Skip Navigation
BlackBerry Blog

What Does “StateRAMP Authorized” Really Mean?

CYBERSECURITY / 07.14.22 / Bob Day

Sometimes shopping for cybersecurity technology is like visiting the wine section at your grocery store.

Catchy names and label colors are everywhere. And if you read the descriptions, they all claim to be the best vino on the planet in one way or another. This leaves you scratching your head, wondering: Which one will be most enjoyable with the pork chops?

And that’s when you spot it: A bottle with a small gold medal sticker on the label. You don’t need to rely on the winemaker telling you their creation is excellent. No, this time, a third-party team of experts judged it to be that way. And they also greatly simplified your buying process. You are going to serve a gold medal winner with tonight’s meal.

In the search for vetted and verified cybersecurity tools, there are a small handful of reputable third-party validators who can similarly bestow a universally respected mark of excellence. StateRAMP is one of them.

The StateRAMP process was created to help state, local, educational, tribal, and territorial (SLED) governments evaluate their cloud solution providers. But it can serve as a guide for any organization seeking guidance and validation, because of what it reveals about approved cybersecurity and IT vendors.

StateRAMP Approval Process for Cybersecurity and Cloud

I’ve fielded a lot of questions (and questionnaires) from CISOs and CIOs about the security of our products and how they handle data. The organizations and agencies they protect essentially need to know, what is our cybersecurity vendor’s cybersecurity posture?

This is one of the reasons I am a fan of StateRAMP and its vetting process: There must be meaningful third-party validation on key security and data questions to move through each level of the process.

The end goal, according to StateRAMP, is “to manage cyber risk and protect critical data, systems, and infrastructure from cyber-attacks and ransomware,” by thoroughly vetting cloud vendors.

This type of validation is crucial information when so many state and local government IT operations are moving to the cloud. The numbers tell the story here: The government cloud market is expected to reach $28.8 billion this year, according to MarketsandMarkets™.

What Is StateRAMP “Authorized?”

When a solutions provider is “authorized” by StateRAMP, it means the provider meets specific security benchmarks and was independently audited by a third-party assessment organization (3PAO). And to ensure ongoing security compliance and risk mitigation, providers agree to continuous monitoring requirements in order to maintain a verified security status.

What Types of Data and Security Evaluations Occur Through StateRAMP?

Seeing a cybersecurity solution listed on the StateRAMP Authorized Vendor List gives governments and procurement officials confidence in the data security capabilities of service providers offering IaaS, SaaS, and/or PaaS solutions.

These solutions will do the following:

  • Store, and/or transmit government data
  • Handle personally identifiable information (PII), protected health information (PHI) which must remain HIPPA compliant, and/or payment card data (PCI)
  • Pass third-party verification that the vendor will “meet and maintain the government’s published cybersecurity policies”
  • Provide monthly status reports on the overall security posture of the cloud service 
  • Pass an annual third-party assessment and comprehensive penetration testing

Security and system validation is never easy, but when you see a vendor has made it through this process, you know a standardized approach was used to verify their security posture and prove their cybersecurity compliance to the SLED community.

Announcing a New StateRAMP Authorized Endpoint Security Solution

Part of what spurred me to write this article is pride in some news we just received: BlackBerry® Protect* is now “StateRAMP Authorized.”

BlackBerry Protect is an AI-based endpoint protection platform (EPP) that blocks cyberattacks and provides controls for safeguarding against sophisticated threats—with no human intervention, internet connections, signature files, heuristics, or sandboxes required.

Now you can be even more confident in the cybersecurity partner you choose. We don’t have a little gold medal symbol like you see on a bottle of wine, but third-party experts have vetted and verified the way we operate.

And I hope checking out the StateRAMP Authorized Vendor List will help you evaluate cloud-based cybersecurity vendors.

BlackBerry works with local, regional, state, territorial, and national governments and agencies around the world for their cybersecurity needs.

Three FedRAMP-approved BlackBerry® services are currently on the StateRAMP list:

* BlackBerry Protect has been renamed to CylancePROTECT®.

Bob Day

About Bob Day

Bob Day is a U.S. Coast Guard Rear Admiral (Ret.) and President, BlackBerry Government Solutions.