StateRAMP attracts more states and the education sector
Written by Benjamin Freed
StateRAMP, the two-year-old group working to create a standardized security rubric for national and local IT vendors, announced Tuesday that several other governments and other organizations have begun using its standards.
These new partners include the K12 Security Information Exchange, a group that has lamented the lack of security standards for elementary school technology vendors, and the University of North Carolina System, which, according to Leah McGrath, executive director of StateRAMP, could be the first of several public higher education systems to adopt the standards.
Just as the Federal Risk and Authorization Management Program, or FedRAMP, uses a network of external rating agencies to assess the security of cloud providers doing business with the U.S. government, StateRAMP has assessors who do the same for state and local vendors. It also offers continuous monitoring of approved products. These services are now being extended to the education sector, McGrath told StateScoop.
Major universities like UNC, she said, are responsible for protecting data belonging to thousands of students and staff, and for keeping sensitive research secret from malicious actors seeking to steal intellectual property. Universities with medical schools are also subject to laws governing patient data.
“We started to see opportunities there, and because so many public universities work with the state, it became a real natural transition or expansion,” McGrath said.
North Carolina was one of the first 10 states to start using StateRAMP to validate its cloud providers. McGrath said the state Department of Information Technology’s cybersecurity strategy made it easy for the University of North Carolina to participate.
“What’s great about North Carolina is you have a statewide approach,” she said. “Where [UNC is] similar to state government is that there was no standardized way to manage compliance with ongoing monitoring. Whether it’s centralized or decentralized IT procurement, we have the capacity and flexibility to work with them.”
“A Growing Crisis”
The K-12 field works a little differently, however.
During a webinar hosted by K12 Six on Tuesday, McGrath said she also saw new opportunities for StateRAMP in the K-12 space. School districts across the country have been bombarded with ransomware for years — including, recently, in Los Angeles — and the COVID-19 pandemic has also prompted schools to adopt more cloud-based apps.
“As we have seen this modernization trend, we also need to be aware of the added responsibility it brings to each of us,” McGrath said. “I have three teenagers and we lived through the pandemic, so I know very well the educational tools that have gotten us through.”
K12 Six executive director Doug Levin criticized security standards in edtech and repeated those concerns on Tuesday. Of the approximately 1,300 cybersecurity incidents recorded by K12 Six since 2016, 55% originated from a vendor, he said.
“This is a growing crisis,” Levin said, noting recent data breaches involving Battelle for Kids and Illuminate Education.
Thanks to local governments that have adopted StateRAMP, there are between 40 and 50 school districts that could adhere to the group’s standards, McGrath told StateScoop.
“They’re starting to have these conversations,” she said.
‘Is it connected?’
In addition to K12 Six and UNC, StateRAMP on Tuesday announced another round of state governments that have begun adopting its standards, including agencies in Colorado, Maine, North Dakota, Vermont and West Virginia, as well as the judicial branches of Arkansas and Nebraska.
At the local level, McGrath said StateRAMP is now also working with the New York State Government CIO Association, potentially allowing it to reach counties, cities and towns across that state. The organization also works with Fayetteville State University, another public college in North Carolina.
While each organization incorporating StateRAMP’s model has its complexities, McGrath said there is a common set of issues that apply across government and education.
“You always have to ask, is this a cloud solution?” she said. “Does it transmit, process or store private or confidential data? Or could it impact your data? Are you connected, is it connected? This is the question that every K-12 school, every organization will need to address.”