Key Takeaways
- The Progressing Security Snapshot Program, a quarterly check-in program, is helping cloud companies strengthen their cybersecurity and increase confidence in their products from government clients.
- The program provides quarterly assessments and advisory feedback to cloud companies, aligned with the National Institute of Standards and Technology (NIST) SP 800-53 Revision 5.
- Cloud companies that participate in the program improve their security control performance over time and typically reach passing status on individual controls in a timeframe of slightly longer than two quarters.
- The program boosts government confidence in cloud providers and provides earlier insight into vendor risk, allowing governments to see how vendors’ security practices mature over time.
- The ultimate goal of the program is to get better resources to the public sector and to raise the entire ecosystem of security through shared responsibility and structured feedback.
Introduction to the Progressing Security Snapshot Program
The Progressing Security Snapshot Program, a quarterly check-in program, is helping public-sector-adjacent cloud companies steadily strengthen their cybersecurity, leading to increased confidence in their products from government clients. The program, which is run by the nonprofit cybersecurity advisory group GovRAMP, provides quarterly assessments and advisory feedback to cloud companies, specifically aligned to the federal government-issued National Institute of Standards and Technology (NIST) SP 800-53 Revision 5. This program is designed to help cloud companies improve their cybersecurity postures and increase confidence in their products from government clients.
How the Program Works
The Progressing Security Snapshot Program works by checking in with its subscribers quarterly, providing them with benchmarks and advice for improving their cybersecurity postures. The program starts with a baseline review of 40 NIST controls and follows providers through quarterly reassessments as they build evidence and close cybersecurity gaps. Rather than being a one-time scorecard, it is designed to show progress over time, allowing governments to see how vendors’ security practices mature as they move toward GovRAMP readiness or authorization. This approach allows governments to get earlier insight into vendor risk and provides cloud companies with a clear understanding of their security strengths and weaknesses.
Benefits of the Program
The program has been shown to be effective in improving the security control performance of cloud companies over time. According to the report, cloud companies that participate in the program typically reach passing status on individual controls in a timeframe of slightly longer than two quarters. The program also boosts government confidence in cloud providers, as it provides a clear understanding of their security practices and postures. New Hampshire CISO Ken Weeks said in a statement that the snapshot program helps his state "understand which providers are actively investing in security and building the practices needed to protect public data — well before formal authorization. Given the pace of change in the industry, this early perspective is vital to our procurement processes.”
Governance and Membership
GovRAMP is a nonprofit organization that was launched as StateRAMP in 2020. The organization offers a standardized risk assessment that allows vendors to work with participating state and local jurisdictions. Currently, 30 states are members, along with local governments, higher education institutions, at least one tribal government, and one federal entity. The organization’s risk management assessments, programs, and outreach are guided by state government leaders, industry representatives, and other experts. GovRAMP also maintains an Authorized Product List, which has three potential designations: Authorized products, Provisional products, and Ready products.
Ultimate Goal of the Program
The ultimate goal of the Progressing Security Snapshot Program is to get better resources to the public sector and to raise the entire ecosystem of security through shared responsibility and structured feedback. According to Mattie Gullixson, one of the report’s authors, "Our goal is to try and create a system in which it takes as little lift as possible on the government side to verify security while still providing continuous monitoring of a provider’s posture.” The program is designed to be a learning system, and it provides a framework for cloud companies to improve their security practices and postures over time. By providing quarterly assessments and advisory feedback, the program helps cloud companies to identify and address cybersecurity gaps, ultimately leading to increased confidence in their products from government clients.
