Connecting state and local government leaders
Collaboration among states to tighten the security of cloud software is increasing under the nationwide program StateRAMP. Meanwhile, Texas is embracing its own certification effort after several high-profile cyber incidents.
Three years ago this month, 22 Texas municipalities were hit by a ransomware attack. A Russian-based hacker group crippled the cities’ systems and then demanded a ransom.
Shortly after that incident, the home addresses of some undercover police officers operating in the state were leaked, putting them in potential danger. The breaches emboldened state lawmakers to do something to strengthen Texas’ cybersecurity.
That led to sweeping legislation in 2021, which put in place several new programs at the state’s Department of Information Resources, including one to establish a state risk and authorization management program that provides “a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency.”
Known as TX-RAMP, the initiative is modeled after federal and state risk and authorization management programs, which are both designed to help government agencies do business with cloud providers authorized to offer secure services by ensuring they adhere to standardized security requirements.
Under the legislation, Texas had just five months to stand up the program, and existing cloud software providers had only an additional month to comply with the state’s new requirements. Texas Chief Information Security Officer Nancy Rainosek said the program “borrowed, or stole, a lot from the other RAMP organizations.” TX-RAMP has reciprocity with StateRAMP and FedRAMP, so if a company is certified by one of those programs, it is easier to be certified in Texas.
“We're not asking companies to do any more than we require of our state agencies,” Rainosek said during a panel discussion at Carahsoft’s FedRAMP Summit this week. “It was done very quickly, and so it continues to evolve over time.”
In the meantime, staff are trying to make the certification process more efficient, so it’s “not as big of a burden on the vendor,” Rainosek added.
It is early days for these state-level programs, which come as breaches, particularly via provider software, proliferate. Governments are still reeling from the fallout of the MOVEit hack.
StateRamp launched in 2020, a year before the Texas Legislature established TX-RAMP. StateRAMP’s Executive Director Leah McGrath said at the summit that the organization is getting “stronger.” It recently welcomed its second round of committee members and so has transitioned into its “second generation,” she said.
Plenty of challenges lie ahead for state and local governments as they look to tighten their security, especially given the sheer number of them throughout the U.S. Ted Cotterill, Indiana’s chief privacy officer and StateRAMP’s secretary-treasurer, said his state alone has around 3,000 units of government, making it difficult to get everyone on the same page.
McGrath and Cotterill said StateRAMP has sample standards, policies, and terms and conditions for governments of all sizes to draw from and plan to go deeper through partnerships with the likes of the National Association of State Procurement Officials to build out those resources. Cotterill said those efforts can help “start to turn the ship slowly” towards more secure cloud services.
“For a unit of government that doesn't know how to get started in the cloud, just having a contract for the public to use as a starting point for those negotiations is really beneficial,” he said.
“That's really what's the joy for me, being a part of StateRAMP, is being able to bring everyone together and say, ‘Let's hear all the voices, let's find where there's commonality here, let's find where we have that shared vision or understanding of standards,’” McGrath said.
By embracing committees, working groups, task forces and other partnerships, McGrath said cross-state collaboration through StateRAMP can help ensure higher cybersecurity standards across the board and make it easier for states to get there, “rather than having to climb that mountain, one at a time.”