The Service Provider’s Guide to Strengthening Security Posture

The State Risk and Authorization Management Program (StateRAMP) was established in 2020 as a tool for State, Local, and Education (SLED) organizations to ensure that their contractors have the processes and capabilities necessary to meet state and local government policy requirements. It also helps service providers to improve their cybersecurity and security posture.

Service providers in StateRAMP are not legally required or mandated to work with the public sector. However, SLED organizations may require service providers to obtain a StateRAMP security status to do business together. The program already engages nearly three dozen states, local government agencies, and public education institutions. 

Providers and their products must meet StateRAMP’s security requirements to earn certification and placement on the StateRAMP Authorized Product List (APL). Earning StateRAMP authorization and making it onto the APL helps open doors to new business opportunities within the public sector. It conveys a deep commitment to providers’ cybersecurity practices as they strengthen and maintain their security posture.

The authorization process and adherence to StateRAMP requirements ensure providers and their products have a robust security foundation, reducing vulnerabilities and enhancing overall cybersecurity. StateRAMP’s security reviews and the work of third-party assessment organizations (3PAO) help identify and mitigate potential risks in a service provider’s offerings. By addressing any revealed risks or vulnerabilities and maintaining StateRAMP’s required ongoing monitoring, providers stay vigilant and enhance the overall security posture of their products or services.

While exact StateRAMP requirements may differ based on the specific level of authorization sought among other variables, the following areas of emphasis include some of the common security measures service providers may need to implement:

Access Controls

• • • Implement and enforce strong user authentication mechanisms.
    • Restrict access to organizational systems and sensitive data based on users’ roles and responsibilities. 
    • Monitor and log all user activity to detect and respond to any unauthorized system or network access.

Data Protection

• Encrypt sensitive or proprietary data at rest, in transit, and during processing.
• Implement processes and mechanisms to ensure data integrity and prevent unauthorized tampering or modifications.

Network Security and Vulnerability Management

• Implement firewalls, intrusion prevention and detection systems, and cybersecurity infrastructure tools to protect your network and systems.
• Regularly conduct comprehensive scans and assess all network systems for potential vulnerabilities.
• Segregate network components to reduce the impact of any potential security breaches. 
• Develop and implement patch management and incident response processes to address vulnerabilities appropriately and on time.

Security Training and Awareness

• Provide thorough and engaging cybersecurity training for all employees, including non-technical personnel, to increase awareness of security threats, essential policies, and best practices.

Ongoing Monitoring and Compliance 

• Implement continuous monitoring and reporting processes to detect and respond to real-time security incidents or threats.
• Maintain detailed documentation that demonstrates thorough ongoing compliance with StateRAMP security requirements.
• Regularly provide evidence of continuous improvement efforts through assessments, security screenings, and audits.

Being included on the StateRAMP Authorized Product List can serve as a distinct competitive advantage when bidding for state or local government contracts. Demonstrating that your offerings have undergone rigorous security evaluation processes can also significantly boost trust and credibility with government agencies and potential customers. The six unique, verified security statuses recognized on the StateRAMP APL follow.

• Authorized: Service providers with a StateRAMP Authorized status have completed all security and system validation, and the provider’s sponsoring government partner has accepted the provider’s completed security package. Authorized is the highest StateRAMP authorization level for products demonstrating compliance with all required security controls by impact level.

• Ready: Providers and products recognized as Ready meet StateRAMP’s minimum requirements but lack additional security and system validation.

• Provisional: A provider or product applying for Authorized status may be assigned Provisional status by their sponsoring government partner or the approvals committee if their security package meets most, but not all, requirements. Providers with a Provisional status must comply with continuous monitoring and submit further documentation to obtain Authorized status.

StateRAMP also recognizes offerings that are in the process of working toward a verified status. Providers must engage with a 3PAO to have their products listed as in progress. The three progressing statuses include:

• Active: Providers and products with an Active designation are working toward StateRAMP Ready status.
• In Process: The In Process status is applied to products and providers working toward achieving verified StateRAMP Authorized status.
• Pending: Providers and products designated as Pending have submitted a security package to the StateRAMP program management office (PMO) and are awaiting a determination for a verified status.
  

FedRAMP is a government-wide program that promotes adopting cloud services across federal agencies while ensuring providers meet the stringent cybersecurity requirements necessary at a national level. 

For providers with an existing contract or aspirations of earning work with federal-level agencies and organizations, FedRAMP represents both a mandatory requirement and a powerful business enhancement tool. The comprehensive and rigorous FedRAMP authorization process can significantly improve and strengthen an organization’s cybersecurity and security posture. 

StateRAMP and FedRAMP standards share some similarities and or complementary overlapping requirements. Many FedRAMP requirements are natural, next-level progressions and advancements of standards achieved through StateRAMP—so much so that providers with existing or in-progress federal authorizations are eligible for StateRAMP’s Fast Track process.

Meeting FedRAMP standards requires a commitment to continuous improvement and adherence to best practices in cybersecurity. The process encourages organizations to enhance their security policies, procedures, and technical controls, fostering a culture of security and resilience. Achieving FedRAMP authorization not only demonstrates compliance with federal security standards but also provides a competitive advantage in the government contracting space.

