Ted Cotterill, Indiana Chief Privacy Officer and General Counsel for the Management Performance Hub (MPH), speaks with Bill Sullivan, VP and General Manager for US Federal at Denodo, in a video interview, about setting up the State Risk and Authorization Management Program (StateRAMP), the key to effective governance, participation of various sectors in the program, importance of cyber supply-chain, getting StateRAMP certified, and how technology providers can expand market reach.
MPH is a state agency that provides data-driven solutions and analytics for the Indiana state government. Cotterill is the founding secretary and treasurer of StateRAMP.
Speaking about the inception of the Federal Risk and Authorization Management Program (FedRAMP), Cotterill credits the two founding board members Joe Belaski and JR Sloan along with Liam McGrath, the Executive Director. He discusses setting up a non-profit StateRAMP in Indianapolis that serves all state and local government units and public education sectors across the country.
Adding on, Cotterill discusses the successful transition to Red5, which gives anyone moving to the cloud a suite of cloud service providers that have already gone through the process to be authorized. This, in turn, boosts confidence in the current cyber posture and allows continuous monitoring, because technology and cyber risks are continuously evolving, as are customer expectations.
Continuous monitoring is the key to effective governance over the cloud service provider's cyber posture, says Cotterill. He notes that if the data is not on-prem anymore, an organization is obligated to treat the cloud service provider with care and StateRAMP makes that easy.
Moving forward, Cotterill stresses that it is crucial to treat cyber seriously, and that programs like StateRAMP make it possible to manage that risk efficiently.
When asked about private sector participation, he states that the response has been amazing. He shares that Texas codified the idea of the RAMP, while in Arizona, it has been adopted across the board.
Cotterill speaks about the creation of opportunities from the state grant perspective because of the different levels of government in the U.S. To learn more about StateRAMP, he suggests starting at stateramp.org.
Regarding participation from commercial entities, Cotterill states that the approach is similar to the federal one: a high cyber bar is maintained, while the organization wants to lower the financial barrier to entry. He mentions that a smaller cloud provider could be leveraging AWS or Azure, and the data touch points in between raise concerns.
In continuation, Cotterill states that it is crucial to know the cyber supply chain and all the links in it. Therefore, even when commercial entities participate in the program, the cyber standard is kept high while making it easy for them to participate.
Commenting on getting StateRAMP certified for vendors who are already FedRAMP certified, Cotterill mentions having a fast-track process that enables them essentially to come into the back door of StateRAMP. This shortens the time to receive a StateRAMP authorized or ready status to approximately 6 weeks.
Next, he states that another piece of value for cloud service providers with StateRAMP is the idea of “verify once, use many.” Cotterill says that those not in business with the federal government can go through the state grant process and get the authorized recognition. He then mentions the idea of a security snapshot, which gives a point-in-time cybersecurity perspective that can be submitted with a bid to the government or the potential government client.
StateRAMP continues to work to iterate and find places to add value. But this idea of a platform that brings some uniformity to the way that cloud is procured is a big win for government clients.
Furthermore, Cotterill comments on how a vendor can leverage the StateRAMP environment. For instance, if Azure has gone through that process and has received recognition from the program, certainly another vendor can leverage it. The point of concern is the cyber supply chain.
Shedding light on how technology providers may want to expand market reach, he maintains that Indiana has 3,000 units of local government, and with 50-plus territories in the district, there is massive cyber proficiency in state governments.
Therefore, it boils down to procurement efficiency, making processes easier, and StateRAMP adds value in that respect. However, there is an untapped market, both at the state level for federal providers and in all of the local government units that lack cyber proficiency due to low staffing.
This leads to their involvement in the StateRAMP process. In conclusion, Cotterill states that StateRAMP focuses on educating and upholding cyber, but also helps cloud providers unlock potential.
CDO Magazine appreciates Ted Cotterill for sharing his success stories with our global community.