
A closer look at high-impact service providers: The ITA edition

By: wfedstaff
19 November 2025 at 14:27

The International Trade Administration has a complex mission of supporting U.S. companies in exporting, enforcing trade laws, and increasing foreign direct investment.

In this conversation, Stan Kowalski, ITA’s director of organizational excellence and strategic delivery, will share how ITA is modernizing digital services, expanding self-service options and using AI tools to help customers find what they need faster. In addition, Sean Hetherington, the director of federal civilian at Adobe, will provide the industry perspective of supporting federal agencies.

Featured topics:

  • Harnessing AI tools to help automate tasks and enhance efficiency
  • Using customer and employee feedback loops to redesign services and boost satisfaction
  • Aligning CX, EX and emerging technologies to drive continuous improvement across mission operations

The post A closer look at high-impact service providers: The ITA edition first appeared on Federal News Network.


Indiana’s push toward cyber standards highlights growth of GovRAMP

6 November 2025 at 12:41

CHICAGO — When Mike Braun took office as governor of Indiana in January, he quickly found he needed to address two critical issues.

First, Indiana state agencies were woefully behind in how they were using and managing technology.

Second, he understood the systems and applications implemented throughout the state were at risk of cyber attack.

“I was surprised how disaggregated and disorganized it was. In our state government, that’s about 30,000 employees spread across about 60 or 70 agencies. There was no central technology theme. It seemed like everyone was doing their own thing,” Braun said during the second annual GovRAMP Cyber Summit in October. “The thing I heard most is [the employees] didn’t like it; it wasn’t working and it was almost outdated. We were spending a fortune on it, not to mention the cybersecurity side of it. I guess the only blessing would have been, since it wasn’t that great, had it been taken down, it would have been then the real motivation to maybe fix it.”

Mike Braun is the governor of Indiana.

Braun said he has slowly been improving the processes to buy and apply technology to state services. But when it came to cybersecurity, he moved fast.

In March, Braun signed an executive order that among other things mandated the implementation of a risk and authorization management program (RAMP) for cloud computing services.

“If we want to be the leading state, not only on technology but in how to protect it, whether that be education, healthcare, infrastructure, even things like utility rates, then we needed to be there and we weren’t. That’s why I put it into as high a gear as I could. That’s what that executive order was about,” he said.

Indiana’s mandate to use a RAMP comes on the heels of growing use of the GovRAMP initiative, formerly known as StateRAMP.

Leah McGrath, executive director of GovRAMP, said the service now includes 70 participating state and local governments, 33 states and around 400 private sector members, 10% of which are small businesses with under $5 million in annual revenue.

GovRAMP has added about eight new state participants over the last year. McGrath said she credits the continued growth of states and companies to meeting them where they are and not trying to force them into a one-size-fits-all approach to cybersecurity.

“With our security program, what we’ve learned, especially when we are working with states and local governments, education and the providers who serve them, is that we needed to be able to build out a program that’s not a binary choice of, are you fully authorized or not? So we really have worked over the course of the last few years to create a step-by-step program,” McGrath said. “It’s more a question of, where are you in your journey? Are you progressing? And are you taking those steps forward so that we can make visible, here’s the risk and then our participating governments can make really informed decisions that fit their risk appetite and need.”

GovRAMP continues to grow

One way GovRAMP is creating a more flexible program is through the recently updated Progressing Snapshot Program that kicks into gear on Jan. 1.

McGrath said GovRAMP launched the Snapshot Program in 2023 in direct response after hearing from states and companies, both of whom wanted better visibility in the cyber journey.

The Progressing Snapshot Program will update state participants on the progress companies are making in reaching the different levels of GovRAMP – low, moderate and eventually high baselines.

“What we’ve done with GovRAMP is by working with our program management office is we created a centralized, shared service, and so the changes are going to have a positive impact on our participating governments,” she said. “The way that it works is by having that centralized program management office function, they’re reviewing all the packages. They’re reviewing all the Progressing Snapshot Program statuses and where the vendors are. The providers have the ability, through our PMO portal, to give access to the participating governments. Governments can ask for access. Once they’re given access, one of the things that we heard that was really important is they don’t have time or interest to log in every day and see what’s happening. So what we have instituted is a continuous monitoring escalation policy. So once a government’s been given access to the continuous monitoring of a provider’s package or product information, then if there is something that is escalated, you have a vulnerability. That will trigger a notification to our governments to log in and take a look, because something changed that they need to be aware of, so that they can take action if they need to.”

At the same time, GovRAMP is initiating a new “core status” effort, which is administered by its PMO and provides a structured, standards-based milestone approach to help vendors more quickly provide secure cloud services, but it doesn’t require an immediate leap to full authorization.

McGrath said vendors must implement and demonstrate that they meet 60 controls under the MITRE ATT&CK framework to achieve core status.

“Once you’ve demonstrated via evidence that you’ve met these 60 controls, you achieve a core status, and now you roll into quarterly continuous monitoring,” she said. “Core is a GovRAMP status and it’s like 20x for FedRAMP. What’s unique about core, as we’ve been working with our participating governments, is it could be a stepping stone to what’s next. It could be, you’re GovRAMP core, you meet the requirements to begin a contract with an agency, but they want you to become authorized because you’re handling some really sensitive data. So you have 12-to-18 months to go the distance of full authorization. Or it could be a terminal status, meaning core is all a government may require, depending on the data and the impact of the potential security.”

