States Share How They Are Leveraging GovRAMP to Improve Consistency, Efficiency and Oversight
Indianapolis, IN — April 22, 2026 — Arizona, Indiana, Massachusetts, Minnesota, Nevada, New Hampshire, North Carolina, North Dakota, Oregon, Texas and Utah are among the states using GovRAMP to strengthen cybersecurity, streamline vendor risk management and reduce duplication in technology procurement.
GovRAMP released a new government engagement roundup highlighting how these states are leveraging the program as part of their broader third-party risk management and cybersecurity strategies.
As states face continuing cyber threats, growing reliance on cloud services and increasing pressure to modernize procurement, CIOs and CISOs are focused on improving consistency in vendor security requirements while avoiding repetitive assessments. The examples below illustrate how states are applying GovRAMP in practical ways to support secure technology adoption across agencies.
“Each of these states is using GovRAMP in a way that aligns with its own governance, procurement and security priorities,” said Leah McGrath, executive director of GovRAMP. “What they share is a focus on improving consistency, reducing unnecessary burden and strengthening oversight of the vendors that support critical public services.”
How States Are Leveraging GovRAMP
Arizona
Modernizing statewide vendor risk management
JR Sloan, Arizona state CIO, highlighted Arizona’s transition from AZRAMP to GovRAMP:
“Arizona’s migration from AZRAMP to GovRAMP represents a major modernization milestone for our state. By shifting to nationally aligned standards, we are reducing redundancy, improving efficiency for vendors, and ensuring a more consistent approach to managing security across agencies.”
Indiana
Elevating statewide cyber readiness
Hemant Jain, Indiana state CISO, said GovRAMP supports consistency across agencies:
“GovRAMP has helped Indiana advance our statewide approach to cybersecurity in direct alignment with Governor Braun’s executive order for a defined Enterprise Standard. By establishing a clear security standard for our vendors and the data they handle, we’re positioning Indiana to adapt quickly to emerging threats, while continually building a stronger security posture.”
Massachusetts
Streamlining and accelerating security reviews
Anthony O’Neill, Massachusetts state CISO, emphasized efficiency:
“GovRAMP has significantly streamlined how Massachusetts conducts security reviews for technology vendors. By relying on a trusted framework, we’re reducing review times, eliminating redundant assessments and giving agencies a clearer faster path to onboard secure solutions.”
Minnesota
Strengthening protection for sensitivity data
John Israel, Minnesota state CISO, highlighted assurance for high-risk systems:
“GovRAMP plays an important role in how Minnesota evaluates and oversees solutions that handle our most sensitive data. It provides added confidence that vendors are prepared to protect critical systems and resident information against evolving cyber threats.”
Nevada
Strengthening statewide cybersecurity requirements
Tim Galluzi, Nevada state CIO, spoke to Nevada’s upcoming requirements effective July 1, 2026:
“Nevada’s GovRAMP‑based requirements reflect our commitment to strengthening cybersecurity statewide. GovRAMP gives us a clear, repeatable way to understand vendor security posture and set expectations from day one.”
New Hampshire
Streamlining secure technology procurement
Denis Goulet, New Hampshire state CIO, noted the procurement benefits:
“Third party cyber risk management is a priority for the state of NH, and GovRAMP is right with us in this endeavor. By referencing GovRAMP in our contracts, New Hampshire is reducing repetitive security assessments, accelerating procurement and strengthening our cybersecurity posture.”
North Carolina
Advancing consistent third‑party risk management
Bernice Russell‑Bond, North Carolina’s State CISO, Department of Information Technology, said new requirements are already helping:
“GovRAMP‑aligned requirements that took effect April 1 are streamlining evaluation processes and setting clearer expectations for vendors serving the state. GovRAMP brings much‑needed consistency to how we manage third party cyber risk.”
North Dakota
North Dakota – Strengthening third‑party risk through continuous monitoring
Josh Kadrmas, North Dakota Information Technology senior GRC manager, emphasized ongoing value:
“As we’ve incorporated GovRAMP into our third‑party risk management program over time, we’ve seen real value from the continued iterations to its security program. Each refinement has made the program more usable for both agencies and vendors, providing a clearer and more consistent way to assess risk and support secure procurement across the state. Access to GovRAMP authorization package documents further enables continuous monitoring of critical vendors, strengthening due diligence and ongoing compliance.”
Oregon
Ensuring consistent vendor security expectations
Cinnamon Albin, Oregon deputy CISO and cyber risk and governance director, highlighted alignment:
“Using GovRAMP into our contracting process helps ensure each vendor meets a consistent security baseline, supporting a unified security posture across agencies.”
Texas
Reducing duplication and improving accountability at scale
Tony Sauerhoff, Texas state CIO and executive director of DIR, emphasized predictability:
“GovRAMP helps Texas reduce duplicative assessments, set clear expectations for suppliers, and improve accountability across a large and complex technology ecosystem the third-party landscape. It’s accelerating our work to protect the systems Texans rely on every day.”
Utah
Improving consistency in vendor security documentation
Alan Fuller, Utah state CIO, reflected on Utah’s experience:
“Since Utah’s GovRAMP requirements took effect in 2025, we’ve seen meaningful improvements in the consistency and quality of security documentation across vendors. GovRAMP has helped us create a repeatable, dependable model for managing third party cyber risks statewide.”
About GovRAMP
GovRAMP is a nonprofit membership organization dedicated to advancing consistent, trusted cybersecurity practices across state, local, tribal, and educational government. Guided by its mission to make cybersecurity easier to understand, implement, and maintain, GovRAMP provides a standardized framework, independent validation, and community-driven education that help governments adopt secure cloud solutions with confidence while enabling service providers to demonstrate trusted security through clear, evidence-based practices. By bringing together public and private sector partners, GovRAMP supports policy collaboration, strengthens shared assurance, and helps build a more resilient cybersecurity ecosystem that protects government services, data, and the communities they serve. Learn more at GovRAMP.org or contact our Government Engagement Team at get@govramp.org.