AWS Public Sector Blog

StateRAMP on AWS

StateRAMP on AWS

What do Amazon Web Services (AWS) public sector customers need to know about the State Risk and Authorization Management Program (StateRAMP) and how can you use AWS to help meeting StateRAMP requirements? In this blog post, learn a quick recap on what StateRAMP is and how it differs from the similar Federal Risk and Authorization Management Program (FedRAMP).

What is StateRAMP?

Launched in 2020, StateRAMP was designed by its board of directors to support state entities that want to leverage cloud-based services in a secure way. Like FedRAMP, the goal of StateRAMP is to help state agencies use a single assessment to validate the viability of a solution for use across their enterprise. Instead of each entity performing their own assessment, the state can leverage a single authorization to operate (ATO).

How is StateRAMP different than FedRAMP?

StateRAMP is organized as a 501c(6) nonprofit and is governed by a board of directors. In contrast, FedRAMP is made up of two authorization models, an authorization agency through which an individual Federal agency can authorize a cloud service offering and the Joint Authorization Board (JAB), which is composed of the chief information officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS), and the General Services Administration (GSA).

In both StateRAMP and FedRAMP there is a “Ready Status.” This allows a cloud service or solution to be listed in the StateRAMP or FedRAMP market place, signaling a company’s ability to get an authorization to potential customers. StateRAMP Ready statuses do not expire, and cloud service providers (CSPs) do not have to have a contract with governments to receive a Ready or Authorized status. With FedRAMP, providers only have 12 months once they achieve Ready to find an agency sponsor to become authorized before having to restart the process.

Another difference between StateRAMP and FedRAMP relates to boundary guidance. In both programs, your workload is authorized based on the totality of the solution, not just the core features. That means what is in scope for the authorization are all the components like software-as-a-service (SasS), external identity providers, and other sources that are part of your environment.

StateRAMP offers a provisional status for cloud offerings that rely on solutions which have not yet achieved a StateRAMP or FedRAMP Authorization, so long as the suppliers complete a StateRAMP Security Snapshot for the solution to make visible the strengths and risks of the cyber posture. In contrast, in FedRAMP, if a solution leveraged a third-party as part of the solution that does not also have a FedRAMP authorization, agencies likely would not be able to leverage that solution.

How does AWS help customers meet StateRAMP requirements?

As with FedRAMP, AWS can help agencies design their solutions to align to StateRAMP requirements in the following areas:

Control mapping

In both StateRAMP and FedRAMP, the number of controls that are applicable are based on the impact level of the system. These impact levels are based on the data classification that the CSO offering will be supporting. The impact level is based on National Institute of Standards and Technology (NIST) 800-60r1, which outlines how to map information and information systems to various security categories. This maps the data to classification levels such as Low, for data generally considered to be public data; Moderate, for data generally considered sensitive data; and High, for data generally considered to affect national security. StateRAMP assumes that state and local government data will likely be at the Moderate impact level.

Slightly different than FedRAMP, StateRAMP categorizes its impact levels as:

  • Low
  • Low +
  • Moderate
  • High

The difference between Low and Low+ is that Low+ includes additional Moderate Impact controls for added security.

StateRAMP controls are based on NIST 800-53 controls, similar to how FedRAMP works. In June 2023, StateRAMP updated their security baselines to align with 800-53 revision 5 (R5). Likewise, FedRAMP also uses NIST 800-53r5 now as well, which added new areas such as privacy and software bill of material (SBOM) requirements. In preparation for a third-party assessment of your cloud-based environment and assets, agencies should know how their solutions measure up against these controls. AWS has several solutions that can help customers establish their alignment with NIST 800-53r5 controls.

First, AWS Config, a service that continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds, offers a conformance pack for NIST 800-53r5. A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account and an AWS Region or across an organization in AWS Organizations. Using a conformance pack can take the guess work out of mapping controls to AWS features and services. While AWS Config does not provide coverage for 100% of controls in an application’s environment, it can reduce the effort needed to verify alignment to desired security controls. Using this conformance pack can help automate some of the checks that are performed as part of a control. For example, in the case of a NIST 800-53 access control requirement like AC-2(1), the AWS Conformance pack for NIST 800-53R5 provides customers with several different ways to measure their compliance.

Next, agencies can use AWS Security Hub, which aligns to the NIST 800-53r5 standard, to also assist with benchmarking the account against NIST 800-53. Security Hub can aggregate the data from AWS security services into a single dashboard. Agencies using AWS security services like Amazon GuardDuty or Amazon Detective, along with many others, can benefit from using Security Hub to enable a single source of aggregated service information.

AWS also provides documentation within AWS Artifact, a central resource for compliance-related information available in the AWS Management Console. In AWS Artifact, customers can find the FedRAMP Customer Package and the AWS Customer Compliance guides (CCG). The FedRAMP Customer package contains documents like the customer responsibility matrix, the control implementation summary, digital identity worksheet, Federal Information Processing Standard (FIPS) 199, privacy threshold analysis and privacy impact analysis, executive briefing, and the annual assessment approval letter. The Customer Compliance Guides provide detailed information on a service by service basis on how to meet compliance requirements using the shared responsibility model.

Logging and monitoring

For ongoing assessment of cloud environments, for example as part of a continuous monitoring program (ConMon), agencies can use AWS Audit Manager to deploy the NIST 800-53r5 framework in Audit Manager to not only track compliance adherence, but also to generate reports that can be used by an assessor to demonstrate ongoing compliance.

