Core Verification
A validated step toward trusted security.
Core Verification confirms the implementation of foundational security controls—providing a clear, credible signal of your security maturity without requiring a full third-party assessment.
Designed as a bridge between early progress and full authorization, Core helps providers demonstrate real security implementation while preparing for higher levels of verification.
A Practical Path to Verification
Core Verification validates the implementation of 60 foundational controls aligned to NIST SP 800-53 Rev. 5 and the Moderate Impact Level baseline.
Assessed directly by the GovRAMP PMO, Core provides independent validation of your security posture—without the immediate need for a 3PAO assessment.
It allows you to:
- Demonstrate verified security implementation
- Strengthen trust with government buyers
- Gain visibility on the Authorized Product List (APL)
- Prepare for Ready and Authorized pathways
Core bridges the gap between early progress and full validation—making it easier to move forward with confidence.
How to Achieve Core Verification
Core follows a structured process designed to validate your security implementation and prepare you for higher levels of assurance.
Designed for Accessibility
Core Verification was designed to reduce barriers for providers—especially small and mid-sized organizations—by removing the need for an immediate 3PAO assessment.
With structured requirements and PMO-led validation, providers can demonstrate meaningful security progress while managing cost and complexity.
At the same time, Core scales to support organizations of all sizes—making it a flexible step toward full authorization.
Show Verified Progress
Products that achieve Core Verification are listed on the Authorized Product List (APL)—a trusted resource used by government buyers to identify validated solutions.
This visibility strengthens credibility and positions your organization for procurement opportunities.
How GovRAMP and the GovRAMP PMO Work Together
Core Verification FAQs
- How much does GovRAMP Core cost?
  GovRAMP Core includes a one-time annual PMO assessment fee, which covers review of submitted documentation, validation of the required security controls, and product listing on the Authorized Product List (APL). No 3PAO audit is required for Core Status.
  Annual PMO Assessment Fee for Core Status:
  - $9,000 – Providers with less than $1M in annual revenue
  - $11,000 – Providers with $1M to $5M in annual revenue
  - $17,000 – Providers with over $5M in annual revenue
- How much does continuous monitoring for GovRAMP Core cost?
  Once Core Status is awarded, providers are enrolled in Quarterly Continuous Monitoring (ConMon). This is a recurring fee billed each quarter, based on provider revenue.
  Quarterly Continuous Monitoring Fee for Core Status:
  - $250 per quarter – Providers with less than $1M in annual revenue
  - $500 per quarter – Providers with $1M to $5M in annual revenue
  - $1,000 per quarter – Providers with over $5M in annual revenue
- Who sees my continuous monitoring reports?
  GovRAMP Core includes enrollment in quarterly Continuous Monitoring (ConMon), which is reviewed by the GovRAMP Program Management Office (PMO). While full ConMon data is not public, Participating Governments may request access to your ConMon profile through GovRAMP, ensuring transparency for procurement officials while protecting sensitive provider information. Providers must approve the requested access before a Participating Government is granted viewing privileges.
- Will I be listed on the Authorized Product List (APL)?
  Yes. Once you are approved for GovRAMP Core, your cloud product will be listed on the GovRAMP Authorized Product List (APL) as a Core-verified offering. This visibility signals to government buyers that you’ve achieved formal validation and are progressing toward Ready or Authorized status.
- What is the review method for GovRAMP Core?
  Core assessments are conducted directly by the GovRAMP PMO. The review focuses on validating implementation of 60 foundational controls selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level. The review includes documentation analysis, scan result validation, and overall program posture evaluation; no 3PAO assessment is required.
- Is GovRAMP Core a self-attestation?
  No. GovRAMP Core is not a self-attestation. Evidence must be submitted to the GovRAMP PMO for review. Examples of acceptable documentation include a completed OCM/SSP and other artifacts outlined in our guidance documents.
- Does GovRAMP have an official definition of 'cloud'?
  Yes. GovRAMP aligns its definition of 'cloud computing' with the NIST SP 800-145 standard. This includes traditional service models like IaaS, PaaS, and SaaS, as well as hybrid or emerging models that meet the essential cloud characteristics outlined by NIST.
- Can bug bounty programs count toward pen testing controls?
  While bug bounty programs can provide useful insights, GovRAMP currently requires that penetration testing follow formal testing procedures as outlined in our guidance documents. Continuous or crowdsourced testing methods, like bug bounties, are not formally accepted as standalone evidence at this time.
- Is there a list of optional controls like pen testing and citizenship shared with governments?
  Yes. We provide participating governments with guidance documents that outline required and optional security elements, including considerations around pen testing and personnel requirements. If you’re a government official looking for direction, contact get@govramp.org to request access.
- Will GovRAMP Core influence broader government adoption?
- Does GovRAMP Core require a 3PAO audit?
  No. A 3PAO assessment is not required to achieve Core status. Instead, evidence is reviewed directly by the GovRAMP PMO to validate compliance with the required 60 controls and supporting documentation.
- Are policies and procedures required for Core?
  Yes. Policies and procedures are part of the required documentation for GovRAMP Core. These include, but are not limited to, your Configuration Management Plan, Incident Response Plan, and Contingency Plan. Refer to the Step 3 guidance on the Core page.
- Does GovRAMP require U.S. citizenship for employees?
  No. GovRAMP does not require U.S. citizenship for employees. However, some governments may impose additional requirements depending on the type of data processed, stored, or transmitted. Always review the terms of your solicitation to determine any agency-specific constraints.