TechTables Podcast
TechTables Podcast

Episode 69 · 11 months ago

Ep.69 StateRAMP: Onboarding Strategies [LinkedIn Live] with J.R. Sloan, CIO, State of Arizona



J.R. Sloan, CIO, State of Arizona

Connect w/ J.R.: LinkedIn

Nagarro Public Sector - Diamond Sponsor

And a huge thank you to Nagarro Public Sector. This live podcast would not be possible without the support and love of Nagarro. Nagarro Public Sector excels at helping senior technology leaders in digital disruption from Cloud, AI, Big Data, and digital product engineering to system integration work across platforms. To learn more about Nagarro, check out

We Cover:

  • "Cybersecurity is homeland security-" hear what JR means by this and how Arizona is leading the way in stewarding their citizen's data
  • JR deep dives into the genesis of Arizona's StateRAMP and shares his vision for where to go from here
  • Cybersecurity efficiency: how to vet vendors before the vested final stage
  • StateRAMP -  


Want to dive deeper? Check out my episode on TechTables -

And if you're a CIO or technology leader interested in coming on TechTables, shoot me an email at

Thank you for supporting Levity Media LLC ❤️, a small business growing private and public sector technology communities through fun and engaging conversations with top technology leaders. Learn more about Joe Toste (me) at

See what episodes I'm creating at

Welcome back to tech tables, Jr. Actually this is my first linkedin live. Can you believe that I actually haven't done it live? I'm surprised. This is your first and I'm excited to be your first linkedin live. I love that. Yeah, yeah, yeah, first, first one, although next week I'm doing I think, six interviews live. We're gonna be bringing the content. So anyway, super excited have you? Jr is the C I o for the State of Arizona and also the president of state ramp, and we're gonna be talking about state ramp today and I'm really excited about this. I've already interviewed J R. Episode Fifty. HOW LEADERS DO HYBRID? So if you're interested in hybrid work and how the State of Arizona is doing that really well, great conversation that I had with J R. Episode Sixty, World Class digital government in Arizona. That's another really great episode. So if you're curious about digital government in Arizona, what are they doing? How does Jr I think about this? That's another great episode. Both those are on tech tables, so make sure to catch those and uh, I think after this, I think in future go lives. I'M gonna have like my wife like add in links in real time and communicate with people. It's a little harder when you're just doing it by yourself, but that's okay. So I'M gonna post when this ends. I'M gonna add those links in that way anyone can catch those. I'm also going to add in the link after this interview for State Ramps Registration. So today we're talking all about state ramp. So if you're a vendor and you want to sign up, I'm gonna that's the page, and then if you are a state or local government and you want to sign up, I'm gonna drop that registration link State Ramp Dot Org. I think it's backslash. Hey, this podcast would not be possible without the support of Negaro. I really camp size is enough like Negaro as a big supporter and they excel at helping senior technology leaders and digital disruption, from cloud ai to big data and digital product engineering to system integration work across platforms. To learn more about Negaro, you can check out NEGARO DOT com. All right, let's get right into this. So J are there a lot of enterprise SAS companies selling to the federal government. We know cloud has exploded and the federal government needed a way to assess the level of risk for cloud service providers, and that's where fed ramp, the federal risk and authorization management program comes in order to sell to the U S government, you need to be fed ramp certified. Now we know that cyber attacks aren't only for the federal government and that's where state ramp comes in. That's great, so to create a common method to verify cloud security. So, for those who aren't familiar, can you walk us through what state ramp is? Sure, and I'll stop back just a little bit. You mentioned adoption of Saas and cloud environments and that's really been the key driver for actually driving security, as well as innovation and I think efficiencies across state governments, and not just state governments, for reaching down into the local and municipal governments as well. Because, frankly, as a citizen, like how many times you you interact with government entities, and I think too often. Today we touched on this. I think in our world class services you have to know which government enemy entity am I dealing with and within that, which department, and do I have to... to or how do I find their website? And as we're trying to get all this stuff done and do it faster, be more agile and power delivering services, cloud has been a key enabler for us in accomplishing those things. So as we adopt cloud services, we're putting data up there, all the data that that we deal with and and states deal with, a tremendous amount of regulated data, everything from health information to we carrying lots of social security information and social services information, driver's licenses, we have criminal justice information, tax information, just a variety of regulated data that we have to provide proper care for. We are custodians and stewards of that data and so we have to ensure the protection of data no matter where it is. And so state ramp is really the recognition that is as we are adopting cloud and needing to be good stewardes of that data in the cloud. Each state had to take on the burden of understanding, does this cloud provider that I'm going to work with do they have the right security controls in place to properly protect that data? And so we were having to stand up our own programs, do our own assessments and I'll say Arizona started our program were not too creative and we followed the federal m model. We called it as ramp just because we wanted to folks to recognize they had a lot of the same intent that the federal program did. But one of the key artifacts about, you know, people don't know about federal am is that if you're not if you don't already have a federal contract in place where you're actively engaged with the federal government, you can't raise your hand and say, Oh, I'd like to go through the federal process. So a lot of vendors that that we might deal with at the state level don't do business and may never do business with the federal but we need to do business with them. So we need to make sure that we can provide the right assurances and protections around that data. So we have that tension then of how do we put forth the right effort to do the assessment understand the position and the posture, security posture of these vendors from the vendor's perspective, as they're dealing now with fifty, fifty two different states and they may be going through slightly different processes over and over as they engage with each state to sell their products, and so state rapid really born out of a recognition of there's inefficiencies that every state is having to do this on their own, there's inefficiencies for vendors that they're having to go through this multiple times, and so it was really modeled off of the federal process and we had multiple states and the National Association of State Ce Ios came in and participated, the National Association of State Procurement Officers also participated, we had vendors into the state and local government space also participated and more than a thousand hours were put together to help craft and design the state ramp program and ensured that it was gonna provide good value on both sides, so it would provide the assurances that the states need that the vendors have been properly vetted, they go through the certification process. And the key component the State Ram brings over the program that we have an have had in the Arizona is this ongoing, continuous monitoring...

