Box attains StateRAMP Moderate Authorization


The last two years have seen a seismic shift in how local governments operate and deliver services to their citizens. The worldwide pandemic and now geopolitical conflict have created a keen focus on protecting information while enabling a seamless and frictionless digital-first reality. Meanwhile, bad actors are trying to capitalize on this shift, pushing out innovative malware strains designed to steal personal information and data. In this rapidly changing landscape, it’s important that organizations know they can rely on vendors to provide resilient, secure solutions. At Box we’re committed to maintaining the highest bar for security and compliance, and are excited to have received StateRAMP Moderate Authorized status, allowing state, local, and education (SLED) government agencies to use Box with confidence.

Box and StateRAMP

Box is thrilled to be an early adopter of StateRAMP and to have attained Authorized status, further proving our commitment to providing frictionless security and compliance. In partnership with LA City Employees Retirement System (LACERS) as our sponsor, Box has successfully demonstrated that we fully satisfy all StateRAMP security requirements. LACERS already trusts Box to help them protect very sensitive personal information that requires the highest of security standards, so to have them also sponsor us for StateRAMP authorization really validates our security-first approach to building the Box Content Cloud.

"At LACERS, we are responsible for the retirement, and ultimately the financial well-being and health of tens of thousands of individuals. Because of the gravity of this responsibility, we hold ourselves to the highest standards of security for our Member and employee data. Traditionally, this has restricted our ability to innovate our operations, but with Box, we found a partner company that held their solutions to those same high standards, which has allowed us to push the digital transformation of our organization forward. Given our compliance commitments to HIPAA and a variety of other operational compliance frameworks, Box’s built-in security features, such as their zero-trust architecture, SSO, email security, and enhanced governance features were a major selling point. Now with StateRAMP emerging as a new standard for cybersecurity, we are happy to partner with Box in their application for StateRAMP authorization.”

-Vikram Jadhav, Chief Digital Officer for LA City Employees Retirement System (LACERS)

State and local organizations need secure solutions

Today state and local governments face multiple cybersecurity challenges: increased cybersecurity breach attempts targeted at public services; the shift to work-from-anywhere (WFA) employees, which has highlighted the need to enable secure collaboration in the cloud; organizations like Child Protective Services that need to protect extremely sensitive personal information that would be potentially dangerous to leak; and government financial organizations being targeted for valuable Personally Identifiable Information (PII). Fortunately, a StateRAMP Authorized solution like Box can help mitigate those concerns:

  • WFA workforce transition. StateRAMP Authorization makes it easy to select a cloud solution with the security controls to match previous on-premise solutions.
  • Health/Safety organizations. A StateRAMP Authorized solution has been investigated to ensure it can adequately secure the most sensitive data a state and local organization might hold.
  • Financial data/PII. Not only does StateRAMP’s high standard of security guarantee that client financial information can be trusted with an Authorized solution, the ongoing monitoring process means you can trust it to stay on the cutting edge of security.

Box’s content collaboration platform provides all the tools your organization needs to work together, with StateRAMP Authorized security controls that provide the security your data requires.

What is StateRAMP?

Inspired by FedRAMP (Federal Risk and Authorization Management Program), a centralized cybersecurity standard for federal cloud vendors, StateRAMP is a series of cybersecurity standards required from service providers offering solutions to state and local governments. In StateRAMP’s own words, “StateRAMP simplifies security by providing state and local governments a common method for verification of cloud security.” With a membership formed of state and local officials, as well as cloud service providers, StateRAMP provides a vetted list of approved vendors that can be trusted to meet the exacting cybersecurity standards required to safely offer cloud-based solutions to state and local government organizations.

“StateRAMP establishes common security criteria to standardize cloud security verification. We are excited that Box has joined our list of Authorized Products, offering a cloud solution that also meets the cybersecurity needs of State and Local organizations.”

-Leah McGrath, Executive Director for StateRAMP

StateRAMP recognizes 6 security statuses representing different stages in the authorization process, which are divided between Progressing and Verified buckets:

  • Progressing (Active, In Process, and Pending)
  • Verified (Ready, Provisional, and Authorized (Box))

Becoming certified by StateRAMP requires a 4-step security assessment involving a registered third-party assessment organization. The security assessment is modeled on the same NIST 800-53 Rev. 4 controls used by FedRAMP, and is designed to assess the risk impact levels for the data being handled and ensure that sufficient security controls are in place. The 4-step process is:

  1. Document, identifying the relevant impact levels and needed security controls
  2. Assess, gathering information on the solution capabilities and controls
  3. Authorize, testing the controls and identifying any gaps/weaknesses then delivering a verdict
  4. Monitor, continuous reporting on a monthly and quarterly basis, along with a yearly audit

Box can help our state and local customers protect their data

StateRAMP compliance is as much about how you use and implement the Box solution as it is about the underlying architecture. Organizational security needs vary, so it is important to have a partner that is capable of helping you navigate the compliance process. Many of our customers leverage Box Consulting experts for implementation and deployment to complement their internal compliance and IT resources.

“Box’s investment in StateRAMP authorization demonstrates our dedication to raising the bar on security for our customers’ content. Helping our state, local, and education customers meet their high cybersecurity requirements is just one example of how Box has committed to fully meeting the cybersecurity needs of all of our customers.”

-Tom Cowles, Chief Compliance Officer for Box

Whether you are feeling the security growing pains from an increasingly remote workforce or looking for a content solution that can handle extremely sensitive personal information, Box is ready and able to help.