The City of Fishers & StateRAMP

About the Program

What is StateRAMP?

StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place. StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. StateRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.

Why StateRAMP?

Protecting Fishers’ most sensitive and critical information is a team sport. While cybersecurity teams work non-stop to protect and defend networks and systems from bad actors, threats are always changing. Firms must be proactive by strengthening those networks and systems. One way to accomplish this is by ensuring that providers and products with any critical data are meeting, at the least, minimum cybersecurity standards. This is where StateRAMP comes in.

StateRAMP has partnered with the City of Fishers to assist providers with ensuring that their products are meeting those minimum security controls as indicated by StateRAMP in accordance with the NIST 800-53 security controls, while also affording them the benefit of transferable credentials through standardized cybersecurity verification. This allows providers to verify once to serve many. Product cybersecurity validation can be used with any of our participating government members.

Learn more about StateRAMP on stateramp.org.

Overview

The City of Fishers is working towards a standardized approach to the security assessment of cloud computing services. Cloud computing service is defined by the City of Fishers as having the meaning assigned by the United States Department of Commerce National Institute of Standards and Technology (NIST) Special Publication 800-145. According to the NIST definition, cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

  • The City of Fishers will enter or renew contracts with cloud computing services and give preferential awards to those cloud computing services that comply with StateRAMP requirements beginning January 1, 2024.
  • StateRAMP certification requirements are preferred for all contracts for cloud computing services products entered or renewed on or after that date.

The City of Fishers will use the below list to assist it in determining whether the product, application, or service in question is a cloud computing service. Essential characteristics of a cloud computing service are:

  • On-demand Self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
  • Broad Network Access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
  • Resource Pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
  • Rapid Elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
  • Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud computing service products subject to StateRAMP authorization.

The successful proposer’s cloud computing service product offering(s) that process, store, transmit and/or could impact government data should, at a minimum, be enrolled in the StateRAMP Progressing Snapshot Program until the product achieves StateRAMP Ready, Authorized, or Provisional Status. The Security Snapshot serves as an attestation to the provider’s capabilities to achieve full authorization.

Cloud service products not subject to StateRAMP authorization.

Certain cloud computing services are out of scope of StateRAMP requirements due to the unique characteristics of the cloud computing service. Cloud computing services are out of scope of StateRAMP provided the service does not:

  • process, store, or transmit confidential city-controlled data (except as needed to provide a login capability or as it relates to ecommerce purchasing/reserving/booking for agency functions, e.g., username, password, email, or information required for enabling multifactor authentication); or
  • have access to read or modify confidential city-controlled data on agency systems such that any security incident might affect such systems.

A cloud computing service that meets the above requirements may be considered out of scope of StateRAMP requirements if the service falls under one of the following characteristics and categories:

  • Consumption-focused cloud computing services such as advisory services, market research, or other resources that are used to gather research or advisory information.
  • Graphic design or illustration products.
  • Geographic Information Systems (GIS) or mapping products.
  • Email or notification distribution products.
  • Social media platforms and products.
  • General business productivity products.
  • Cloud computing services used to deliver training.
  • Cloud computing services used to transmit copies of nonconfidential data as required by external governing bodies for purposes of accreditation and compliance; and
  • Web applications or services used for purchasing supplies, travel and booking accommodations, reservations, or other general purpose procurement applications that only access payment information of the agency or agency personnel.

A cloud computing service that is out of scope of StateRAMP requirements is not subject to the StateRAMP certification preference established herein. However, the cloud computing service must still comply with any required control baselines established by the City of Fishers.

Collaboratively, the Business Solutions Group (BSG) and Information Technology (IT) departments are responsible for determining whether a cloud computing service is out of scope for StateRAMP and maintaining an inventory of cloud computing services that it has designated as out of scope. While these cloud services are out of scope, BSG and IT will still use care when procuring or using such services.

StateRAMP Progressing Security Snapshot Program. It is the preference of the City of Fishers that products without a StateRAMP status of Ready, Authorized, or Provisional should enroll in the StateRAMP Progressing Security Snapshot Program, complete quarterly Snapshots, and provide monthly progress reporting to StateRAMP until StateRAMP Ready, StateRAMP Authorized, or StateRAMP Provisional status is obtained. The requirements for this contract are outlined below. If the provider does not already have a StateRAMP status of Ready, Authorized, or Provisional, the appropriate status must be achieved in the following timeframes: (1) StateRAMP Ready should be obtained not later than 18 months after execution of this contract, (2) StateRAMP Authorized or Provisional status should be obtained not later than 24 months after execution of this contract. Subsequent Security Snapshots should reflect progress toward increased security controls and StateRAMP status. The City of Fishers must be granted visibility and access through StateRAMP for progress reviews as requested.

StateRAMP Ready. Products with StateRAMP Ready status should maintain StateRAMP Ready status for the duration of the contract. The City of Fishers should be granted visibility and access through StateRAMP for continuous monitoring as requested.

StateRAMP Authorized and StateRAMP Provisional. Products with StateRAMP Authorized or StateRAMP Provisional status must maintain either a StateRAMP Authorized status or a StateRAMP Provisional status for the duration of the contract. The City of Fishers should be granted visibility and access through StateRAMP for continuous monitoring as requested.

Preferential review will be given to a vendor who submits one of the following with the contract terms:

  • Proof of current StateRAMP Authorized status in the form of a StateRAMP Letter
  • Proof of current StateRAMP Ready status in the form of a StateRAMP Letter
  • Valid StateRAMP Security Snapshot Score, and proof of enrollment in the StateRAMP Progressing Security Snapshot Program

Continuous Monitoring – When a StateRAMP Security Snapshot or StateRAMP Authorized status is provided, the vendor(s) will, upon receiving award, grant the City of Fishers access to continuous monitoring and reporting for StateRAMP Security Snapshot, Ready status, and Authorized status through the life of the contract. The City of Fishers reserves the right to request and review all Third-Party Assessment Organization (3PAO) audits, risk assessments, vulnerability assessments, and penetration tests of the contractor’s environment. The contractor shall respond to all flaws discovered by providing a mutually agreed upon timeframe to resolve the issue and/or implement a compensating control.

StateRAMP Status – Contracts will be entered into with selected respondent(s) offering a product that processes, stores, transmits and/or could impact government data, with preference given if the proposal includes written documentation that the product has either achieved a minimum of StateRAMP Provisional status or has a valid StateRAMP Security Snapshot at the time of proposal submission.

Any deviation from these requirements must be approved by the Chief Security Officer and Business Solutions Department. Information about StateRAMP can be found at www.stateramp.org.

StateRAMP enables service providers to become authorized through a sequence of steps that are streamlined and can translate across participating states and local jurisdictions in order to reduce redundancy and improve efficiency.  

The three stages of StateRAMP validation are StateRAMP Security Snapshot, StateRAMP Ready and StateRAMP Authorized. 

Contact Information

For additional information on City of Fishers’ opportunities, please contact the Fishers Business Solutions Group at BSGEmail@fishers.in.us.

For additional information on how to get started with the StateRAMP process, please contact info@stateramp.org.

Other Participating Governments

StateRAMP is accepted by Fishers, as well as other cities and states.

State and Local Government

Contact us and schedule a conversation to get started. For more information about how StateRAMP works with governments, visit our Governments page.

Providers

For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. StateRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.