...component which is vital to really understand. Not just did you show me the documentation and you show me that you have the processes of procedures, but I can now see that it's having the proper effect in your environment on an ongoing basis. So that's, I'll say, a kind of quick overview and the Y and the why it's important for state ramp. I love that. Also, I love how different states are. They took the ramp. So there's the A Z ramp. So we've got the Arizona ramp. Texas they've got text ramp. So I just let every state is like taking their own piece of value. We'll actually go a little bit deeper into that in a few more questions. But so it's been almost a year since state ramps been launched. R I think it was planning, was implementation. So where would you say Arizona is, because I know there was like the initial pilot, but you weren't just in it for the pilot. You're in it for actually implement it. And then where do you two going with Arizona and state ramp? Yeah, honestly, Joe, we're still the pilot right. We're the first state that is really adopting state ramp. We're trying to do what we I think, what we try to do on a regular basis in Arizona, which is to lead where we can. And cybersecurity. Arizona has been been a top priority for the governor for his entire administration and he continues to make investments and to elevate cybersecurity understanding. The cybersecurity for him is Homeland Security and it's that important. So Arizona's were still in the pilot phase. I expect the pilot to run, you know, really well in the two we want to exercise all elements of the statement program we've got things we want to work on in terms of not just okay, how do we onboard new vendors new products, because when you look at State Ramp you're not certifying the vendor, you're certifying the application of the you know, the various you know products that they might have that they offered to states. So as we on board those, we want to see how that process works start to finish with a ramp. We also have, like I said, two hundred, almost two hundred and fifty vendors that that we have done our own process on and we need to work through how we transition those vendors who into state ramp Um and of course I think every state will need to continue to have some ability to to have its own own process to to assess a vendor, whether it's for whatever the circumstances are like. With every policy, every standard you have, and there's all you always have to have the okay if, if there's a need for an exception, how do you hand the states will need to have, you know, sort of an exception handling. I think you know we're definitely gonna have that in Arizona. I think if you you know, I know you talk a lot with with Mandy and Texas. They've got a very solid approach and and they're going to have an exception process as well. But state ramp is going to be a great partner, I believe, for Arizona and for really all the states going forward to help address this issue of cloud service provider application security compliants. Yeah, no, I love that. I'm just kind of curious around how you're the president of state ramp. What was the I'm...

...just naturally curious around what was the story behind leading up to that of joining state ramp or being that founding member that you felt like hey, I really want to take ownership of this and helps state ramp lead in the country. I'll go back to the genesis of state ramp right. So I'm it's it's literally my last meeting, person, meeting I had before we all went home and I was I was in my office. I had a meeting with Joe Bulowski from Knowledge Services. He and I were talking about cloud and security and what's arizone doing to help ensure a security compliance with our cloud cud vendors and and he was asking me about what are some of the challenges that you see with that, and I was talking about, Hey, I've got a lot of resources that we're having to deploy on this and we've really had to work hard on how the security review process fits into our overall procurement and acquisition processes and I talked about that. The scalability is a concern. The amount of resources that I have to put in this as a concern, I said, and I see the burden on vendors as well, and I said I really wish there was something like a state ramp. And it was at that point that Joe pushed a card across the business card, across the table to me. The said state ramp on it and that was really the start for me. I was I was in at that point. I was excited to see just how aligned I think we were in our visions for what this could be and it's really been a privilege to participate in the process all the way along Arizona. It's not just been me. There's a lot of the team from Arizona and including our Sisco Tim Romer, terms of our shout out. He's awesome. Him, Tim Tim's awesome. Multiple members of our Cyber Command team have participated in the Standards Committee and just the entire process of getting sharing the model that we have put together, benefiting from seeing what other states had done, hearing getting good input from the vendor community and the supplier community on on what they what's going to make it valuable for them, and I think we really got a lot of great input. It has helped to guide things. Yeah, I love the I think just talking about the challenges, the problems on I think both sides right, both on the the state side and the local side, and then on the vendor side. And you said you don't actually you have to certify the the products. It's not the vendors to do the security assessment review on each product. Is that right? Yeah, that's right. When we when we go through the process, it's not. We're not saying like hey, you know, we'll pick someone big, CISCO, right. We assessed Cisco and they're like all good to go. Okay, now Cisco is a big enough organization. Right. They do participate in Fed ramp. Again, modeled after fed ramp. It's gonna be applications web X, right, they were one familiar with web actually, we've all used it. That application had to go through its own discrete process and so it wasn't something that didn't know. Even though Cisco Likely reuses a lot of the processes and controls throughout the organization, each application functions somewhat independently and it will hold data independently and there needs to be assessed independently. Yeah, I know,...

