Exclusive: StateRAMP to rebrand later this year

The voluntary program will be rebranded as “GovRAMP” to better reflect that its offerings can be used by local governments, educational institutions and others, the organization’s executive director told Route Fifty.
The nationwide nonprofit that authorizes cloud service cybersecurity for state government use will rebrand later this year, the group’s executive director exclusively told Route Fifty this week.
The State Risk and Authorization Management Program, known as StateRAMP, will rebrand itself to “GovRAMP” to better reflect that the voluntary program can be used by local governments, educational institutions, hospitals and others, Leah McGrath said. An official announcement of the rebrand, which the board approved in December, is expected this month.
McGrath said the shift in branding reflects the growing emphasis on whole-of-state cybersecurity approaches, where all levels of government share information and best practices while recognizing that a threat against one is a threat against all. StateRAMP and GovRAMP will continue to be used “interchangeably,” McGrath said, to reflect that some states use the original name in various policies, laws and documents.
“Almost as soon as we launched StateRAMP, we started hearing from local governments, K-12 schools and higher education, and they said, ‘We really love this. Is this something we can do?’” McGrath told Route Fifty in an interview. “The name StateRAMP felt limiting for them, and so we've had conversations about, ‘how can we improve that communication, especially as we're working more deeply with some of our participating states on whole-of-state initiatives? How do we make sure that people know that this is something they can leverage across all the different levels of government and public sector?’”
The rebrand marks another chapter in a busy time for StateRAMP, which is used in 27 states to authorize cloud services state governments can use to ensure they satisfy standardized security requirements. It also has inspired several state-level equivalents, like Texas’ TX-RAMP, which the state stood up in just five months.
One of its biggest recent initiatives has been around cyber framework harmonization, which streamlines the patchwork of rules and guidelines issued by various government agencies that businesses and the public sector must then comply with. Federal regulations on cybersecurity are set by myriad agencies, which all have different auditing requirements and a web of standards to follow that sometimes vary.
It's something lawmakers have tried to make progress on as well. For state and local leaders, cyber requirements can be “painful,” but McGrath said that “when something is painful enough, people are willing to give time to fix it.”
“We go where the pain is the greatest, and we hear that this is painful,” she continued. “The other way that we tackle this is to not recreate the wheel. We don't want to recreate the wheel, and we don't want to create a project just to create a project. We want to solve problems, and we know there are many people out there trying to solve this problem, so let's just come together. One of the things that we do well is serve as a facilitator, and through that facilitation, identify big wins and small wins that help solve the problem and make it a little better.”
It may be that cyber frameworks are never truly harmonized, given the “uniqueness” that exists in individual jurisdictions, agencies, contracts or data, McGrath said. Getting most of the way there, though, will make things more “manageable,” she added.
It’s been a similar story for StateRAMP’s task force that focuses on boosting cloud security within the criminal justice sector to align with the Federal Bureau of Investigation’s Criminal Justice Information Services. As with framework harmonization, McGrath said that task force contains state and local representatives as well as industry leaders to “align around the unique definitions or parameters that are required by the FBI,” then align that to StateRAMP’s requirements.
“Every one of our members has their own mapping that they've done to all these various requirements, so what we really tried to do is facilitate the conversation so we can all come around common mapping and understanding,” McGrath added.
StateRAMP enjoys a synergistic relationship with its federal equivalent — the Federal Risk and Authorization Management Program, or FedRAMP — that is operated by the General Services Administration. The future of that agency’s tech shop appears somewhat uncertain, however, and so may throw into doubt how much more collaboration there could be between the federal government and the states.
But McGrath said she remains optimistic about the future, as disruption at the federal level may mean it is a “good time to have a conversation on federal cyber regulations and how we make that better.”
“Sometimes when there's a lot of disruption, change becomes less daunting because change is inevitable,” she added.