May 5, 2025 – INDIANAPOLIS, IN – GovRAMP today announced the official launch of GovRAMP Core, a new verified security status that expands the nation’s most trusted cybersecurity framework for public-sector cloud solutions. GovRAMP Core is a first-of-its-kind designation that bridges the critical gap between early-stage visibility and full authorization, offering a faster, lower-cost path to validated cybersecurity assurance for both providers and government buyers.
Developed in response to direct feedback from states, local governments, and cloud service providers, GovRAMP Core verifies the implementation of 60 priority NIST controls selected based on the MITRE ATT&CK Framework and aligned with the GovRAMP Moderate Impact Level baseline. GovRAMP Core includes quarterly continuous monitoring and is assessed directly by the GovRAMP Program Management Office (PMO)—eliminating the need for a third-party assessment organization (3PAO) at this stage.
Charlie Rote, Deputy CISO for the State of Maine and Chair of GovRAMP Standards & Technical Committee stated, “Core Status offers a niche but valuable capability for states to manage third-party risk—providing an additional tool to assess vendor security while enabling cloud providers to demonstrate readiness without requiring a full 3PAO assessment. This supports a risk-based approach, giving agencies the flexibility to evaluate and adopt lower-risk solutions with effort proportionate to the risk involved, while maintaining consistent security expectations.”
GovRAMP Core has already gained early traction among state procurement leaders. Several participating governments, including Arizona and Utah, are planning to integrate Core Status into contracts where traditional authorization may be cost-prohibitive or time-restrictive, or use it as a steppingstone to a higher authorization level.
“Progressing Snapshot still plays a vital role in helping providers demonstrate early progress,” said Leah McGrath, Executive Director of GovRAMP. “GovRAMP Core builds on that foundation, offering formal validation where it’s needed most—without compromising standards or slowing innovation. It’s the next step in a more accessible, scalable path to authorization.”
Key Features of GovRAMP Core:
- Verification of 60 top-priority controls aligned to the MITRE ATT&CK Framework and the Moderate Impact Level baseline
- PMO-led assessment—no third-party (3PAO) audit required
- Includes Quarterly Continuous Monitoring to strengthen visibility and maintain buyer confidence
- Formal visibility on the GovRAMP Authorized Product List (APL) for increased visibility and buyer confidence
- Supports multiple pathways—GovRAMP Core can serve as a destination for lower-risk or lower-value contracts, or as a verified stepping stone toward full GovRAMP Ready or Authorized status
- Designed for scalable use in procurement and contract enforcement
Cloud service providers can begin applying for GovRAMP Core Status starting May 5, 2025, via the GovRAMP website. New documentation templates and application guidance are now available at https://govramp.org/providers/core/. For questions, please reach out to info@govramp.org.
About GovRAMP
GovRAMP is the leading authority on cloud security standards for state and local governments, providing a standardized approach to assessing and authorizing cloud services. GovRAMP empowers government agencies and their vendors to navigate the complexities of cloud security with confidence. Learn more at GovRAMP.org.