...that's fantastic. And how do you think about crafting the rules and structures for cybersecurity and state ramp while still providing the flexibility and agility for state and local governments to deploy new cloud technologies quickly? I think it's a key part of it's a key enabler. So let's talk about some of the challenges. You know that that we were having when we look back at the whole acquisition process, because what didn't change throughout all of this joe is that the state is still we're the steward. We're the person who are the people that are accountable for what happens with that data. If it's a bad day in any state and there's a data breach, but the states responsible for that. We can't point and say, Oh, it was that, it was this cloud provider that didn't do the right thing. Ultimately, we are on we are on the hook for it. That's why maybe we've seen some hesitancy in some environments for folks adopting clouds. They think, Oh, do I not have control? The fact is that these cloud service provider partners are investing far more in their security infrastructures and technologies than states and locals will ever be able to invest. The answer on can we be secure in the cloud is absolutely can we, and potentially we are more secure in working with good cloud partners and then we can be with the budgets that we have available to us on our own. I just it's going to be a key enable and what state ramp really does is that in the acquisition process, where you don't want to be is you've gone through your RFP, you've done your evaluation, you've selected your vendor, everyone's all excited to start this project and go and someone raises their hand and says, Hey, what about security? Do we do? We know that this vendor is capable of protecting the data that we're going to give them and all of a sudden you stopped the project and we had that happened in Arizona many years ago, and so we recognize that we have to pull the security review further up in in the process and make sure that we're not holding up the project. Now. The flip side of that is, if you're doing this on your own, is at if you have fifty vendors responding to an RFB, you can't assess all fifty of them. That's just not a reasonable way to spend resources. So you're trying to figure you're trying to find that balance between how do I vet down to the likely vendors, how have I ensured that maybe there's at least a high level review that's happened before we get to the best in final and then how do I ensure that the final review for the awarded vendor happens in a timely manner that doesn't hold up the project. So where state rap comes in is that that entire process could be completed and effectively the vendor certified before they ever even respond to a solicitation or an RFP. Yeah, I know that's great around safety and not having to stop a project. That sounds really painful, by the way, to go through the whole RFP process, which I haven't been through because I don't ever submit an RP for anything, but from what I hear from the vendors who work with the government, the RFP process can be quite painful sometimes. Yeah, we don't want to stop the process. So that's really great. So some other C I O S and C so you've been talking to a lot that are coming on board. You're having these conversations with state Ram if they're...

...they want to get certified. If you're a vendor and you want to get certified, how long does that take, both for the state level and if you're a vendor partner? I'm going to give a classic governmental response, like it depends. Um really it does depend on where are you in, let's say, your overall like security journey. If you are a vendor and you've participated in your larger vender, are you participated in the Feder ramp program you're pretty much in a good spot and there's a fast track process to really look at what was the nature of your fed ramp authorization and that could you could really move through the process with State Ram. If you have had some security audits, let's say you've done like sock to or or some of the other security audits that that are available Pc, I say that will probably put you in a good spot because you've already had to demonstrate that you have the documentation, the procedures, the security controls, and it's really it's that same type of process. Um. Now, if you're starting from such and and this is new ground for you, I'm not knowing you know how to go through that process. It's going to be there. There's the third party assessment organization that's going to work with you. UH, they'll walk through the processes, they'll identify the gaps, they'll provide you the guidance on on what you need to do to close those gaps. And and also, and if a Rense, and repeat on assessins or a gap as there a mitigation for that. How do we close that gap? And then ultimately you get to the point of being ready and achieving authorization. That's great. As we were gonna WE'RE gonna wrap up. I think this was a great short teaser into state ramp that I really like. There are a lot of deeper podcasts on state ramp. I listened to a few. They were fantastic and there's actually a few on the state ramp, I think homepage if you go there, state Ram Dot Org. And then also the Nacio podcast is fantastic. I was listening to a Gal. What was her name? Nancy? Oh, Nancy Rain SEC is out of Texas. She may have been talking about it, but Leah McGrath is the executive director. Lea McGrath. Yes, yes, Leah. Yeah, she was great. She's on a whole another level. Obviously she's the executive director, so she really has she really knows, she really knows the INS and outs of it. But before we wrap up, I was kind of curious because I was like, okay, so jr just recently went to Nacio and then I was like, I know there's some water cooler conversations. So I was picturing you, like hey, cee I o and other state, have you heard of state ramp? Are you actively pitching, like how did you have those conversations there at Nacio or I'm just trying to see if there was any good conversations that you had that came out of that. Yeah, so the NASCIO annual event, which obviously is a major event, was great. We were finally back in person this year. We were up in Seattle, Beautiful City, and do you do you answer your question, Joe? It's it was really more of a pull than a push. I had a number of states come and ask me about state up, about...

