Arizona and StateRAMP
The Arizona Strategic Enterprise Technology Office published Policy 1100: Cloud First in 2019, which requires all state business units to use cloud computing services (IaaS and PaaS) and commercial cloud-based applications (SaaS) for any new information technology investment. To keep security requirements adequate, Arizona delegates security risk management to the individual business units, which must have a third party conduct a security assessment of any system that processes, stores, or transmits confidential data. Arizona Policy 4470, Data Governance Documentation Policy, requires that contracts and other governing documents spell out the explicit IT security compliance requirements.
How do I know if my system will be required to comply?
Whether a system is a “covered information system” is decided by the Data Policy Council, which determines which information systems must comply with Arizona’s Data Governance Policies. A system is considered a covered information system if one or more of the following apply:
- The cost of the Information System exceeds $1,000,000.
- The Information System provides a critical business function.
- The Information System provides data or data services to external applications or systems.
- The Information System consumes data or data services from external applications or systems.
- The data includes sensitive, private or confidential data.
- The data is published for consumption by the public.
- A process to access the data exists or is being developed and requires a level of security equivalent to SICAM Assurance Model Level 2 or higher. (See NIST Special Publication 800-63).
What is the compliance timeframe?
Arizona allows organizations to reach full compliance in stages. The timeline below summarizes the implementation schedule.
- Pre-Proposal: The Arizona bid and proposal process requires applicable organizations to submit the completed Arizona Baseline Infrastructure Security Controls Prerequisite assessment spreadsheet (35 questions), which asks how the organization implements 36 NIST SP 800-53 controls.
- Within 30 Days After Award: The awarded contractor must register with the Arizona StateRAMP program office, which ultimately issues a StateRAMP Membership Number.
- Within 45 Days After Award: The contractor must complete the AZRamp 325 Moderate Impact Control spreadsheet (columns I through N) and submit it to the State Chief Privacy Officer (Enterprise Security, Privacy & Risk Compliance team).
- Within One Year of Award: The contractor must obtain a StateRAMP NIST Moderate Impact authorization (Authorized or Provisional status). Supporting documentation for AZRamp Moderate includes an IT System Security Plan (SSP) or Written Information Security Program (WISP) that responds to the Column F controls and control enhancements. Questions go to the State Chief Privacy Officer (Enterprise Security, Privacy & Risk Compliance team) at GRC@AZDOHS.gov.
Low or Moderate Impact?
Arizona requires data categorization that aligns with the NIST categorizations of “Low Impact” and “Moderate Impact,” using the following guidance:
- Low Impact: If a Contractor may process, transmit, or store non-sensitive State Data, metadata, and/or Data that may be released to the public that requires no additional levels of protection during its Work under the Contract, then the Contractor shall follow the NIST Low Impact security controls as directed by the State Chief Privacy Officer (Enterprise Security, Privacy & Risk Compliance team).
- NIST Moderate Impact: If a Contractor may process, transmit, or store one or more of the following types of Data during its Work under the Contract, then the Contractor is required to implement the NIST Moderate Impact security controls and obtain StateRAMP Moderate (Authorized or Provisional) status:
- Personally identifiable information (PII) as defined by the U.S. Dept. of Labor (DOL).
- Protected health information (PHI) as defined by HIPAA.
- Payment card industry (PCI) Data as defined by the PCI Security Standards Council (PCI SSC).
- Criminal justice information (CJI) Data.
- Federal tax information (FTI) Data as defined by IRS Publication 1075.
- Data that, if lost or unavailable, would disrupt government operations or cause a loss of public confidence or trust in the government.
- Any other Data the State Chief Privacy Officer (Enterprise Security, Privacy & Risk Compliance team) directs to be treated as Moderate Impact.