Enhancements, improvements, and additions of security measures across the following areas are some of the most common types of actions providers must take to meet FedRAMP’s mandates:

• Digital and Physical Access Controls

• Adopt advanced user authentication processes and mechanisms requiring the use of multi-factor authentication (MFA), secure password managers, or similar tools.
• Enforce role-based access controls and adhere to the principle of least privilege to ensure users only receive the minimum necessary access and permissions to perform their individual duties.
• Implement robust physical security controls, restricting individuals’ access to sensitive areas such as data centers, servers, and other critical infrastructure.

• Data Encryption and Supply Chain Security

• Employ state-of-the-art encryption on all organization data at rest, in transit, and during procession to ensure advanced protection of sensitive customer information, proprietary data, or trade secrets.
• Develop ironclad measures and mechanisms to manage and protect data encryption keys securely.
• As you conduct business and grant access to or send data across your supply chain, ensure that third-party suppliers, sub-contractors, and vendors adhere to encryption and security requirements.

• Incident Response, Reporting, and Recovery 

• Establish and maintain a cyber incident response plan outlining procedures for identifying, responding to, and recovering from cybersecurity incidents.
• Develop processes for promptly reporting cyberattacks, data breaches, and other security incidents to the appropriate local or federal authorities.

• Network Security and Configurations

• Deploy firewalls, intrusion detection and prevention systems, and other advanced network security controls to ensure against unauthorized or malicious access.
• Implement a robust configuration management process to control and track changes to network systems. 
• Apply secure configuration settings to hardware, software, and network components.

• Continuous Compliance, Monitoring, and Training
  • Ensure continued compliance with FedRAMP security requirements through thoroughly maintained and organized documentation.
  • Maintain ongoing monitoring processes that regularly review and audit internal security controls and provide real-time threat alerts.
  • Continue to teach best practices and develop personnel through comprehensive cybersecurity training and security awareness programs. 

FedRAMP represents an opportunity for service providers to reach a new tier of potential customers and global impact. It also requires an enhanced commitment to security posture by providers who can reliably meet the levels of service and security mandated by federal government contracts. The FedRAMP PMO gives providers one of three official FedRAMP designations: Ready, In Process, or Authorized.

• Ready: The FedRAMP Ready designation indicates that a recognized 3PAO attests to the provider’s security capabilities and that the PMO has reviewed and accepted a readiness assessment report (RAR). The provider’s RAR documents their offering’s system information, compliance with federal mandates, and ability to meet FedRAMP security requirements. Designated as FedRAMP Ready means a provider has expressed interest in becoming a federal agency partner while sharing information indicating they can meet several baseline FedRAMP criteria.
• In Process: This designation applies to providers that are actively making progress working toward FedRAMP authorization—either with a sponsoring federal agency that expresses interest in using the provider’s product or through the joint authorization board (JAB) process.
• Authorized: The FedRAMP Authorized designation is reserved for providers that have successfully completed the FedRAMP authorization process with a sponsoring federal agency or the JAB. Being designated FedRAMP Authorized indicates all FedRAMP requirements have been met, and a provider’s security package is available for agency reuse across the federal level.

The COVID-19 pandemic instigated a “Great Resignation” across industries, and cybersecurity wasn’t immune to its effects. Many in-demand professionals discovered their skills were more valued elsewhere, while some discovered exponentially expanded remote work possibilities, and others burned out of the profession entirely.

The worldwide cybersecurity workforce has grown nearly 9% from 2022 to almost 5.5 million professionals, according to the International Information System Security Certification Consortium’s (ISC2) 2023 Cybersecurity Workforce Study. However, the global workforce gap is growing even faster. That’s good news for aspiring security professionals entering an industry in need but an additional challenge for organizations’ recruitment and human resources leaders.

As new technologies and evolving threats boost cyber risk faster than most security teams can handle, organizations can play their part in reducing talent shortages using a unique human-centric framework.

In its research and report titled “The Changing Faces of Cybersecurity: Closing the Cyber Risk Gap,” Deloitte examines Canada’s evolving cybersecurity workforce and develops a new cyber talent framework to tackle the skills shortage through a human-centric lens. Deloitte’s model centers around seven distinct personas—Advisor, Defender, Firefighter, Hacker, Scientist, Sleuth, and Strategist. Each role has unique talents, capabilities, knowledge, and skills.

In this approach, broad, transferable capabilities across tasks and work environments take priority over specific skill sets and abstracted knowledge lists. Instead of focusing hiring and training efforts around narrow technical knowledge or specific skills (which are certainly still important), the report determines organizations are better served thinking in terms of broad personas and uncovering professionals with sustainable capabilities portable across different roles and responsibilities. Every service provider is responsible for addressing cyber talent gap challenges and building a stronger future cybersecurity workforce. Educating young people about cybersecurity and a focus on STEM (science, technology, engineering, and math) education is one way to build interest in STEM- or cyber-related career paths.  

