Marketplace, we at Schellman are familiar with what it takes to achieve a successful FedRAMP Authorization, but we’re also an experienced StateRAMP Third Party Assessment Organization (3PAO). As such, we’re equally familiar with the key nuances of this program—including its unique Security Snapshot, which provides a new and creative approach to the age-old issue of using external services and the data risk that comes with them.
In this article, we’ll explain more specifically how StateRAMP’s Security Snapshot can help you gain Provisional Authorization, even as you’re using non-FedRAMP/StateRAMP external services, so that you can understand all your options when pursuing authorization. Before we dive in, we'll first cover common StateRAMP terms and provide a definition for StateRAMP's Security Snapshot.
SLED Metadata Subcategories
StateRAMP uses the term “SLED Metadata,” which is further split into “SLED Metadata with a Direct Potential Impact” and “SLED Metadata with an Indirect Potential Impact.” The table below, which can also be found in our StateRAMP FAQ blog, offers a detailed explanation of the definitions and differences of these data types:

| Data Type | Details |
|---|---|
| SLED Metadata | Data that, if compromised, could impact the confidentiality, availability, or integrity of the systems supporting the processing, storage, or transmission of SLED data. Examples include: |
| SLED Metadata Subcategories | |
| SLED Metadata with a Direct Potential Impact on the Mission of Organizations or Individuals | This type of SLED customer metadata must reside within your authorization boundary or the boundary of another StateRAMP-authorized information system at the same or greater Impact Level. Examples include: |
| SLED Metadata with an Indirect Potential Impact on the Mission of Organizations or Individuals | This type of SLED customer metadata may be authorized to reside in a system that is fully owned, maintained, and operated by you with approval from the StateRAMP PMO. Examples include: |
What is StateRAMP’s Security Snapshot?
The Snapshot is a separate procedure in which a CSP submits evidence to the StateRAMP PMO and receives a “Snapshot”: a score of where the cloud service offering (CSO) stands against just the 40 NIST controls StateRAMP has deemed of high importance.
For more information on StateRAMP’s snapshot process, visit 3 Things You Should Know About StateRAMP for a walkthrough of their process.
How to Use StateRAMP’s Security Snapshot
CSPs can opt to obtain a StateRAMP Snapshot for a variety of reasons:
- To demonstrate early commitment
- To build momentum and visibility with state agencies (and maybe even expedite those opportunities)
- To reduce how long it takes to achieve full authorization
Simply put, StateRAMP conducts a limited evaluation of the External Service Provider (used by the Cloud Service Provider) to gain an understanding of, and an acceptable level of comfort with, the risks of using that service before granting the Service Provider (SP) a Provisional Authorization.
Situation
Diving back in, you’re a CSP (or Service Provider, “SP,” in StateRAMP parlance) who cannot, under any circumstances, give up a vital External Service Provider (“Provider” for the purposes of this blog), which happens to be neither FedRAMP nor StateRAMP authorized.
Problem
If the service provider stores or processes SLED Metadata, a reputable 3PAO will call this out as a risk during assessment. Depending on the data types in question, this very well may impact the 3PAO’s ability to provide a positive recommendation for StateRAMP Authorization.
Legacy Solution
Historically, to move the security assessment forward, the SP would need to rearchitect in the following ways:
- Bring the information into their boundary (their control)
If such a product exists, this may be expensive and impose administrative costs. If the on-premises solution introduces a new host, that host will need to be part of the vulnerability scanning scope, and it may introduce new vulnerabilities and findings of its own.
- Switch to a FedRAMP/StateRAMP-authorized external service (at the same security impact level or higher)
If one exists for the desired functionality, this may be expensive.
- Attempt to obfuscate all data within the external service
If done, this may render the external service simply valueless. Additionally, the PMO would need to accept this, which can hardly be counted on.
It’s also worth noting that the task of obfuscation is exactly as complicated as it sounds, and it may not work well enough to the PMO’s liking.
