Oregon pursuing StateRAMP membership to streamline cloud security vetting
Summary
State CIO and CISO told the committee Oregon has joined or is engaging with StateRAMP to reduce duplicate vendor security assessments and eventually prefer StateRAMP-authorized vendors in procurement processes.
State Chief Information Officer Terrence Woods and State Chief Information Security Officer Ben Goreski told the Joint Legislative Committee on Information Management and Technology that Oregon is actively pursuing adoption of StateRAMP, a state-focused security authorization program, to speed procurement and reduce duplicate vendor security reviews.
Woods said one of his first requests after taking office was to "get us on StateRAMP, like get us on there yesterday," and Goreski said the state now participates in StateRAMP membership activities and is working to align procurement and legal terms so agencies will "request StateRAMP first."
StateRAMP is a vendor-assessment and continuous-monitoring program modeled on federal FedRAMP and NIST cybersecurity standards. Officials said StateRAMP can reduce the time cybersecurity teams spend re-evaluating vendors because vendors that obtain StateRAMP authorization complete rigorous, standardized security assessments that other states can rely upon.
Goreski told the committee the cybersecurity office has invested in the StateRAMP process and is a member of a council advising StateRAMP. He said that when a vendor undergoes StateRAMP assessment "on their own nickel" and attains authorization, Oregon’s internal assessment work can be reduced because the vendor’s controls and reports are already validated. The plan described to the committee is to move from accepting StateRAMP assessments, to preferring StateRAMP vendors, and ultimately to requiring StateRAMP authorization once procurement and legal procedures are aligned.
Committee members asked how many vendors participate in StateRAMP and whether the program would narrow competition. Goreski said the StateRAMP ecosystem includes hundreds of vendors and that the program can increase—not decrease—competition by making it easier for vetted vendors to be used across states. He said StateRAMP also performs ongoing monitoring rather than a single point-in-time assessment, which better meets the continuous-review needs of cloud and SaaS providers.
Officials said StateRAMP adoption is ongoing, procurement and legal staff are working on contract language to embed StateRAMP requirements, and the cybersecurity office will continue to report progress to the committee.
