GovRAMP announces a new early-stage security maturity assessment tool for cloud products. The GovRAMP Security Snapshot was approved by the GovRAMP Standards and Technical Committee and adopted by the Board as a “pre-Ready” measurement and gap analysis to provide insights for providers and the governments they serve.
The intent of the Security Snapshot is to offer providers a first step toward achieving a verified GovRAMP security status. The criteria are designed to provide a gap analysis that validates a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for GovRAMP Ready, including controls and select additional requirements that would have a significant impact on the state of the system.
“One question we have heard from our provider members is how to get started with GovRAMP. At the same time, our government members have expressed the need for a gap analysis measurement that goes beyond self-attestation and can be consistently applied across products to provide insights into risk maturity as providers work toward GovRAMP Authorization,” said Leah McGrath, Executive Director of GovRAMP.
“The GovRAMP Security Snapshot is an exciting development that answers the needs our members have expressed and helps providers take their first step toward verifying the security of their cloud products for government,” said McGrath.
Providers can begin the GovRAMP Security Snapshot process by becoming a member and submitting an online form, which will go live in January. Once a GovRAMP Security Snapshot is completed, a letter will be issued to the Provider with a product’s security maturity score. Governments will be able to request Snapshot scores from Providers to gain better insight into the security posture of third-party cloud solutions, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) products.
The GovRAMP Security Snapshot can be used throughout the procurement process: Governments may use the Snapshot to determine the risk associated with products being considered for procurement. Governments may also use the Snapshot to assess progress toward GovRAMP Authorization for products once contracted.
“I appreciate the time the Standards & Technical Committee, along with the GovRAMP team, spent developing the GovRAMP Security Snapshot,” said Dan Lohrmann, Chair of the GovRAMP Standards & Technical Committee. “The snapshot has been a missing piece for providers to get started, and we are excited to offer this service to providers and government.”
GovRAMP Security Snapshot reviews will take around three weeks to complete and will provide a moment-in-time representation of a product’s security maturity. GovRAMP recommends that a valid Snapshot be no older than 12 months.
“The GovRAMP Security Snapshot allows us to identify gaps so we can develop resources to help service providers achieve Ready status,” said Noah Brown, GovRAMP PMO Director. “I compare the GovRAMP Security Snapshot to the 2-mile run on the Army ACFT. Before you begin a training program, you need to run two miles and score your time. Before beginning the GovRAMP Readiness Assessment Report, the snapshot can help service providers identify where they are in comparison to GovRAMP Ready requirements.”
Snapshot reviews will be available in January and fees will range from $500-$1500, based on a tiered structure. The updated fee structure can be found here. A letter is provided with the GovRAMP Security Snapshot Score. Scores are not publicly posted and any sharing of Scores is at the discretion of the provider.
Visit govramp.org to view the criteria for GovRAMP Security Snapshots.
Register for an introductory webinar here.