What is GovRAMP?
GovRAMP (formerly StateRAMP) is a cloud security program similar to FedRAMP but for state and local governments. Cloud Service Providers (CSPs) that want to get a Cloud Service Offering (CSO) listed on the GovRAMP Authorized Product List need to secure a security status. The list of governments and educational institutions that recognize GovRAMP standards can be found here.
StateRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers, third-party assessment organizations, and government officials that does business as GovRAMP. Rebranding to GovRAMP in 2025 was done to better capture the scope of the organization’s mission, which supports a “whole-of-state” approach to cybersecurity across all levels of government.
GovRAMP uses the NIST SP 800-53 security controls but includes additional parameters and guidance that address the unique elements of cloud computing.
The NIST SP 800-53 control families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Assessment, Authorization, and Monitoring
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Program Management
- Personnel Security
- Personally Identifiable Information (PII) Processing and Transparency
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity
- Supply Chain Risk Management
GovRAMP Security Statuses
GovRAMP has six security status designations between its Authorized (verified) Product List and Progressing Products List.
Verified Offerings: Ready, Authorized, and Provisional
To be verified, the provider must meet minimum security requirements and provide an independent audit conducted by a 3PAO. GovRAMP recognizes three verified statuses: Ready, Provisional, and Authorized. Ready meets minimum requirements, Provisional exceeds minimum requirements and includes a government sponsor, and Authorized satisfies all requirements and includes a government sponsor.
Progressing Offerings: Active, In Process, and Pending
GovRAMP recognizes offerings in the process of working toward a verified offering. To be listed in progress, the provider must be engaged with a 3PAO for an independent audit. The in-progress statuses include Active, In Process, and Pending. Active is working toward Ready, In Process is working toward Authorized, and Pending has submitted a security package to the PMO and is awaiting a determination for a verified status.
GovRAMP Authorization Process
To become GovRAMP authorized, CSPs need to go through a multi-step process that includes:
Become a GovRAMP Member
Service providers must become a GovRAMP member before their CSOs can be validated by the Program Management Office (PMO), obtain a GovRAMP security status, or be listed on the Authorized Product List (APL). Once a member, there is no limit to the number of products an organization can validate and list on the APL.
Complete a GovRAMP Security Snapshot
CSPs have the option to complete a GovRAMP Security Snapshot. The snapshot serves as a “pre-Ready” measurement, and the criteria are designed to provide a gap analysis to validate a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for GovRAMP Ready.
Identify Impact Level and Desired Status
Before engaging a 3PAO and submitting any documentation for review, a service provider must determine the appropriate security category using the Data Classification Tool. Each category represents a different set of data characteristics and corresponding security requirements ranging from non-private, generally accessible information to protected personally identifiable information (PII) or classified data.
Select a 3PAO
Select a 3PAO to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR).
Complete the Required Documentation
A service provider pursuing Ready status must have 50% of their documentation completed so their 3PAO can complete a GovRAMP Readiness Assessment Report (SR-RAR).
Once a service provider has engaged with a 3PAO to conduct their GovRAMP Authorization Review, the provider must complete a GovRAMP System Security Plan (SR-SSP), GovRAMP Security Controls Matrix (SR-SCM), the Plan of Actions and Milestones (POA&M), and any other documentation required by the 3PAO so the 3PAO can complete a GovRAMP Security Assessment Plan (SR-SAP) and a Security Assessment Report (SR-SAR).
Submit a Security Review Request
Before a CSP can submit their completed documentation to the GovRAMP PMO, the provider must complete the Security Review Request Form. After submitting the form, the GovRAMP PMO team will reach out to schedule an intake call and begin their security review.
Security Package Approval
To obtain Authorized status, a security package needs approval from the Approvals Committee or a Government Sponsor. They will serve as the authorization officials and confirm the package meets GovRAMP requirements.
Obtain Your Status
If the 3PAO attested that the provider meets all required security controls, the GovRAMP PMO verified the findings, a government sponsor or GovRAMP Approvals Committee accepted the provider’s security package, and all outstanding issues and/or inquiries have been resolved, the provider’s security status on the GovRAMP APL will be changed to Authorized.
A Ready status indicates the product meets GovRAMP’s minimum mandatory requirements and most critical controls.
Continuous Monitoring
Once the provider has obtained a verified status, the provider must begin providing the required documentation for monthly continuous monitoring reporting to maintain their GovRAMP security status, as detailed in the GovRAMP Continuous Monitoring Guide.
The GovRAMP Fast Track program allows products that have FedRAMP Ready status to bypass the audit, allowing for the authorization to take weeks instead of months.
The Benefits of GovRAMP Authorization
Dozens of state and local government entities require any cloud-based services they purchase to hold a GovRAMP security status. Not having GovRAMP Authorization could eliminate service providers from potentially valuable business opportunities.
Implementing the security controls required for GovRAMP authorization will give your organization more confidence in the security of your systems and services.
How We Can Help
CompliancePoint’s team of cybersecurity experts offers decades of experience your organization can leverage. We can help design and implement controls that will meet all GovRAMP requirements. Once implemented, we can help manage your security program on an ongoing basis to ensure continuous compliance.
Frequently Asked Questions
FedRAMP is a security framework federal agencies require of their Cloud Service Providers (CSPs). GovRAMP is a similar program, but it is recognized by local and state governments.
GovRAMP is the Government Risk and Authorization Management Program.
Some state and local governments require Cloud Service Providers to hold a GovRAMP security status.