Written by Benjamin Freed
StateRAMP, a two-year-old group working to build standardized security rubrics for state and local IT vendors, said Tuesday that several more governments and other organizations have begun using its standards. announced to
These new partners include the K12 Security Information Exchange, a group lamenting the lack of security standards for elementary school technology providers, and the University of North Carolina system suggested by StateRAMP Executive Director Leah McGrath. Higher education system for adopting standards.
Just as the Federal Risk and Authorization Management Program (FedRAMP) uses a network of external rating agencies to evaluate the security of cloud vendors that do business with the U.S. government, StateRAMP has the same requirements for state and local sellers. There are evaluators who do things. It also provides ongoing monitoring of approved products. These services are now being extended to the education sector, McGrath told his StateScoop.
She said major universities like UNC are responsible for protecting data belonging to thousands of students and staff and hiding sensitive research from malicious attackers looking to steal intellectual property. I’m here. Universities with medical schools are also subject to laws governing patient data.
“We started seeing opportunities there. With so many public universities working with the state, it really became a natural transition or expansion,” McGrath said.
North Carolina is one of the first 10 states to start validating cloud vendors with StateRAMP. McGrath said the state’s Department of Information Technology cybersecurity strategy made it easier for the University of North Carolina to participate.
“The great thing about North Carolina is that we have a statewide approach,” she said. “Where [UNC is] As with state governments, there was no standardized way to manage compliance through continuous monitoring. We have the ability and flexibility to work with them, whether it’s centralized or decentralized procurement of IT. ”
‘A growing crisis’
However, the K-12 field works a little differently.
At a webinar hosted by K12 Six on Tuesday, McGrath said he saw new opportunities for StateRAMP in the K-12 space as well. School districts across the country have been hit by ransomware for years, most recently in Los Angeles. Also, the COVID-19 pandemic has prompted schools to adopt more cloud-based applications.
“As we have witnessed this trend of modernization, we must also recognize the additional responsibilities it brings to each of us,” McGrath said. “I have three of her teenage children and have been through the pandemic, so I know a lot about the educational tools to help us get through.”
K12 Six executive director Doug Levin has been critical of edtech’s security standards, reiterating his concerns on Tuesday. Of the roughly 1,300 cybersecurity incidents K12 Six has counted since 2016, he said, 55% are due to vendors.
“This is an increasingly serious crisis,” said Levin, referring to recent data breaches related to Battelle for Kids and Illuminate Education.
McGrath told StateScoop that there are 40 to 50 school districts that can sign the group’s standards through their local governments that have adopted StateRAMP.
“They are starting conversations like that,” she said.
“Are you connected?”
In addition to K12 Six and UNC, StateRAMP began adopting its standards on Tuesday, including agencies in Colorado, Maine, North Dakota, Vermont, West Virginia, and judicial agencies in Arkansas and Nebraska. announced another number of state governments. .
At the local level, McGrath said StateRAMP is also currently working with the New York State Government IT Directors Association, which could potentially reach counties, cities and towns across the state. The organization also works with Fayetteville State University, another public university in North Carolina.
While there are complex issues for every organization that adopts StateRAMP’s model, McGrath says there are common issues that apply across government and education.
“Is this a cloud solution?” she said. “Are you transmitting, processing, or storing personal or sensitive data? Or could it affect your data? Connected, connected? It is an issue that must be considered.”