Many different skill sets and backgrounds are needed, however, including from non-STEM backgrounds, and there are many ways organizations can innovatively expand their available talent:

• Consider People in Traditional IT Roles: Many cybersecurity professionals begin their careers in other areas of information technology. The technical skills gained in other traditional IT roles are near-universally transferable assets to cybersecurity. As emerging technologies such as artificial intelligence, machine learning, automation, and cloud services continue to gain influence in the industry, traditional IT staff could become less in demand than cybersecurity-minded professionals with a valuable combination of analytical capabilities and soft skills such as critical thinking, problem-solving, communication, and other non-technical skills.

• Embrace Diverse Career-Shifters: Today’s working professionals rarely remain in one industry their entire careers. Candidates transitioning out of business operations or other fields will require technical training, but those eager to learn and comfortable in a fast-paced environment often adapt and excel quickly. Taking advantage of mid-career shifters’ skills, capabilities, and experience can help organizations add valuable diversity and maturity to their teams.

• Tap Into Other Non-Traditional Talent Sources: Expand your cybersecurity recruitment pipeline to alternative and previously untapped sources of new talent. Engaging with business administration, political science, risk management, and legal program graduates can provide a deeper early, initial pool of candidates with desirable critical thinking, quantitative, and leadership skills. Veterans’ programs can become another valuable source for meeting experienced individuals with some technical background and non-traditional education. Hiring based on candidates’ potential and learning ability instead of purely technical skill sets can help infuse an attitude of constant self-improvement into your company culture.

3 Tips for Acquiring Cybersecurity Talent

Organizations seeking skilled cybersecurity talent may need to refine their recruitment and hiring strategies. To stand out among crowded job boards and retain staff for long-term continuity that contributes to a stronger cybersecurity posture, Security Intelligence suggests three tips on hiring amid today’s workforce landscape.

1. Relax Requirements on New or Entry-Level Roles
   Passionate, highly capable cybersecurity professionals may be eager to work for an organization like yours; however, if they aren’t given a chance based on missing a certification or two that, in a perfect world, you wished they already possessed, you could be missing out on a major, potentially organization-changing asset. While some roles must maintain advanced requirements based on heightened security responsibilities, don’t let a lack of experience or a few unchecked boxes dissuade you from hiring, training, and developing eager and capable talent.
2. Don’t Bait and Switch Job Descriptions
   Keep job posts clear and accurate, providing detailed responsibilities, expectations, and security duties. With more demand than supply, highly skilled professionals can often afford to pick and choose their work destinations. Other open positions in the industry incline professionals to not tolerate deception during the hiring and onboarding process. If you advertised for a cybersecurity developer but have your new hire working on incident response, you may be setting them up for failure and planting seeds for a disgruntled employee.
3. Cultivate and Empower Your Talented Leaders of Tomorrow
   In most industries, the best way for professionals to secure a raise or promotion is to leave for another company. While outside hires will always be a part of filling cybersecurity positions, especially senior roles, developing continuity and long-tenured employees with experience in multiple roles within an organization can significantly contribute to a stronger security posture. If upper or middle management roles are mostly filled from external postings rather than internal promotions, employees may leave thinking upward mobility isn’t possible.

As you pursue a stronger security posture, incorporating both security awareness and security training into the company culture reduces company-wide risk and encourages continual improvement. While often related, security awareness and security training concepts are unique.

What’s the difference between security awareness and security training?

Security awareness includes educating employees on the overall security-related issues affecting the organization. When encouraged or required to address and regularly re-examine relevant cybersecurity concerns, employees at every level become more aware of their impact and accountability toward maintaining the organization’s security standards.

Security training focuses on teaching specific knowledge and special, relevant skills to the appropriate personnel. Security training can include anything from useful guidance on revised security best practices to new methods and tools for handling sensitive data or preventing cyber incidents.

Why is security awareness and training so important?

Per TechTarget’s latest deep dive on cybersecurity awareness and training, the valuable benefits of effective employee security awareness and training include the following.

• Minimizing Risk: Proper security awareness measures and training initiatives can prevent and minimize the risk of data breaches, cyberattacks, and other digital security incidents by empowering employees to be more proactive in identifying potential threats.

• Limiting Data Loss: When employees better understand the significance of safeguarding sensitive information and know how to prevent data leaks, companies can have confidence that their intellectual property and critical resources are safe and secure.

• Preventing Financial Loss: Among the more than 550 organizations surveyed in the 2023 IBM Security Cost of a Data Breach Report, the global average cost of a breach was nearly $4.5 million. By reducing the likelihood of cybersecurity incidents and data breaches, organizations can create a stronger security posture and resilient environment that minimizes financial losses.
  

• Reducing Human Error: Almost three-quarters of data breaches involve the human element, according to Verizon’s 2023 Data Breach Investigations Report (DBIR). By providing training opportunities that equip employees with relevant knowledge and new skills, organizations can become naturally more resilient against security threats.
  
• Cultivating a Cybersecurity Mindset: Targeted training and awareness efforts contribute to an overall company culture that keeps security front of mind. Regularly revisiting common cyber risks and staying on top of evolving threats helps build a resilient mindset and strong security posture.