FedRAMP and StateRAMP

Closing the Gap Between State and Federal Standards is Easier Than You Think

Navigating the landscape of government data management and protection can be daunting for companies seeking to partner with government entities. Frameworks and regulations such as SOC 2, PCI DSS and HIPAA, and government-specific programs like FedRAMP and StateRAMP, are central to ensuring the confidentiality, integrity and availability of cloud-hosted information. This blog post explains how to navigate these requirements.

Government agencies do not work in isolation. They collaborate with external service providers to achieve their goals. Companies looking to do business with government must first meet specific criteria for data management and protection. Depending on the data involved, that may include SOC 2, PCI DSS or HIPAA compliance, but for cloud services used by federal agencies the requirements are codified in the Federal Risk and Authorization Management Program (FedRAMP), which is built on the NIST SP 800-53 security control baselines. Readiness typically means documenting and proving the implementation of hundreds of security controls and having that evidence assessed by an independent third-party assessment organization (3PAO).

FedRAMP was established in 2011 to provide a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services used by the federal government. It allows federal agencies to adopt modern cloud technologies while ensuring the confidentiality, integrity and availability of federal information stored and processed in the cloud. Note that FedRAMP does not issue certifications: a cloud service offering receives an authorization, either an agency Authorization to Operate (ATO) or a program-level Provisional ATO (P-ATO), and must then keep it through continuous monitoring.

At the state and local level, StateRAMP, a nonprofit organization, pursues the same goal: reducing confusion and raising cloud cybersecurity and compliance by establishing a State Risk and Authorization Management Program modeled on FedRAMP. Its controls are drawn from the same NIST SP 800-53 catalog, so a provider that has already done FedRAMP work can reuse much of it. Cloud service providers serving manufacturing, retail, healthcare, finance and other industry verticals can use the FedRAMP and StateRAMP programs to demonstrate their security posture and become eligible to work in partnership with government entities.

California and Texas are among the states that have engaged with StateRAMP and its guiding protocols. Texas also runs its own lighter-weight program modeled on FedRAMP, the Texas Risk and Authorization Management Program (TX-RAMP), which a dozen other states now look to as a guide.

StateRAMP is a coalition of stakeholders who support strong, standardized cybersecurity for IaaS, PaaS and SaaS. It offers a thorough security authorization process to help companies and state and local governments identify risks and find mitigating actions, ultimately enhancing trust and security when working with cloud providers.

The StateRAMP authorization process may seem complicated, but it can be straightforward. It begins with basic onboarding information, a checklist to get started, and comprehensive information about the conditions for verifying StateRAMP compliance.


Cutting through the complexity

In states that require it, a software vendor without an authorization cannot contract with state agencies for in-scope cloud services. Compliance with the applicable laws and standards is therefore essential for any business that wants to offer its services to government entities, but closing the gap between federal and state standards is easier than you think.

Texas state agencies may only enter or renew a cloud services contract when the vendor's offering holds a TX-RAMP certification (TX-RAMP, unlike FedRAMP and StateRAMP, does use the term certification). TX-RAMP sets a standardized approach to security assessment, authorization and monitoring, and it offers reciprocity for offerings that already hold a StateRAMP or FedRAMP authorization, which helps vendors save time and resources by reusing work they have already done.


Here are four key things to keep in mind as you bridge the gap and seek federal and state certifications:

  1. The most common mistake is failing to identify and assess every item the applicable baseline requires. Inventory the controls in the baseline you are targeting (Low, Moderate or High) and map each one to an owner, an implementation and the evidence that proves it before the assessment starts.
  2. Conversely, some companies go too broad. Defining the authorization boundary precisely, that is, which systems, data flows and components are in scope, makes compliance simpler to achieve and easier to describe to assessors in the System Security Plan.
  3. Knowledge management around compliance is critical. Poor communication of compliance requirements can cause a project to fail, so key personnel must understand both that compliance is required and what meeting it entails. Underestimating the complexity of compliance leads to missed deadlines, budget overruns and projects that do not meet requirements.
  4. Finally, compliance is an ongoing process that requires continuous effort. FedRAMP, StateRAMP and TX-RAMP all require continuous monitoring after authorization, including regular vulnerability scanning, tracking of Plan of Action and Milestones (POA&M) items and periodic reassessment, and the baselines and regulations themselves change, so stay up to date and adapt accordingly.

Typically, a vendor needs 18 to 36 months and $2 million to $4 million to receive an Authorization to Operate (ATO) from a federal agency, with follow-on annual costs of approximately $750,000 to maintain it. With a partner focused on expediting the compliance steps, a vendor can achieve and maintain a multi-agency ATO in 9 to 12 months at a cost roughly 30% lower.


Get started with FedRAMP, StateRAMP and TX-RAMP

Prepare now to meet all federal and state requirements for conducting business with government. Consider using a third-party partner that brings a proactive approach to the authorization requirements. A partner can guide and support a company through the process and often make a provisional authorization possible within a year, which reduces cost and limits lost revenue while the process is under way.

Begin today to bridge the gap between state and federal standards and secure FedRAMP and StateRAMP authorizations so you can rapidly provide cloud-based services to government agencies. Doing so expedites your access to the government agency market, improves performance, reliability, scalability and flexibility, and enhances security.



About the Authors

Jason Wicker

Chief Architect, Government Solutions


With more than 25 years in the enterprise IT world, Jason has had a successful career as a leader managing complex strategic alliances and high-performing teams, consistently innovating, strategizing and executing to generate long-term growth in the Fortune 500 and the public sector. Jason has worked for all the major players in the space, including Getronics, Rackspace Technology, EMC, VMware and IBM. With a drive for mentoring and bringing value to customers and partners, Jason has led and contributed to many critical projects over his career. His first major enterprise project was designing and overseeing the security integration of British Petroleum when it acquired Amoco (7,500 users) and later ARCO (4,000 users) for North and South America. At EMC and VMware, he helped design, service, sell and support the enterprise tooling suite that later became VMware's vCenter Operations. Most recently Jason has been designing and driving the Public Cloud Manager offering for the State of Texas, with more than two hundred cloud properties under a single management plane across four cloud providers and twenty-six agencies. In his current role as Chief Architect for Government, Jason is responsible for driving Rackspace Technology's technological innovations and business solutions across the public sector line of business. He is highly motivated and results oriented, with a track record of building lasting relationships with key stakeholders and executives. Working as a partner with his clients, Jason creates and drives close plans aligned with clients' priorities so they can achieve their business objectives. He has expertise in enterprise software design, process and architecture, delivering in the areas of business management, cost transparency, hybrid cloud platforms, SaaS, eDiscovery, security, operations, automation, software-defined data center and orchestration.
Most recently Jason has joined Rackspace's FAIR initiative for ethical and responsible AI. The Foundry for Generative AI by Rackspace (FAIR) is an approach to accelerating the responsible and sustainable adoption of generative AI solutions across industries.