...the Arizona's experience with it, asking some of the same questions we've talked about them and really, I think, looking to understand how does this fit into, you know, their overall strategies, and is their flexibility for them? Some of those types of questions. Last week I was at a different Nacio event, which is what they call their ce I o confidential and so we had probably thirty five C I o s there and in the room next door we had about the same number of SISSOS and we had a first meeting of chief privacy officers from the states and this was this is a unique event that Nacio puts on. There's there are no vendors there. So it's literally two days or two and a half days of water cooler. We got to decide what's on the agenda. What are we talking about? What are the things that are relevant to us, and we spend our time. We were talking about what's our operating model, what's our business model? Is C I o states? How's that evolving? How's it changing? How do things like cloud technologies affect what we're doing where we're not the owner operator of the cloud service or the services that we're providing, but we're partnering with cloud providers to help the state be more elastic, more agile, have more scale and be able to just move faster in in adopting new technologies and innovating. We spend time talking about cybersecurity and what are the what are the trends that we're seeing? Obviously there's lots of talk around the cyber funding that's coming down from a federal perspective. We had a whole the whole Webinar that that will continue to go on that as those states continue to understand what the federal guidances and the rules surrounding how those funds get distributed. And we spend time talking about diversity, equity, inclusion and talent management and how we're how we're making sure that we've got the best talent on board and that how diversity and equity factors into that and how we're ensuring that our our organizations reflect the community around us and not just the benefits of that, but the opportunity within that to really serve our constituents better. When, finally, uh, not, probably not surprising, we spend some time talking about okay, what are the you know, legacy things that we have in our environments? What are what's going on with modernization of applications? What are some of the key trends, key enablers that are? They're happening in that space? And so again it was, yeah, lots of good conversations, a lot of fun made. Be Spent time talking about digital services as well. What are the new trends? But what are the what are some of the partners are helping to solve key problems? How are we all moving forward? Yeah, I love that. Was that in Kentucky, by chance it was. It was Lexington, Kentucky. So I was at task last week in Austin and which is I don't even actually know the acronym off the top of my head, I do, but it's seven twenty in the morning and anyways, it's like the Texas Association of systems and I don't know. So I'm there and then on the agenda is like prerecorded message from Mandy Crawford and I was like laughing, so I actually took a snapshot of it, circled her section, texted it to her and was like this is a great way to scale yourself, by the way, just have prerecorded messages everywhere you go. And so awesome. Jr, thanks again for...

...hopping on tech tables live. First one live and I know I just love having these conversations with you and we've had the opportunity to meet and have breakfast. I even brought my daughter along when we met last time, which is so fun. And I'm actually gonna be in Arizona this week, crazy this Thursday. If anyone's there, I'm hearing Tim Romer speak eggs and cybersecurity. Doesn't get much better than eggs and cybersecurity. So I think it's at the Arizona Chamber of Commerce. If I'm got that, it might be that one, might be that one. I don't know. I'm I'm looking at that one. I've got a different event that I'm committed to that day and then I'm I'm on a cyberpanel Friday morning. So yeah, no, I love it. I love it. Thanks for dropping in and right after this I'm gonna drop the links for the two episodes that I have with Jr, episode fifty, episode sixty on tech tables and I'm gonna drop the state ramp. If you have any questions for Jr, please drop them in the comments below. I can always email those to him. And Yeah, looking forward to I'm just seeing you next time, J R. Thanks for coming on tech tables. Appreciate it. Thanks, Joe. Always great to talk with you. Look forward to the next time we get to connect. How about Great Christmas right now? Merry Christmas.

In-Stream Audio Search


Search across all episodes within this podcast

Episodes (54)