GovRAMP Progress Report 2025 Shows Cloud Providers Improve Security Controls by 40–60% in First Year

New data confirms Progressing Security Snapshot Program accelerates security maturity and strengthens government confidence

Indianapolis, IN — January 22, 2026 — GovRAMP today released its Progress Report 2025, a comprehensive, data-driven analysis of the GovRAMP Progressing Security Snapshot Program (PSSP), demonstrating measurable and sustained improvements in cloud security maturity among participating Cloud Service Providers (CSPs)—advancing protections for the government data they support.

Drawing from more than 28,600 control-level data points across 181 anonymized CSPs over seven quarters, the report shows that CSPs participating in the PSSP improve security control performance by 40–60% within their first year, with the most significant gains occurring between the second and fourth quarters of participation.

“The Progressing Security Snapshot Program is proving that compliance, when done right, drives real security outcomes,” said Tony Sauerhoff, President of the GovRAMP Board of Directors. “Consistent engagement leads to faster learning, stronger evidence, and meaningful alignment with government security expectations. This is what maturity looks like in practice.”

From Baseline to Readiness: A Proven Onramp to Authorization

The Progressing Security Snapshot Program (PSSP) provides CSPs with quarterly assessments and advisory feedback aligned to NIST 800-53 Rev. 5, creating a structured, iterative approach to security improvement. Rather than a one-time evaluation, the PSSP establishes a repeatable cadence that helps providers close gaps, build defensible evidence, and strengthen operational discipline over time.

According to the report, CSPs achieve a passing status on individual controls in an average of 2.2 quarters, with early progress most commonly seen in areas such as incident response and identity assurance—helping providers build momentum early in their security journey.

“The Progressing Security Snapshot Program gave us a clear structure for improving our security posture over time,” said Mike Tiemeyer, Chief Information Security Officer at Butterfly Network. “The quarterly cadence helped us focus on the right controls at the right time, and that foundation played a key role in preparing us for formal assessment and ultimately achieving GovRAMP Authorization.”

Independent Assessors See Measurable Readiness Gains

Third Party Assessment Organizations (3PAOs) report that CSPs entering assessments after PSSP participation demonstrate greater readiness, clearer evidence, and fewer remediation cycles—reducing friction and improving assessment efficiency.

“Providers who come through the Progressing Security Snapshot Program arrive far more assessment-ready,” said Petar Besalev, EVP of Cybersecurity and Compliance Services at A-LIGN. “They understand evidence expectations, have operational proof in place, and move through assessments more efficiently. That readiness positions us to deliver a more effective assessment experience for PSSP participants.”

Government Confidence Through Leading Indicators

For government agencies, PSSP participation is increasingly serving as a leading indicator of vendor security maturity, providing earlier visibility into a provider’s commitment to continuous improvement.

“The Progressing Security Snapshot Program enables us to make risk-informed decisions earlier in the process,” said Ken Weeks, Chief Information Security Officer for the State of New Hampshire. “It helps us understand which providers are actively investing in security and building the practices needed to protect public data—well before formal authorization. Given the pace of change in the industry, this early perspective is vital to our procurement processes.”

Key Findings from the 2025 Report Include:

  • CSPs that remain in the PSSP for four or more quarters achieve 50% higher pass rates than early-exit peers
  • Configuration management controls are the most challenging—but also the strongest indicators of long-term maturity
  • GovRAMP’s quarterly cadence builds repeatable security habits, not one-time checklists

About GovRAMP

GovRAMP is a nonprofit membership organization dedicated to advancing standardized cloud security for state and local governments, education, and public sector entities. Through collaboration, education, and verified security programs, GovRAMP helps governments and their vendors build trust, strengthen cybersecurity practices, and protect public data. Learn more at GovRAMP.org.

Media Contact
marketing@govramp.org
www.govramp.org