Harmonizing Cybersecurity: Insights from the Inaugural StateRAMP Cyber Summit
The inaugural StateRAMP Cyber Summit held in Indianapolis brought together leaders from federal, state, and local governments, along with private sector executives, to address a pressing issue: the need for harmonization of cybersecurity regulations. As cyber threats evolve and become increasingly complex, the summit underscored the importance of establishing a unified set of cybersecurity standards that can be adopted by agencies and vendors alike.
The Need for Cybersecurity Standards
Over the past four years, it has become evident that without a baseline of cybersecurity requirements, state and local agencies face significant challenges in protecting their systems and sensitive data from cyber threats. JR Sloan, the Arizona state chief information officer and co-founder of StateRAMP, emphasized the value of StateRAMP in providing a framework that not only benefits state agencies but also extends to local municipalities. He noted that cities and counties are eager to leverage the advantages of emerging technologies and cloud solutions while grappling with the same cybersecurity challenges.
With approximately 25 states participating in StateRAMP and over 400 certified vendors—many of whom also meet federal standards under the FedRAMP program—the initiative is gaining traction. This collective effort aims to streamline cybersecurity practices across various levels of government, ensuring that all entities can effectively defend against cyber threats.
Defending Critical Infrastructure
The urgency of establishing a shared cybersecurity framework like StateRAMP has never been more apparent. As cyber threats have shifted from data breaches to more sophisticated attacks, including ransomware and assaults on critical infrastructure, the need for robust defenses is paramount. Joe Bielawski, president of Knowledge Services and co-founder of StateRAMP, highlighted the evolution of threats, noting that critical infrastructure, such as water systems and electric grids, is particularly vulnerable.
Ken Weeks, the chief information security officer for New Hampshire, echoed this sentiment, revealing that many community drinking water and wastewater systems lack adequate security measures. To address these vulnerabilities, New Hampshire has implemented the Municipal Cyber Defense Program, which provides hands-on training for operators and educational seminars for local officials. This proactive approach aims to raise awareness and equip municipalities with the knowledge necessary to safeguard their systems.
The Challenge of Cybersecurity Catch-Up
Counties like Arapahoe in Colorado are also striving to catch up in the realm of cybersecurity. Nikki Rosecrans, the county’s CISO, shared that Arapahoe County recently issued its first information security policy, which aims to educate non-IT staff about data protection. By adopting the Center for Internet Security (CIS) framework, the county is taking steps to ensure that all employees understand their role in maintaining cybersecurity.
Rosecrans expressed a desire for more standardized cybersecurity controls, advocating for harmonization between frameworks like CIS and StateRAMP. This sentiment resonated with many attendees at the summit, who recognized that a unified approach would simplify compliance and enhance overall security.
The Value of Cyber Harmonization
The benefits of harmonizing cybersecurity standards extend beyond compliance; they also create significant value for vendors. Dan Lohrmann, field CISO for Presidio and former CISO for Michigan, highlighted the efficiency gained when states do not have to reassess solutions for every request for proposals (RFP). This streamlined process can lead to substantial cost savings for vendors, allowing them to focus on delivering secure solutions rather than navigating a patchwork of requirements.
John Lee, vice president of cloud solutions at Carahsoft, noted that achieving StateRAMP or FedRAMP certification can lead to increased revenue for vendors, with some experiencing up to a 60% boost in public sector sales within the first year. This "Good Housekeeping seal of approval" instills confidence in government procurement officials, who are increasingly prioritizing cybersecurity in their purchasing decisions.
Strengthening Coordination Between Cybersecurity and Procurement
The summit also highlighted the growing collaboration between cybersecurity leaders and procurement officials. Jamie Schorr, chief cooperative procurement officer with the National Association of State Procurement Officials, noted that the relationship between Chief Information Security Officers (CISOs) and acquisition leaders has strengthened significantly. This collaboration allows procurement officials to select suppliers that meet minimum cybersecurity standards, ultimately reducing risk and enhancing security across the board.
Meredith Ward, deputy executive director of the National Association of State CIOs (NASCIO), emphasized the importance of breaking down silos in cybersecurity. As cyber threats target all levels of government indiscriminately, it is crucial for CISOs to build relationships with other agency leaders to foster a more comprehensive approach to cybersecurity.
Conclusion
The inaugural StateRAMP Cyber Summit served as a pivotal moment in the ongoing effort to harmonize cybersecurity standards across federal, state, and local governments. As cyber threats continue to evolve, the need for a unified approach has never been more critical. By collaborating and sharing best practices, government leaders and private sector executives can work together to create a safer digital landscape for all. The insights gained from this summit will undoubtedly shape the future of cybersecurity, ensuring that agencies are better equipped to defend against the ever-growing array of cyber threats.