Coalfire ramps up for StateRAMP — What you need to know…

Jason Oksenhendler, Director, FedRAMP Advisory Services, Coalfire

There has been a lot of buzz during the past year or so about StateRAMP (SR). SR grew out of an effort to help state and local governments efficiently and effectively verify cybersecurity and manage third-party risk. SR is a 501(c)(6) non-profit, membership-based organization based in Indiana; after April 1st, cloud service provider (vendor) memberships and assessments will begin. Here is an FAQ we put together on StateRAMP.

Q: Is Coalfire an authorized StateRAMP 3PAO?
A: Yes. As of February 5, 2021, StateRAMP successfully verified our accreditation status.

Q: How will Coalfire be involved in StateRAMP?
A: Coalfire will be involved in offering StateRAMP Advisory and Assessment Services for cloud service providers (vendors) seeking StateRAMP Authority to Operate (ATO).

Q: If Coalfire conducted a FedRAMP Assessment of our system and it received an ATO, does it automatically become StateRAMP authorized?
A: No. To use a FedRAMP ATO to achieve StateRAMP reciprocity, a CSP must submit the following to the StateRAMP PMO:

  • FedRAMP Ready status, FedRAMP ATO, or FedRAMP P-ATO
  • FedRAMP-approved security documentation package
  • Prior 90 days of continuous monitoring

Q: What kind of services will Coalfire offer?
A: As StateRAMP evolves, Coalfire’s offerings will evolve with the program. For CSPs embarking on their SR journey, Coalfire will offer:

  • StateRAMP workshops
  • StateRAMP readiness/gap analyses
  • StateRAMP documentation development
  • StateRAMP security control assessments
  • StateRAMP advisory hours

Q: What type of deliverables will Coalfire prepare?
A: Although the StateRAMP templates haven’t been published as of this writing, we expect documents similar to FedRAMP, such as a security plan, policies & procedures, contingency plan, incident response plan, etc.

Q: Will the fees for StateRAMP membership be separate from Coalfire’s fees?
A: Yes. The fees associated with StateRAMP are separate from the fees for Coalfire’s services. Because StateRAMP’s cost model is provider-funded, there are costs for providers (CSPs):

  • $500 – Membership, annual, paid by organization
  • $2,500 – Ready review conducted by StateRAMP PMO to verify requirements for ready status
  • $5,000 – Authorization review conducted by the StateRAMP PMO to verify requirements for authorization status
  • $5,000 – Annual fee for continuous monitoring to verify that requirements continue to be met on an ongoing basis

For additional StateRAMP information and resources, please visit stateramp.org, or reach out to 3PAO@coalfire.com.
