Authorized / Provisional Verification
Achieve the highest level of verified security in GovRAMP.
Authorized Verification represents the most comprehensive level of security validation in GovRAMP—confirming that your product meets all required controls through independent assessment and government review.
This status demonstrates the highest level of trust, positioning your organization to support critical public-sector systems and data.
The Highest Standard of Trust
Authorized and Provisional Verification confirm full alignment with GovRAMP requirements through comprehensive third-party assessment and government approval.
This level of verification requires:
- A complete Security Assessment Report (SAR) conducted by a 3PAO
- Full documentation aligned to GovRAMP requirements
- Government sponsorship or approval through the GovRAMP Approvals Committee
Achieving this status allows you to:
- Demonstrate the highest level of validated security
- Support high-impact government use cases
- Strengthen trust with public sector buyers
- Differentiate your product in competitive procurement environments
Understanding Authorized vs. Provisional Verification
Same level of trust—different dependency status
Authorized Verification
- All requirements fully met and validated
- Complete alignment with GovRAMP standards
- No outstanding dependencies
- Demonstrates the highest level of verified security
Provisionally Authorized Verification
- Authorized requirements fully met and validated
- Relies on interconnected technology not yet GovRAMP or FedRAMP verified
- May include limited items tracked through a Plan of Action and Milestones (POA&M)
- Eligible to transition to Authorized once dependencies are resolved
How to Achieve Authorized Verification
Authorized Verification follows a structured process that builds on prior readiness and validation.
Step 7
Obtain Government Sponsorship or Approval
To achieve Authorized Verification, your security package must be approved by a government sponsor or the GovRAMP Approvals Committee.
You may secure sponsorship directly from a government organization or leverage the GovRAMP Approvals Committee, which serves as an appointed sponsor to review and confirm your package meets all requirements.
Step 9
Maintain Through Continuous Monitoring
Perform monthly continuous monitoring activities to maintain your verified status.
Leverage Existing Federal Work
If you have existing federal security documentation, GovRAMP enables you to reuse that work to accelerate your path to verification—without repeating a full assessment.
GovRAMP Fast Track allows providers to submit existing materials such as:
- Readiness Assessment Reports (RAR)
- Security Assessment Reports (SAR)
- Continuous Monitoring (ConMon) documentation
These materials are reviewed by the PMO to determine alignment with GovRAMP requirements—reducing time, cost, and duplication.
This includes providers participating in evolving federal initiatives such as FedRAMP 20x.
Accelerate Your Path to Verification
Reuse your federal documentation to streamline your GovRAMP assessment and reduce duplication.
Reduce time. Lower cost. Avoid duplication. Move forward with confidence.
Demonstrate the Highest Level of Security
Products that achieve Authorized or Provisional Verification are listed on the Authorized Product List (APL), signaling the highest level of validated security to government buyers.
This visibility positions your organization for the most security-sensitive public sector opportunities.
Engage an Approved 3PAO
Authorized Verification requires an independent assessment conducted by a GovRAMP-approved Third-Party Assessment Organization (3PAO).
Engaging a GovRAMP 3PAO ensures your controls and documentation are evaluated against program requirements and prepares your product for successful review and approval.
How GovRAMP and the GovRAMP PMO Work Together
Authorized Verification FAQs
- How much does GovRAMP Core cost?
GovRAMP Core includes a one-time annual PMO assessment fee, which covers review of submitted documentation, validation of the required security controls, and product listing on the Authorized Product List (APL). No 3PAO audit is required for Core Status.
Annual PMO Assessment Fee for Core Status:
  - $9,000 – Providers with less than $1M in annual revenue
  - $11,000 – Providers with $1M to $5M in annual revenue
  - $17,000 – Providers with over $5M in annual revenue
- How much does continuous monitoring for GovRAMP Core cost?
Once Core Status is awarded, providers are enrolled in Quarterly Continuous Monitoring (ConMon). This is a recurring fee billed each quarter, based on provider revenue.
Quarterly Continuous Monitoring Fee for Core Status:
  - $250 per quarter – Providers with less than $1M in annual revenue
  - $500 per quarter – Providers with $1M to $5M in annual revenue
  - $1,000 per quarter – Providers with over $5M in annual revenue
- Who sees my continuous monitoring reports?
GovRAMP Core includes enrollment in quarterly Continuous Monitoring (ConMon), which is reviewed by the GovRAMP Program Management Office (PMO). While full ConMon data is not public, Participating Governments may request access to your ConMon profile through GovRAMP, ensuring transparency for procurement officials while protecting sensitive provider information. Providers must approve the requested access before Participating Governments are granted viewing privileges.
- Will I be listed on the Authorized Product List (APL)?
Yes. Once you are approved for GovRAMP Core, your cloud product will be listed on the GovRAMP Authorized Product List (APL) as a Core-verified offering. This visibility signals to government buyers that you’ve achieved formal validation and are progressing toward Ready or Authorized status.
- What is the review method for GovRAMP Core?
Core assessments are conducted directly by the GovRAMP PMO. The review focuses on validating implementation of 60 foundational controls selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level. The review includes documentation analysis, scan result validation, and overall program posture evaluation—no 3PAO assessment is required.
- Is GovRAMP Core a self-attestation?
No. GovRAMP Core is not a self-attestation. Evidence must be submitted to the GovRAMP PMO for review. Examples of acceptable documentation include a completed OCM/SSP and other artifacts outlined in our guidance documents.
- Does GovRAMP have an official definition of 'cloud'?
Yes. GovRAMP aligns its definition of 'cloud computing' with the NIST SP 800-145 standard. This includes traditional service models like IaaS, PaaS, and SaaS, as well as hybrid or emerging models that meet the essential cloud characteristics outlined by NIST.
- Can bug bounty programs count toward pen testing controls?
While bug bounty programs can provide useful insights, GovRAMP currently requires that penetration testing follow formal testing procedures as outlined in our guidance documents. Continuous or crowdsourced testing methods, like bug bounties, are not formally accepted as standalone evidence at this time.
- Is there a list of optional controls like pen testing and citizenship shared with governments?
Yes. We provide participating governments with guidance documents that outline required and optional security elements, including considerations around pen testing and personnel requirements. If you’re a government official looking for direction, contact get@govramp.org to request access.
- Will GovRAMP Core influence broader government adoption?
- Does GovRAMP Core require a 3PAO audit?
No. A 3PAO assessment is not required to achieve Core status. Instead, evidence is reviewed directly by the GovRAMP PMO to validate compliance with the required 60 controls and supporting documentation.
- Are policies and procedures required for Core?
Yes. Policies and procedures are part of the required documentation for GovRAMP Core. These include, but are not limited to, your Configuration Management Plan, Incident Response Plan, and Contingency Plan. Refer to the Step 3 guidance on the Core page.
- Does GovRAMP require U.S. citizenship for employees?
No. GovRAMP does not require U.S. citizenship for employees. However, some governments may impose additional requirements depending on the type of data processed, stored, or transmitted. Always review the terms of your solicitation to determine any agency-specific constraints.