Upcoming Changes to the GovRAMP Progressing Snapshot Program

  • Published
To help prepare, GovRAMP is hosting a live webinar on September 23, 2025, from 9–10 AM ET. Join us to hear directly from GovRAMP and the GovRAMP PMO about what’s changing, what’s staying the same, and the steps you can take now to stay in good standing. Register for the webinar

Effective January 1, 2026 

The Progressing Snapshot Program is GovRAMP’s “on-ramp” for cloud service providers (CSPs). It’s designed to help providers strengthen their security posture step by step while giving governments early, transparent insights into vendor maturity. 

To keep the program meaningful, we’re introducing updates that ensure CSPs listed on the Progressing Product List (PPL) are not just participating — but actively improving.

What’s Changing? 

  • Non-Zero Score Required
    A product must score above zero before it can appear on the Progressing Product List. 
  • Quarterly Progress Required
    Providers must show improvement with each Snapshot. Identical or declining scores may trigger the escalation process. 
  • Escalation & Non-Compliance
    New structured process: informal discussion → formal notice → possible removal from the Progressing Product List (PPL). 

What’s Staying the Same? 

  • Advisory Support – CSPs will continue to receive one hour of monthly advisory time to support their progress. 
  • Evidence Refresh – All artifacts must be updated at least once every 12 months to remain valid. 
  • Perfect Scores ≠ Finished – Even a 100% score doesn’t mean “done.” Progressing is not a terminal status — providers are expected to continue toward verified Core, Ready, Provisional, or Authorized status. 

Why These Changes? 

We heard from both CSPs and government partners that the program needed stronger guardrails. 

  • Some providers enrolled but did not actively improve. 
  • Others reached “perfect” scores but stopped short of advancing to verified status. 
  • A few skipped advisory calls, missing opportunities to benefit from the program. 
  • Listing products with zero scores or outdated evidence undermined trust in the PPL 

By tightening requirements and clarifying expectations, we’re ensuring that every CSP listed is genuinely progressing — which benefits providers, governments, and ultimately, the security of the public sector. 

When Do These Changes Take Effect? 

All updates go into effect January 1, 2026. CSPs should take steps now to make sure their products remain in good standing. 

What This Means for You 

For Cloud Service Providers (CSPs): 
  • Make sure your product has a non-zero Snapshot score before January 1, 2026. 
  • Refresh all artifacts so nothing is older than 12 months. 
  • Plan for quarterly improvements — even if your score is already high. 
  • Use your monthly advisory call to identify and close gaps. 
  • Remember: The Progressing Snapshot Program is an on-ramp, not the destination. The goal is always to reach Core, Ready, Provisional, or Authorized status. 
For Governments: 
  • You’ll see stronger assurance that products on the PPL are truly improving. 
  • Quarterly Snapshots and refreshed evidence will give you more current data for risk-based decisions. 
  • Perfect scores won’t mask stagnation — providers must show progress toward verified statuses. 
  • The program now gives you greater confidence that every listed CSP is actively advancing their security posture. 

Share this post: