How StateRAMP Helps Mitigate Supply Chain Risk

One of the largest obstacles companies face today is IT supply chain risk. The recent attack on Kaseya emphasizes the need for security among third party vendors.

According to the NIST 800-53 Revision 5 standards, supply chain risk management is defined as “a systematic process for managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risks presented by the supplier, the supplied products and services, or the supply chain.” Having an unsecure supply chain exposes a company’s entire system to vulnerabilities. For example, in the SolarWinds breach, the attackers were able to access all their customers because they compromised a widely used piece of SolarWinds software.

Noah Brown, StateRAMP PMO Director, says, “StateRAMP encourages transparency into where data is stored and the flow of data between systems and suppliers.” To receive a StateRAMP security status, providers are required to submit a boundary diagram of their cloud offering. The diagram is a blueprint of their system showing data traffic flow and connections between the cloud system and other IT suppliers. Like FedRAMP, StateRAMP leverages a third-party assessor to conduct an independent audit. The auditor examines the boundary diagram and conducts penetration testing to validate the blueprint’s accuracy. These blueprints give state and local governments a clear understanding of a system’s security strength. If there is a leak in the system, it will be identified in the audit conducted by the third party assessor and corrected before a StateRAMP security verification is given.

StateRAMP’s continuous monitoring process goes beyond a single moment-in-time snapshot of the system. To maintain a StateRAMP security status, providers must comply with continuous monitoring requirements that include vulnerability scans. If anything changes in the system, state and local agencies will be notified and can act quickly to mitigate the risk. In addition to continuous monitoring, providers are required to submit an annual independent audit of their systems to renew their StateRAMP security status.

Cybersecurity is a shared responsibility between users and suppliers. Our risk awareness and cyber infrastructure must evolve to protect against ever growing threats through ongoing evaluation of security verification requirements and continuous monitoring. Bringing users and providers together to support, promote, and develop cybersecurity initiatives gives us our best chance at strengthening cybersecurity for state and local governments.

If you are interested in speaking with someone from StateRAMP, email info@stateramp.org or visit www.stateramp.org/events to register to attend a webinar or event.