Last Updated on December 20, 2024
What is AZRAMP? Here’s What CSPs Need to Know.
The US state of Arizona first launched its Arizona Risk and Authorization Management Program (AZRAMP) cybersecurity framework for cloud service offerings back in 2015. While Arizona now also recognizes State Risk and Authorization Management Program (StateRAMP) and Federal Risk and Authorization Management Program (FedRAMP) authorizations, AZRAMP continues to thrive, with over 300 vendors approved as of March 2023.
This article explains AZRAMP basics and what CSPs looking to do business with Arizona state/local government entities and universities need to know.
What is AZRAMP?
AZRAMP is an assessment methodology that evaluates and confirms whether a cloud service provider’s cybersecurity and data protection posture and capabilities are in alignment with minimum standards. Like its namesake and forerunner FedRAMP, AZRAMP is based on the publication NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
AZRAMP focuses on three key capabilities that CSPs must demonstrate:
- Risk management—the ability to identify, rank, and mitigate cyber risks.
- Cybersecurity audits—the ability to show that implemented controls are effective and meet AZRAMP standards.
- Continuous monitoring—Demonstrating effective processes that continuously gather and analyze relevant IT data to detect cyber threats.
Under AZRAMP, CSPs must provide documentation that proves they meet a wide range of security and data protection thresholds. Vendors that meet these requirements must also fill out a 30-question survey and undergo a security assessment to complete the approval process.
AZRAMP versus StateRAMP
Why not just pursue StateRAMP authorization instead of AZRAMP and gain access to potential business in states other than Arizona? The downside is that time, cost, and effort are all greater with StateRAMP.
Representing a lower bar to entry with lower costs and fewer hurdles than either StateRAMP or FedRAMP, AZRAMP has successfully validated more vendors over an equivalent time period than either of the two nationwide programs, while upholding a cybersecurity and data protection standard deemed effective for Arizona’s government agencies.
But that lower barrier to authorization comes with a price—one-way reciprocity. Arizona recognizes StateRAMP authorization in lieu of AZRAMP authorization, because StateRAMP requirements are a superset of AZRAMP requirements. But AZRAMP authorization is only valid in Arizona and not in any other states.
The StateRAMP program is modeled on AZRAMP, but they vary significantly. Some major differences include:
- While Arizona uses in-house auditors to approve AZRAMP vendor status, StateRAMP requires applicants to use one of the few (currently about 45) third-party assessors that are authorized to conduct FedRAMP assessments. This makes StateRAMP audits more expensive and potentially harder to schedule than AZRAMP audits.
- StateRAMP’s authorization process is also more arduous than AZRAMP’s and the decision process often takes significantly longer.
- Like FedRAMP, StateRAMP requires vendors to demonstrate continuous compliance, while CSPs seeking AZRAMP authorization need only reconfirm their ongoing compliance periodically or in response to a cyber incident. Continuous compliance requires more robust governance and data management.
AZRAMP versus FedRAMP
Why not pursue a coveted FedRAMP Authority to Operate (ATO) and automatically meet all AZRAMP and StateRAMP program requirements as well? Like with StateRAMP, FedRAMP compared to AZRAMP has more controls, a more costly and risky approval process, and a much longer approval cycle.
FedRAMP also emphasizes US federal government cloud security requirements rather than state-level requirements. While both programs align with NIST 800-53, control implementation guidance may be less strict for AZRAMP than for FedRAMP.
For example, AZRAMP may accept CIS Level 1 profiles as an applicant’s benchmark for configuration management, while FedRAMP now requires compliance with the more rigorous DISA STIGS to address the equivalent control.
Benefits of achieving AZRAMP authorization
For CSPs that want to do business with Arizona state agencies, city governments, and/or institutions of higher education, achieving AZRAMP authorization offers several important benefits, including:
- Access to contracts that are only open to AZRAMP authorized vendors.
- Enhanced stakeholder trust and confidence due to a highly credible third-party attestation that your cybersecurity posture is robust, and you can protect sensitive data.
- Improved cybersecurity capabilities including strong risk management and monitoring, thus reducing the chances of a data breach.
- A higher standard for control implementation that will support or ensure compliance with a wide range of industry, state, and/or federal cybersecurity regulations.
Should my business pursue AZRAMP authorization?
According to Mike Craig, founding principal and CEO at Vanaheim Security, the central factor in choosing which cloud service authorizations to pursue is your current and projected book of business. Some preliminary questions to answer include:
- Do you firmly plan to conduct business just within the state/local government and education (SLED) sector in Arizona?
- Do you have plans, aspirations, or market demand to seek SLED business outside of Arizona?
If AZRAMP authorization would enable you to serve your current clients and prospects, you might choose to establish that cybersecurity level first and then pursue StateRAMP.
If your business plan calls for selling your offering(s) outside Arizona, it might make sense to aim for StateRAMP authorization first, to avoid the extra cost, time, and effort of achieving first AZRAMP and then StateRAMP authorizations. But other factors, such as available budget, bandwidth, and expertise, may also come into play.
What’s next?
For more guidance on this topic, listen to Episode 144 of The Virtual CISO Podcast with guest Mike Craig, founding principal and CEO at Vanaheim Security.