In compliance frameworks like StateRAMP, emphasis is placed not only on the security of the environment, but also on the logging and monitoring infrastructure. Services like AWS CloudTrail allow customers to capture API activity in their account and services like AWS CloudWatch allow customers to observe and monitor resources and applications on AWS, on premises, and on other clouds. AWS offers customers the flexibility to choose to run monitoring on AWS native services like the Amazon OpenSearch Service, which makes it simple to perform interactive log analytics, real-time application monitoring, website search, and more. Customers can also seamlessly integrate with premier logging solution partners that make getting log data in and out of AWS simple.

Patching and compliance reporting

Patching is an essential function of security operations and and is required in many of the StateRAMP controls found in NIST 800-53r5. Customers can leverage Patch Manager, a capability of AWS Systems Manager, which automates the process of patching managed nodes with both security-related updates and other types of updates.

Patch Manager can apply patches for both operating systems and applications. After a patching operation, agencies can use the Systems Manager console to view information about which of their managed nodes are out of patch compliance, and which patches are missing from each of those nodes. Agencies can also generate patch compliance reports in .csv format, which are sent to an Amazon Simple Storage Service (Amazon S3) bucket of their choice. Agencies can generate one-time reports, or generate reports on a regular schedule. For a single managed node, reports include details of all patches for the node. For a report on all managed nodes, only a summary of how many patches are missing is provided. All of this is available through AWS Organizations at scale.

Account governance

Customers are leveraging AWS accounts as the application or program separation point instead of legacy designs that relied only on network segmentation. With multiple accounts to monitor and maintain, customers can leverage any of the multiple solutions to enforce a consistent set of governance and policies across all the services. AWS Control Tower helps customers automate the deployment of a landing zone deployment pattern. AWS Control Tower is built on top of AWS Organizations, which allows customers to group accounts and centralize billing. For customers that need more granular control across multi-account environments, the Landing Zone Accelerator on AWS provides further control and enforcement based on standards like FedRAMP High or DoD Cybersecurity Maturity Model Certification (CMMC).

Each of these solutions can enable customers to use AWS Organizational features like service control policies and control a number of supporting services centrally. This helps customers deploy a consistent and repeatable set of account configurations across their organizational accounts.

AWS provides customers prescriptive guidance on how to properly architect and deploy your workload and accounts with the AWS Well-Architected Tool which builds on the AWS Well-Architected Framework. The Well Architected Framework also includes specific lenses on topics like Best practices for designing and delivering government services on AWS.

Security of the cloud

At AWS, security is the top priority. That’s why AWS built the AWS Nitro System, the underlying platform for the next generation of Amazon Elastic Compute Cloud (Amazon EC2) instances that enable AWS to innovate faster, further reduce cost for our customers, and deliver added benefits like increased security and new instance types. Nitro System-based infrastructure allows customers to deploy some of the most sensitive workloads.

StateRAMP customers can build on top of AWS Nitro-based infrastructure for stronger customer data protection, as well as to leverage confidential compute capabilities like AWS Nitro Enclaves, which allow for isolated compute environments and can benefit organizations that need to process personally identifiable information (PII), as well as healthcare, financial, and intellectual property data within their compute instances.

A recent blog post described how the AWS Nitro Systems were independently audited for affirmation of its confidential compute capabilities.

Conclusion

Customers can use AWS to develop solutions that support StateRAMP and FedRAMP authorization. Customers that need help architecting their StateRAMP solution can work with their AWS account team and solution architects, or leverage a security and compliance specialist from the AWS Public Sector. If you have never worked with your account team, you can fill out this intake form.

Customers that are looking for partner solutions that can help them achieve their ATO can also leverage the Global Security and Compliance accelerator program to find the right partner solution for your application.

Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.

Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.

Brad Dispensa

Brad Dispensa

Brad is a principal security specialist solutions architect for the public sector at Amazon Web Services (AWS).

Alex Corley

Alex Corley

Alex is a senior solutions architect at Amazon Web Services (AWS). He has worked to help the great state of Texas for over eight years as different agencies mature at different rates and for different needs as they move to the cloud. Daily, he helps provide strategic advice for future scale and possibilities along with prescriptive technical guidance in the short term. In addition he is also a security and compliance subject matter expert (SME) with deep experience across many different compliance regimes.

Brian Stucker

Brian Stucker

Brian Stucker is a senior solution architect and specializes in security and compliance within Amazon Web Services (AWS) worldwide public sector (WWPS). He has over 18 years of experience in infrastructure security and leadership, with a passion for problem solving and doing more with less. Outside of work he enjoys spending time with his family and traveling.­­

Ted Steffan

Ted Steffan

Ted Steffan is the head of federal compliance acceleration at Amazon Web Services (AWS). He joined AWS in 2016 as the Department of Defense (DoD) compliance architect where he led the effort to achieve the initial accreditation for AWS GovCloud (US) at DoD Cloud Computing Security Requirements Guide Impact Levels 4 & 5. In 2017 he moved into the role of a security partner strategist where he helped AWS’s security and compliance partners develop security solutions that run on AWS. Ted is a co-creator of the Authority to Operate (ATO) on AWS program that helps accelerate AWS Partners through the process of building and certifying regulated workloads running on AWS. He now leads a team that is responsible for federal compliance acceleration for the government regions team. Here he drives the priority of services that go through the FedRAMP authorization process as well as eliminating blockers to adoption. Ted also sits on the Cyber-AB Industry Advisory Group focused on shaping the emerging Cybersecurity Maturity Model Certification (CMMC) program.