
The State of Arkansas and StateRAMP
The State of Arkansas has chosen to use the StateRAMP program to validate and verify NIST 800-53 compliance for products that can impact the State’s data, in order to protect its systems and the citizens it serves.
About the Program
Why StateRAMP
Protecting our State’s most sensitive and critical information is a team sport in Arkansas. We have cybersecurity teams working non-stop to protect and defend our networks and systems from hackers, but the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.
One way we can do this is by ensuring that the products that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where StateRAMP comes in.
StateRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.
Arkansas is excited to strengthen our cyber defenses by adopting StateRAMP as a framework for our contract and procurement process to ensure that we are covering every angle possible when it comes to protecting our residents’ data and ensuring our overall security.
Learn more about StateRAMP on stateramp.org.
The Process
Act 504
OIT and DPA are teaming up to help implement StateRAMP in Arkansas. Together, OIT and DPA have worked to update Arkansas’s cybersecurity procedures and policy language to require StateRAMP authorization for vendors that touch or hold our data. Additionally, Arkansas’s solicitation and contract language is in the process of being updated so that agencies can make the process as seamless as possible.
Act 846
The updated language and templates will be available here once finalized.
Not every contract will require StateRAMP validation. The State of Arkansas’s Office of Information Technology (OIT) will determine when StateRAMP validation is required.
For those products that do require StateRAMP validation, the following is a list of survey questions to help determine the appropriate impact level:
- Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
  - If yes, StateRAMP Low is recommended.
- Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the U.S. Department of Labor (DOL)?
  - If yes, StateRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
  - If yes, StateRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
  - If yes, StateRAMP Moderate is recommended.
- Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
  - If yes, StateRAMP Moderate is recommended.
- Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
  - If yes, StateRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
  - If yes, StateRAMP Moderate is recommended. Note: States may add additional controls to StateRAMP Moderate to comply with the CJIS requirements.
For additional questions on identifying what qualifies for StateRAMP requirements, please contact the Arkansas OIT.
For additional questions and clarification of impact levels, please review our recorded data classification training here. [link needed]
Please also feel free to reach out to info@stateramp.org.
StateRAMP enables vendors to become authorized through a sequence of steps that are streamlined and can translate across participating states in order to reduce redundancy and improve efficiency.
The three stages of StateRAMP validation are StateRAMP Security Snapshot, StateRAMP Ready and StateRAMP Authorized.
The Security Snapshot is a gap analysis that helps vendors identify any areas that do not yet meet the standards, which prepares them for the full review. The remaining steps are more in-depth, and a full overview is available here: https://stateramp.org/wp-content/uploads/2022/12/Authorized-Service-Provider-Getting-Started-Guide.pdf
Announcements
No Announcements at this time.
State Bidding Opportunities
Click below to see the list of current government solicitations for the State of Arkansas.
Contact Information and Trainings
Contact Information and Educational Opportunities will be listed here as they become available.

StateRAMP Overall Statement
StateRAMP is accepted by Arkansas and other states. Click below to see a list of StateRAMP’s participating governments.
State and Local Government
Contact us and schedule a conversation to get started. For more information about how StateRAMP works with governments, visit our Governments page.
Providers
For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.