Confidence in and transparency about GovRAMP are major reasons why the program is gaining more and more users.

Jeff Maxon, the chief information technology officer for the state of Kansas, said his office just issued a new cloud security policy requiring the use of vendors who meet the minimum standards of GovRAMP or the federal government program known as FedRAMP.

“We’re starting to set the governance in place to more broadly adopt GovRAMP and what they’re providing because we know we’re not going to do everything ourselves. We need to rely on the vendors, but we also don’t have the resources internally to assess and audit each of those vendors,” he said. “That’s where GovRAMP really steps in and helps the states and takes that burden off the states, and gives us a degree of confidence that the vendors we’re using have things in place to protect themselves.”

Nikki Rosecrans, the chief information security officer for Arapahoe County, Colorado, added that GovRAMP- and FedRAMP-authorized vendors provide her with the confidence that the cloud security tool is secure and will be kept up to date through a rigorous oversight process.

“We have it written into our procurement language. We have it outlined for our larger vendors who transmit or process some of the most sensitive data, so your personally identifiable information, criminal justice information or your personal health information. That is a part of our requirement for those third party vendors,” Rosecrans said.

Collaborating with procurement experts

Driving cloud security standards through the procurement process is one of GovRAMP’s ongoing initiatives to expand its reach.

GovRAMP worked with the National Association of State Procurement Officials (NASPO) on a multi-state cooperative purchasing agreement for cloud and software solutions that is run by Utah.

Nick Hughes, the senior cooperative portfolio manager at NASPO, said the award includes 51 suppliers. Hughes said NASPO is in the process of awarding an updated 10-year contract for cloud and software solutions that will be more flexible, letting companies join in the middle of the contract and making it easier for awardees to add new technologies as they mature.

Hughes said by working with GovRAMP and the National Association of State CIOs, NASPO is ensuring everyone is speaking the same language.

“It’s making sure we have some type of translation to get on that same page. So we have regular meetings that are really good to get us on the same page because it’s constantly evolving. With GovRAMP, they’ve been heavily involved with the new solicitation for cloud and software solutions,” he said. “They are helpful in making sure there are terms that are going to be applicable for this type of security standard. They help us answer questions like ‘Are we going to implement the security standards within the solicitation or make it optional for the states? And then also, can we navigate when a state signs on can they restrict security standards for an executive branch agency or have it broadly applied to the entire jurisdiction or geography of the state?’ They’ve been critical in helping answer questions from suppliers too.”

NASPO currently manages about 63 different cooperative agreements for everything from technology to playground equipment to managing the Agriculture Department’s Women, Infants and Children (WIC) infant formula rebate program.

The continued partnership between acquisition and technology officials isn’t just to create cooperative contracts.

Vendors seeing benefits too

JR Sloan, the Arizona CIO and incoming vice president of NASCIO, said the state has incorporated GovRAMP requirements into its contracts.

“We’re working it through our processes. Things in government take kind of going to turn over, and the fact that we had a RAMP program before GovRAMP existed was helpful,” he said. “And yet, I will tell you that we are in a much better position today as we approach new procurements with awareness across all of the individuals. Arizona is a more federated environment, decentralized and yet in that community, I can tell you that folks are aware of what GovRAMP is, what the benefits are and how do we engage in the state’s procurement process to ensure that they are on the right path to success.”

The benefits aren’t just for the states. Vendors who participate in RAMP-type programs also see significant advantages.

John Lee, the vice president of cloud services at Carahsoft, said vendors participating in the FedRAMP program, for example, are seeing increased profits.

“If I’m a vendor, I’m actually seeing like a 30% price increase for a moderate solution. So diving a little bit deeper, 20% increase for the low impact levels and we’re seeing about 33% increase for the FedRAMP high. And we’re seeing like a 48% increase in cost when you’re dealing with the Defense Department Impact Level four, and almost a 65% increase because there’s additional security controls that you have to do in order to get those across the board,” Lee said. “So as a vendor, we’re seeing there is that government is willing to pay for that additional security that’s in place.”

Joe Bielawski, the president of Knowledge Services and a member of the GovRAMP board, said going forward the focus area for GovRAMP is the harmonization among existing cybersecurity standards.

He said GovRAMP is working with federal agencies, including the FBI and the General Services Administration, on standard overlays for programs like CJIS or FedRAMP.

“At the end of the day, I look at GovRAMP and ask how do we simplify a very complex world? The fact that we have been able to, as an organization, have 33 plus states, 60 plus cities, towns and other political subdivisions adopting GovRAMP is a great accomplishment,” Bielawski said. “But in that process of simplifying a framework that everyone can agree to and then overlaying these other frameworks to make it simpler, more easy for adopting GovRAMP will solve a big challenge we all have.”

The post Indiana’s push toward cyber standards highlights growth of GovRAMP first appeared on Federal News Network.