New StateRAMP Solution: Security Snapshot
In this situation, it’s not the SP who needs to undergo a Security Snapshot—it’s the Provider of the SP. The SP would simply ask the Provider to engage the StateRAMP PMO and complete a Security Snapshot.
To do this, the Provider must perform the following:
1. Understand what a Security Snapshot is
- The provider will submit evidence of implementation for 40 NIST 800-53 Rev 5 critical controls
- The assessor will evaluate the evidence and decide if the controls are “Pass, Pass with Concern, Fail, or No Evidence Provided.”
- Each positive determination adds to the score, which is weighted based on the MITRE Control Protection Value as documented in the scoring criteria. The top score is 100.
- You can download the Security Snapshot Matrix to find the instructions and scoring criteria.
2. Submit a Security Snapshot Request Form
- The StateRAMP PMO will be in touch with you to schedule an intake meeting and discuss details of payment.
- Payment is based on the Provider’s annual revenue and ranges from $500-$1,500.
3. Conduct Intake Meeting
- During this 1-hour meeting, StateRAMP PMO may ask additional questions.
- This is also an opportunity for the Provider to ask any questions about the methodology of the Snapshot, such as the scoring criteria.
4. Provider Submits Implementation Evidence to StateRAMP
- Note that, according to the StateRAMP PMO, no partial scores are given if complete and accurate evidence is not submitted.
5. Receive the Security Maturity Score
- StateRAMP claims the turnaround is about 3 weeks. The score will be issued in a formal letter from the StateRAMP PMO and is not made public.
If the score is high enough for the StateRAMP PMO to become comfortable with the Provider’s risk, given the context of how the Provider system is used, the metadata types in question, and the Service Provider’s assessment risk, StateRAMP will notify the SP and move the security package toward authorization, which is limited to a Provisional Authorization.
Note that because the authorization type is Provisional, the Provider must complete a new Security Snapshot annually, aligned with the SP’s annual assessment due date.
What To Do If Your Provider Does Not Understand the Snapshot Program
A common concern upon learning about the Snapshot program is the risk of Providers either not understanding the Snapshot program or being reluctant to assist. Often, the Provider is a larger organization than the SP requesting the effort, or it doesn’t have the bandwidth to conduct a Snapshot.
Here are some helpful tips to get your Provider on board:
- Request a meeting between the StateRAMP PMO and the Provider. The PMO does understand this situation and can offer some assurance to the Provider, such as where the data is stored and what the retention periods are. They can help deliver the message of “what’s in it for them.”
- Offer to pay for the Snapshot for the Provider. The StateRAMP PMO does say this is an option.
- Remind the Provider that the Snapshot may be reusable for other SPs entering the StateRAMP marketplace. This may increase usage of the Provider’s product.
- Educate the Provider about the original purpose of the Snapshot program. The program is based on the premise of obtaining an independent assessment score which may indicate whether a system is primed for further entrance into the StateRAMP market via Readiness Assessment or full Authorization. If you download and look inside the Security Snapshot Matrix, the final tab presents data about the completion of each level of the StateRAMP Journey.
Moving Forward in Your StateRAMP Journey
As a leading 3PAO for FedRAMP and StateRAMP, Schellman is ready to assist with your StateRAMP assessment journey. If you’ve previously worked with us on a FedRAMP assessment, you can expect essentially the same project scope, engagement length, fees, and type of deliverables—Security Assessment Plan (SAP), Security Assessment Report (SAR), Risk Exposure Table (RET), Penetration Test Report—though StateRAMP does have specific templates for those that we use.
If you’re ready to move forward in your StateRAMP assessment journey, or you have any other questions about the process, contact us today and we’ll get back to you shortly. In the meantime, discover other StateRAMP insights in these helpful resources:
About Jon Coffelt
Jon Coffelt is a Manager with Schellman. Prior to joining Schellman in 2017, Jon worked as a Program Manager, specializing in Information Security. As a Manager with Schellman, Jon is focused primarily on client engagement, project management, assessment, and assurance for commercial organizations across various industries.