• The City of Fishers will enter or renew contracts with cloud computing services and give preferential awards to those cloud computing services that comply with StateRAMP requirements beginning January 1, 2024.
• StateRAMP certification requirements are preferred for all contracts for cloud computing services products entered or renewed on or after that date.

The City of Fishers will use the below list to assist it in determining whether the product, application, or service in question is a cloud computing service. Essential characteristics of a cloud computing service are:

• On-demand Self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
• Broad Network Access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
• Resource Pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
• Rapid Elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
• Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud computing service products subject to StateRAMP authorization.

The successful proposer’s cloud computing service product offering(s) that process, store, transmit and/or could impact government data should, at a minimum, be enrolled in the StateRAMP Progressing Snapshot Program until the product achieves StateRAMP Ready, Authorized, or Provisional Status. The Security Snapshot serves as an attestation to the providers capabilities to achieve full authorization.

Cloud service products not subject to StateRAMP authorization.

Certain cloud computing services are out of scope of StateRAMP requirements due to the unique characteristics of the cloud computing service. Cloud computing services are out the scope of StateRAMP provided the service does not:

• process, store, or transmit confidential city-controlled data (except as needed to provide a login capability or as it relates to ecommerce purchasing/reserving/booking for agency functions, e.g., username, password, email, or information required for enabling multifactor authentication); or
• have access to read or modify confidential city-controlled data on agency systems such that any security incident might affect such systems.

A cloud computing service that meets the above requirements may be considered out of scope of StateRAMP requirements if the services falls under one of the following characteristics and categories:

• Consumption-focused cloud computing services such as advisory services, market research, or other resources that are used to gather research or advisory information.
• Graphic design or illustration products.
• Geographic Information Systems (GIS) or mapping products.
• Email or notification distribution products.
• Social media platforms and products.
• General business productivity products.
• Cloud computing services used to deliver training.
• Cloud computing services used to transmit copies of nonconfidential data as required by external governing bodies for purposes of accreditation and compliance; and
• Web applications or services used for purchasing supplies, travel and booking accommodations, reservations, or other general purpose procurement applications that only access payment information of the agency or agency personnel.

A cloud computing service that is out of scope of StateRAMP requirements is not subject to the StateRAMP certification preference established herein. However, the cloud computing service must still comply with any required control baselines established by the City of Fishers.

Collaboratively, the Business Solutions Group (BSG) and Information Technology (IT) departments are responsible for determining whether a cloud computing service is out of scope for StateRAMP and maintaining an inventory of cloud computing services that it has designated as out of scope. While these cloud services are out of scope, BSG and IT will still use care when procuring or using such services.

StateRAMP Progressing Security Snapshot Program. It is the preference of the City of Fishers that products without a StateRAMP status of Ready, Authorized, or Provisional, should enroll in the StateRAMP Progressing Security Snapshot Program, complete quarterly Snapshots, and provide monthly progress reporting to StateRAMP until StateRAMP Ready, StateRAMP Authorized, or StateRAMP Provisional status is obtained. The requirements for this contract are outlined below. If the provider does not already have a StateRAMP status of Ready, Authorized, or Provisional the appropriate status must be achieved in the following timeframes: (1) StateRAMP Ready should be obtained not later than 18 months after execution of this contract, (2) StateRAMP Authorized or Provisional status should be obtained not later than 24 months after execution of this contract. Subsequent Security Snapshots should reflect progress toward increased security controls and StateRAMP status.  The City of Fishers must be granted visibility and access through StateRAMP for progress reviews as requested.

StateRAMP Ready. Products with StateRAMP Ready status should maintain StateRAMP Ready status for the duration of the contract. The City of Fishers should be granted visibility and access through StateRAMP for continuous monitoring as requested.

StateRAMP Authorized and StateRAMP Provisional. Products with StateRAMP Authorized or StateRAMP Provisional status must maintain either a StateRAMP Authorized status or a StateRAMP Provisional status for the duration of the contract. The City of Fishers should be granted visibility and access through StateRAMP for continuous monitoring as requested.

Preferential review will be given a vendor who submits one of the following with the contract terms:

• Proof of current StateRAMP Authorized status in the form of a StateRAMP Letter
• Proof of current StateRAMP Ready status in the form of a StateRAMP Letter
• Valid StateRAMP Security Snapshot Score, and proof of enrollment in the StateRAMP Progressing Security Snapshot Program

Continuous Monitoring – When a StateRAMP Security Snapshot or StateRAMP Authorized is provided, the vendor(s) will grant access to continuous monitoring and reporting upon receiving award for StateRAMP Security Snapshot, Ready status and Authorized status through the life of the contract to the City of Fishers. The City of Fishers reserves the right to request and review all Third-Party Assessment Organization (3PAO) audits, risk assessments, vulnerability assessments, and penetration tests of the contractor’s environment. The contractor shall respond to all flaws discovered by providing a mutually agreed upon timeframe to resolve the issue and/or implement a compensating control.

StateRAMP Status – Contracts will be entered into with selected respondent(s) offering a product that processes, stores, transmits and/or could impact government data, with preference given if the proposal includes written documentation that the product has either achieved a minimum of StateRAMP Provisional status or has a valid StateRAMP Security Snapshot at the time of proposal submission.

Any deviation from these requirements must be approved by the Chief Security Officer and Business Solutions Department. Information about StateRAMP can be found at www.stateramp.org

StateRAMP enables service providers to become authorized through a sequence of steps that are streamlined and can translate across participating states and local jurisdictions in order to reduce redundancy and improve efficiency.  

The three stages of StateRAMP validation are StateRAMP Security Snapshot, StateRAMP Ready and StateRAMP Authorized. 

To access the Getting Started Guide for Providers, click here.