How Does GovRAMP Compare to FedRAMP?

When the Steering Committee developed GovRAMP in 2020, they modeled it in part after the federal government’s security assessment program, FedRAMP. Building upon FedRAMP’s ten years of experience, the Steering Committee worked to develop a security review program specifically designed for state and local governments.


What do GovRAMP and FedRAMP have in common?

  • Both programs are built on National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 4 requirements and are in the process of incorporating Rev. 5.
  • Both require third-party assessment organization (3PAO) audits and continuous monitoring.
  • GovRAMP and FedRAMP use impact levels of Low, Moderate, and High that align with the NIST control baselines.
  • Both use the verified statuses of Ready and Authorized.

How are they different?

GovRAMP is organized as a 501(c)(6) non-profit and is governed by a Board of Directors. Because GovRAMP is a non-profit, our mission is to promote cybersecurity best practices through education, advocacy, and policy development to support our members and improve the cyber posture of state and local governments and the citizens they serve.

In contrast, FedRAMP is funded by the Office of Management and Budget, and its focus is on completing the security assessment and providing a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. GovRAMP prioritizes helping providers by supplying them with security templates and resources, reducing time to market, and eliminating barriers to obtaining security verification.

Additionally, there are differences in the level of involvement between the organizations, the service providers completing security reviews, and the government agencies receiving security reporting. GovRAMP’s Project Management Office is designed as a shared resource between providers and government entities while the FedRAMP PMO serves purely as a reviewing body.

With GovRAMP, state and local governments have visibility into continuous monitoring reporting and the security postures of their vendors. In contrast, FedRAMP documentation is only visible to the federal agencies who work with providers, so states and local governments are unable to view verified product and/or security documentation.

Continuous monitoring is critical to preventing cyber-attacks, and GovRAMP gives states the ability to consistently check the security posture of the vendors who serve them. Giving states access to a secure repository ensures consistency in application of standards.

Additionally, if providers are unable to secure a government sponsor, GovRAMP provides an alternative option. Composed of five government members, the GovRAMP Approvals Committee is charged with serving as the body for Government Sponsorship for GovRAMP Provisionally Authorized and Authorized statuses.

Another difference between GovRAMP and FedRAMP relates to their security statuses. GovRAMP Ready statuses do not expire, and providers do not have to have a contract with governments to receive a Ready or Authorized status. With FedRAMP, providers have 12 months once they achieve Ready to find an agency sponsor to become Authorized.

GovRAMP Ready signals that a provider meets the minimum requirements, while Authorized means the provider has a government sponsor. Building an ecosystem of providers is a priority for GovRAMP, so a Ready status will not expire due to the lack of a sponsoring agency.

GovRAMP’s Provisionally Authorized status is awarded by a government sponsor, while FedRAMP’s Provisional status is awarded by the Joint Authorization Board. GovRAMP’s Provisionally Authorized status shows the progression the provider is making and demonstrates that they have exceeded the minimum requirements and completed a full Security Assessment Report. However, it also indicates that they have at least one remaining requirement to complete and have most likely established a timeline with their government sponsor to close out any remaining security requirements.

Lastly, GovRAMP has developed a Fast Track option for companies who have FedRAMP ATO, P-ATO, or Ready status. To learn more about GovRAMP Fast Track, you can read our recent blog post, What Is GovRAMP Fast Track.

If I am a provider with FedRAMP status, why should I consider GovRAMP?

Submitting a product to GovRAMP for review will primarily benefit your state and local government clients as well as reduce the burden on your organization to provide security reporting to each individual state and maintain multiple instances of your security documentation.

By giving states access to continuous monitoring documentation, they receive the visibility they need to best manage risk for their constituents. Over time, more state and local governments will request access to their IaaS, PaaS, and SaaS providers’ security documentation and reporting to ensure their systems are secure.

Rather than having to submit documentation to multiple states, providers can store it in a secure repository where they can maintain a single, verified instance of their security reporting that can satisfy the needs of all their state and local government clients.

What are the benefits of GovRAMP to state and local governments?

State and local governments can benefit from the resources the centralized Project Management Office offers. GovRAMP informs states whether their vendors can deliver the services they need in a way that complies with best practices in cloud and cybersecurity. Additionally, the GovRAMP PMO serves as a partner in the verification process and works with the sponsoring government to provide transparent and accessible reporting on a consistent basis.

Governments can rely on the PMO to provide explanations and rationale for best practices as well as education on security requirements and control families. When a government begins working with a GovRAMP provider or serves as a government sponsor, the PMO will provide onboarding documentation and resources so the government members know exactly what to expect on a monthly basis and how to interpret the reporting provided by the PMO.

What is the cost?

GovRAMP’s goal is to help reduce costs for both providers and state and local governments. By standardizing security requirements in contracts and RFPs, procurement officials can have assurance that their vendor pool of IaaS, PaaS, and/or SaaS solutions meets all the necessary security requirements and is actively engaged in continuous monitoring to ensure ongoing security compliance. As a result, time and money can be saved for both governments and service providers.

Every custom audit a provider must complete delays the point at which it can get to work serving constituents. GovRAMP aims to be a shared resource for providers and state and local governments alike, creating a level playing field with known standards and expectations. Since GovRAMP is organized as a non-profit and the heart of our mission is education and best practices, we exist to help strengthen the security posture of vendors.

To help providers prepare for a security assessment and PMO review, there are over 60 samples and procedures on the GovRAMP website which are reviewed and updated regularly by the GovRAMP Standards and Technical Committee. The Project Management Office exists to offer guidance and help, reducing the need for providers to hire consultants.

If you are interested in becoming a GovRAMP member, register here: https://govramp.org/register/
