Your FAQs Answered
About GovRAMP
Learn more about who we are, how GovRAMP was formed, and our mission to standardize and simplify cloud security for governments.
-
What is GovRAMP?
GovRAMP is a nonprofit organization that unites governments, service providers, and independent assessors to strengthen trust in the cloud.
Built on the NIST SP 800-53 Revision 5 framework, GovRAMP helps governments verify the security of cloud products through a standardized, risk-based approach. Its “verify once, serve many” model reduces costs, eliminates redundancy, and promotes shared cybersecurity standards across the public sector.
By fostering collaboration between governments and industry, GovRAMP empowers participants to achieve secure, scalable cloud adoption that protects sensitive data and drives innovation.
-
How is GovRAMP organized?
GovRAMP operates as a 501(c)(6) nonprofit organization governed by a Board of Directors composed primarily of state and local government officials.
The program’s governance model is designed to ensure transparency and balance, with both public and private sector participation through committees, councils, and task forces.
These groups collaborate to advance GovRAMP’s mission—developing fair, effective cybersecurity standards that promote consistency and trust in cloud procurement.
-
What are the GovRAMP Authorized Product List (APL) and Progressing Product List (PPL)?
The GovRAMP Authorized Product List (APL) and Progressing Product List (PPL) showcase verified and progressing cloud service offerings on the GovRAMP website.
Authorized Product List (APL):
The APL includes verified offerings with a security status of Core, Ready, Provisionally Authorized, or Authorized. To be verified, products must meet minimum security requirements and complete an independent audit conducted by an approved Third-Party Assessment Organization (3PAO).
- Core confirms implementation of 60 foundational NIST controls selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level baseline.
- Ready products meet requirements defined by the Minimum Ready Minimum Mandatory Requirements Policy.
- Provisionally Authorized products have met the Authorization requirements but rely on interconnected technologies that are not yet GovRAMP or FedRAMP Authorized; those technologies must have a current GovRAMP Security Snapshot.
- Authorized is the highest level of verification, for products that have demonstrated compliance with all required controls by impact level.
Products that hold both a GovRAMP Authorized status and a Federal JAB status are displayed as Authorized, Federal JAB.
Progressing Product List (PPL):
The PPL includes offerings that are actively working toward verification. To appear on the PPL, a product must either:
- Be enrolled in the GovRAMP Progressing Snapshot Program, or
- Have engaged with a Third-Party Assessment Organization (3PAO) to conduct an independent audit for Ready or Authorized.
Progressing statuses include:
- Security Snapshot: Enrolled products preparing for or awaiting Snapshot scores.
- Active, In Process, and Pending: Products advancing toward Ready or Authorized status, with Pending offerings currently under PMO review.
The APL and PPL are both hosted on the Program Participants page, which is updated daily.
-
How does GovRAMP make cloud computing more secure for governments?
GovRAMP simplifies cloud security by establishing a standardized method for verifying provider security practices.
Through independent assessments, consistent criteria, and ongoing continuous monitoring, governments can confidently adopt cloud solutions that meet rigorous cybersecurity requirements.
This collaborative framework helps governments reduce risk, streamline procurement, and strengthen the overall security posture of the public sector.
-
Where is GovRAMP documentation maintained, and how are updates shared?
GovRAMP documentation is maintained in the Document & Templates page on the GovRAMP website.
When new drafts are posted for public comment or updates are published, notifications are shared through the GovRAMP website, email newsletter, and PMO communications. To stay informed, subscribe using the form at the bottom of this page.
Membership & Involvement
Whether you’re a government official, service provider, or third-party assessor, GovRAMP membership connects you to a collaborative community advancing secure cloud adoption.
-
Who can become a GovRAMP member?
GovRAMP membership is open to state, local, tribal, and territorial governments; higher education institutions; and private-sector organizations that use or provide IaaS, PaaS, or SaaS solutions handling government data.
There are several membership types to meet different needs:
- Government Memberships are available to individuals and participating government or educational organizations at no cost.
- Private-Sector Memberships are available to service providers, consultants, and Third-Party Assessment Organizations (3PAOs) at varying levels based on engagement and benefits.
Learn more about available options on our Public Sector Membership page and Private Sector Membership page.
-
How can I get involved in GovRAMP?
GovRAMP offers multiple ways for members to participate and contribute to the program’s mission.
Members may serve on committees, working groups, and task forces that inform standards, policies, and program direction. Each opportunity brings together government and industry voices to collaborate on advancing secure, efficient, and fair verification practices.
If you’re interested in learning more about participation opportunities, contact info@govramp.org.
-
Our agency wants to include GovRAMP requirements in an RFP—where do we start?
GovRAMP provides sample procurement language, templates, and resources to help governments align cloud contracts with standardized security requirements.
To request guidance or access available templates, contact the Government Engagement Team at get@govramp.org. You can also explore helpful tools on our Documents page.
-
How do 3PAOs become approved GovRAMP assessors?
To become a GovRAMP-approved Third-Party Assessment Organization (3PAO), firms must be:
- A2LA-accredited to ISO/IEC 17020:2012 standards, and
- FedRAMP-recognized as an authorized 3PAO.
-
What if I’m a lawyer, consultant, or advisor working with a GovRAMP service provider or government?
Professionals who advise, represent, or contract with organizations participating in GovRAMP—such as attorneys, consultants, and advisory firms—are welcome to become members of the GovRAMP community.
Advisory firms and consultants that support service providers or governments in compliance, risk management, or procurement may join through Private-Sector Membership. Membership connects you to key updates, resources, and networking opportunities that help you better support your clients’ participation in GovRAMP.
Learn more about available membership tiers and benefits on the Private Sector Membership page.
Member Portal Support
Get help managing your GovRAMP membership account, updating your organization’s information, and adding additional users.
-
How do I access my GovRAMP member account?
You can access your GovRAMP member account at any time by visiting members.govramp.org/portal or selecting “Sign In” from the footer of the GovRAMP website.
Once logged in, members can update their contact information, view invoices, manage subaccounts, and access exclusive member resources.
If you experience any issues accessing your account, please contact your dedicated Account Manager, or info@govramp.org for assistance.
-
How do I reset or change my password?
To reset your password, select “Forgot Password” on the member login screen and follow the instructions in the email you receive.
If you do not receive a password reset email within a few minutes, check your spam or junk folders. If you still need help, contact your dedicated Account Manager or info@govramp.org, and our team will manually reset your credentials.
-
What should I do if I didn’t receive my account confirmation email?
If you registered for a GovRAMP account but haven’t received your confirmation email, start by checking your junk or spam folder.
If you’re still unable to locate it, contact your dedicated Account Manager or info@govramp.org, and our team will resend the confirmation email so you can activate your account.
-
How do I add additional users to my organization’s member account?
Primary account holders can add new users to their organization’s membership account by logging into the portal and selecting the “Subscriptions” tab from the dashboard.
From there, click “View Subaccounts” and share the Subaccount URL provided at the bottom of the page with colleagues who need access.
Each user must create their own login credentials using that shared link to connect their account to your organization.
-
How do I update my organization’s information or membership details?
You can update your organization’s name, address, or billing information by logging into your GovRAMP member account and selecting “Manage Account.”
If your organization changes membership tiers or needs to update its designated contacts, please reach out to your dedicated Account Manager or info@govramp.org, and our team will assist with the update.
-
Who should I contact for membership or renewal questions?
For questions about membership status, renewals, or tier upgrades, contact your dedicated Account Manager, or our Membership Manager, Olivia Maple at olivia@govramp.org.
Working With The PMO
The GovRAMP Program Management Office (PMO) ensures every product review, authorization, and continuous monitoring process upholds the program’s standards.
-
What does the GovRAMP PMO do?
The GovRAMP Program Management Office (PMO), operated by RAMPQuest, manages the verification and continuous monitoring processes that support governments and service providers throughout their participation in the program.
The PMO is responsible for:
- Reviewing and validating submitted security documentation,
- Providing independent verification of audit results,
- Issuing determination letters for Ready and Authorized statuses, and
- Overseeing ongoing compliance through continuous monitoring.
GovRAMP’s founding PMO plays a vital role in ensuring program consistency, technical integrity, and responsiveness to community feedback.
-
How long does a PMO review take?
The duration of a PMO review depends on the completeness and quality of the documentation submitted, as well as the provider’s readiness to respond to follow-up requests.
Once all required materials have been received, most reviews are completed within several weeks. The PMO maintains ongoing communication with providers throughout the process, offering status updates, clarification as needed, and timely notification upon review completion.
-
How does the PMO protect submitted security documentation?
All security packages submitted to the GovRAMP PMO are securely stored within a FedRAMP Moderate Authorized cloud environment.
Access is restricted to PMO staff, designated service provider representatives, and authorized government officials. Any additional access must be explicitly approved by the service provider.
This approach ensures all information remains confidential and protected in alignment with federal cybersecurity best practices.
-
What happens after the PMO completes a security package review?
Upon completion of its independent validation and verification process:
- For Ready Reviews, the PMO issues a Ready Letter directly to the service provider.
- For Authorization Reviews, the final review package is submitted to the sponsoring government’s Authorizing Official (AO) for approval and signature prior to delivery to the provider.
Following authorization, the product enters Continuous Monitoring (ConMon) to maintain ongoing compliance with GovRAMP requirements.
-
When does Continuous Monitoring begin, and what does it include?
Continuous Monitoring (ConMon) begins immediately upon the award of a verified security status. The process ensures providers maintain compliance and governments retain confidence in ongoing performance.
Under ConMon, providers must:
- Submit monthly and quarterly security reports to the PMO,
- Conduct annual assessments with an approved 3PAO, and
- Remediate Plan of Action and Milestones (POA&M) items according to prescribed timelines.
This framework enables proactive risk management and ensures that verification remains current and reliable over time.
-
How long does the PMO retain submitted security documentation?
The PMO retains all submitted documentation, audit findings, and related correspondence in accordance with GovRAMP’s established data retention and archival policies.
All materials are securely stored to preserve the integrity of the program’s historical record, support future assessments, and ensure traceability across review cycles.
-
How can I contact the PMO for support or program questions?
Please contact govramppmo@rampquest.com to request support.
Progressing Security Snapshot Program
The GovRAMP Progressing Security Snapshot Program offers an early-stage assessment to help cloud service providers understand their current security maturity, identify gaps, and prepare for GovRAMP verification.
-
What is the Progressing Security Snapshot Program?
The Progressing Security Snapshot Program provides a structured, early-stage security assessment designed to help cloud service providers benchmark their security maturity.
Using a standardized scoring methodology based on critical NIST SP 800-53 Revision 5 controls, the Snapshot evaluates how closely a product aligns with the requirements for GovRAMP Ready.
The program helps providers gain actionable insights, streamline their verification process, and build confidence before pursuing full authorization. Governments also use the Snapshot as a reference point for evaluating vendor readiness and risk.
-
How does a provider participate in the Security Snapshot Program?
Providers can participate by becoming a GovRAMP member and submitting a Service Request Form to the Program Management Office (PMO).
After submission, the PMO provides detailed instructions for scheduling the review and submitting supporting documentation. Before the one-hour Snapshot call, providers should review the Snapshot Scoring Criteria and gather evidence demonstrating compliance with applicable controls.
The Snapshot call is a collaborative session led by the PMO to discuss artifacts, clarify documentation, and identify potential next steps.
-
What is the scoring methodology for the Security Snapshot?
The Security Snapshot scoring methodology is based on a subset of NIST SP 800-53 Revision 5 controls, mapped to GovRAMP’s Ready-level requirements.
Each control family is evaluated for completeness and maturity, producing a standardized score that reflects the provider’s overall readiness for GovRAMP verification.
-
How do providers receive and use their Snapshot score?
Upon completion of the Snapshot review, the GovRAMP PMO issues a Snapshot Score Letter summarizing results and recommendations.
Scores are confidential and not published publicly. Providers may share their results at their discretion with government partners, consultants, or 3PAOs.
GovRAMP recommends refreshing your Snapshot annually, as it reflects a moment-in-time assessment of your product’s security maturity and progress toward verification.
-
How do governments use the Security Snapshot?
Governments use the Security Snapshot Program as a tool to assess vendor readiness and risk during the procurement process.
A Snapshot score provides an early indicator of a provider’s security posture, helping governments compare offerings, inform contract requirements, and identify products progressing toward full verification.
The Snapshot Program enables governments to make informed, risk-based procurement decisions while supporting transparency across the GovRAMP ecosystem.
-
What is the cost and expected timeline?
The Security Snapshot Program follows GovRAMP’s published fee schedule. Pricing is scaled by company size and annual revenue.
The PMO aims to deliver Snapshot results within three weeks of payment. If a provider has time-sensitive solicitations or procurement deadlines, the PMO will make every effort to accommodate the request.
Security Verification Process
GovRAMP provides a standardized, risk-based pathway for verifying cloud security. Each security status represents measurable progress toward building trusted, compliant cloud offerings for governments.
-
What are the different levels of GovRAMP verification?
GovRAMP recognizes two categories of security statuses—Verified Offerings, listed on the Authorized Product List (APL), and Progressing Offerings, listed on the Progressing Product List (PPL).
Verified Offerings (APL):
Products on the APL have completed GovRAMP’s verification process and achieved one of the following statuses:
- Core — Confirms implementation of 60 foundational NIST controls, selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level baseline.
- Ready — Indicates the product meets the requirements defined in the Minimum Ready Minimum Mandatory Requirements Policy.
- Provisionally Authorized — Assigned when a sponsoring government or the GovRAMP Approvals Committee determines a product meets Authorization requirements but relies on interconnected technologies not yet GovRAMP or FedRAMP Authorized. Those interconnected systems must have a current GovRAMP Security Snapshot per the Authorization Boundary Guidance.
- Authorized — The highest level of verification, confirming full compliance with all required security controls by impact level.
Products that hold both a GovRAMP Authorized status and a Federal JAB status are displayed as Authorized, Federal JAB on the APL.
Progressing Offerings (PPL):
Products on the PPL are actively working toward verification. To be listed, a product must either:
- Be enrolled in the GovRAMP Progressing Snapshot Program, or
- Have engaged with an approved Third-Party Assessment Organization (3PAO) to conduct an independent audit for Ready or Authorized.
Progressing statuses include:
- Security Snapshot — Enrolled products preparing for or awaiting Snapshot scores.
- Active — Working toward Ready.
- In Process — Working toward Authorization.
- Pending — Under review by the GovRAMP PMO for a verified status determination.
Both the Authorized Product List (APL) and Progressing Product List (PPL) are maintained on the Program Participants page and updated daily.
-
What is the distinction between Core, Ready, Provisionally Authorized, and Authorized status?
GovRAMP recognizes multiple verified statuses—Core, Ready, Provisionally Authorized, and Authorized—each representing a different milestone in the verification process.
- Core: Core status confirms that a product has implemented 60 foundational NIST controls, aligned with the MITRE ATT&CK Framework and the Moderate Impact Level baseline. It establishes an early benchmark for foundational cloud security.
- Ready: Ready status indicates the product meets the minimum requirements defined by the Minimum Ready Minimum Mandatory Requirements Policy. This demonstrates a provider’s readiness to pursue full authorization.
- Provisionally Authorized: Provisionally Authorized status may be assigned by a sponsoring government or the GovRAMP Approvals Committee when a product meets Authorization requirements but depends on interconnected technologies not yet GovRAMP or FedRAMP Authorized. Those systems must have a current GovRAMP Security Snapshot in accordance with the Authorization Boundary Guidance.
- Authorized: Authorized is the highest level of verification and is granted to products that have demonstrated full compliance with all required security controls by impact level. Products with both GovRAMP Authorized and Federal JAB status are listed as Authorized, Federal JAB on the APL.
Each verified status reflects measurable progress in building trusted, compliant, and independently validated cloud solutions for governments.
-
What is the NIST SP 800-53 Revision 5, and why is it important to GovRAMP?
GovRAMP’s security framework is built on the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, which outlines controls to address known risks to information and cloud systems.
These controls form the foundation of GovRAMP’s standardized, risk-based approach—ensuring consistency across assessments, enhancing government confidence, and aligning public-sector cybersecurity with national best practices.
-
Who can see a service provider’s completed security package?
Federal, state, and local governments can view all service providers registered with GovRAMP and their current status on the Program Participants page.
To access a service provider’s full continuous monitoring or reporting information, governments may contact the Government Engagement Team at get@govramp.org. Service providers must approve any requests before access is granted.
-
If a SaaS or PaaS resides on an infrastructure with a GovRAMP Authorized status, does it automatically become Authorized?
No. Using an infrastructure with a GovRAMP Authorized status does not automatically make the SaaS or PaaS GovRAMP compliant.
Each layer—IaaS, PaaS, and SaaS—must be independently evaluated for its own security authorization. However, software that resides on an authorized infrastructure may inherit applicable security controls, which can be documented in the provider’s system security package.
-
During an assessment, are “on-the-spot” fixes acceptable, or will they still be included in the security assessment?
Yes, providers may make “on-the-spot” fixes during an assessment conducted by a 3PAO. However, any changes made must still be documented in the GovRAMP Security Assessment Report (SR-SAR) and verified by the 3PAO to maintain transparency and audit integrity.
-
How does a company become an approved GovRAMP 3PAO, and who pays for the 3PAO’s services?
To become an approved GovRAMP Third-Party Assessment Organization (3PAO), a firm must:
- Be A2LA-accredited under ISO/IEC 17020:2012, and
- Be FedRAMP-recognized as an authorized 3PAO.
GovRAMP accepts any 3PAO meeting these standards. Service providers seeking a Ready or Authorized status are responsible for engaging and compensating their chosen 3PAO.
The A2LA certification ensures 3PAO independence and quality are maintained regardless of payment source.
-
What is the role of a 3PAO in continuous monitoring?
Service providers must work with a GovRAMP-approved 3PAO to conduct annual assessments and to evaluate significant changes made to their system, platform, or service offering.
This independent oversight ensures ongoing compliance and maintains the integrity of each provider’s verified status.
-
How long does a service provider have to remediate POA&M items?
GovRAMP establishes time-based requirements for remediating Plan of Action and Milestones (POA&M) items:
- High-risk items: 30 days
- Moderate-risk items: 90 days
- Low-risk items: 180 days
These timelines apply to all system levels and help ensure risks are promptly addressed to maintain compliance.
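As an added illustration of how a provider might track these windows for the monthly ConMon reporting described under "When does Continuous Monitoring begin" and the remediation deadlines listed above, here is a small POA&M deadline tracker. It is example code written for this page, not GovRAMP's own tooling or POA&M template: the CSV column names (poam_id, control, risk_level, identified_on, closed_on), the 14-day "due soon" warning window, and the sample rows are all constructed assumptions; only the 30/90/180-day windows come from the FAQ.

```python
"""POA&M remediation deadline tracker (added example, not GovRAMP tooling).

Column names, the record layout and the sample rows below are constructed
for illustration; the real GovRAMP POA&M template may differ. Only the
remediation windows (High 30, Moderate 90, Low 180 days) come from the FAQ.
"""
import csv
import io
from datetime import date, timedelta

# Remediation windows in days, by risk level (from the GovRAMP FAQ).
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}

# Days before the deadline at which an open item is flagged "due soon".
# This threshold is an assumption for the example, not a GovRAMP rule.
DUE_SOON_DAYS = 14

# Constructed sample POA&M extract; an empty closed_on means the item is open.
SAMPLE_POAM_CSV = """\
poam_id,control,risk_level,identified_on,closed_on
P-001,AC-2,High,2024-01-05,
P-002,SI-2,Moderate,2024-01-10,2024-04-15
P-003,CM-6,Low,2023-09-01,
P-004,RA-5,HIGH,2024-02-10,
P-005,AU-6,Moderate,2024-02-01,
"""


def parse_poam(text):
    """Parse a POA&M CSV extract into dicts; normalises risk level casing."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        level = row["risk_level"].strip().lower()
        if level not in REMEDIATION_DAYS:
            raise ValueError(f"{row['poam_id']}: unknown risk level {row['risk_level']!r}")
        rows.append({
            "poam_id": row["poam_id"],
            "control": row["control"],
            "risk_level": level,
            "identified_on": date.fromisoformat(row["identified_on"]),
            "closed_on": date.fromisoformat(row["closed_on"]) if row["closed_on"] else None,
        })
    return rows


def due_date(item):
    """Deadline = identification date plus the window for the item's risk level."""
    return item["identified_on"] + timedelta(days=REMEDIATION_DAYS[item["risk_level"]])


def classify(items, as_of):
    """Bucket items as of the report date.

    Open items land in overdue / due_soon / on_track (with days overdue or
    remaining); closed items are only noted when they were closed late.
    """
    report = {"overdue": [], "due_soon": [], "on_track": [], "closed_late": []}
    for item in items:
        deadline = due_date(item)
        if item["closed_on"] is not None:
            if item["closed_on"] > deadline:
                report["closed_late"].append(item["poam_id"])
            continue
        days_left = (deadline - as_of).days
        if days_left < 0:
            report["overdue"].append((item["poam_id"], -days_left))
        elif days_left <= DUE_SOON_DAYS:
            report["due_soon"].append((item["poam_id"], days_left))
        else:
            report["on_track"].append((item["poam_id"], days_left))
    return report


def monthly_summary(text, as_of_iso):
    """Counts a monthly ConMon report might carry, plus the per-item detail."""
    items = parse_poam(text)
    report = classify(items, date.fromisoformat(as_of_iso))
    return {
        "open": sum(1 for i in items if i["closed_on"] is None),
        "overdue": len(report["overdue"]),
        "due_soon": len(report["due_soon"]),
        "closed_late": len(report["closed_late"]),
        "detail": report,
    }


if __name__ == "__main__":
    summary = monthly_summary(SAMPLE_POAM_CSV, "2024-03-01")
    for bucket, entries in summary["detail"].items():
        print(bucket, entries)
```

Run against the constructed extract with a report date of 2024-03-01, the tracker flags the High item identified on 5 January (deadline 4 February) and the Low item from September (deadline 28 February) as overdue, warns on the High item due 11 March, and records that P-002 was closed after its 90-day window even though it is no longer open. The same logic applied to a real extract gives the overdue and closed-late counts a provider would want to reconcile before each monthly submission.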
-
Do service providers need a government sponsor to become Authorized or Provisionally Authorized?
No. While many service providers work directly with a sponsoring government, those without a sponsor may leverage the GovRAMP Approvals Committee, which serves as the authorizing body on behalf of participating governments.
The Approvals Committee ensures fairness and accessibility for providers pursuing Authorization without a direct government partner.
-
Who is eligible to serve as a government sponsor?
Eligible sponsors include government officials or employees who serve as Chief Information Officers (CIOs) or their designees, representing state, local, tribal, or territorial governments, or public higher education institutions.
Government sponsors must first become GovRAMP Individual Government Members before sponsoring a product for Authorization consideration.
-
Does GovRAMP require data to be hosted in the United States?
GovRAMP does not impose geographic hosting requirements for data at the Low or Moderate impact levels.
However, many state and local governments have their own requirements for data residency and system maintenance within the U.S. GovRAMP recommends providers verify these requirements prior to contracting.
Providers working with High impact data may have additional restrictions related to foreign nationals, contractors, or data access locations.
For specific questions, contact info@govramp.org.
Stay Connected
Receive GovRAMP Updates
Stay informed on the latest GovRAMP announcements, policy updates, and event opportunities. Subscribe to receive news directly from the GovRAMP team and the Program Management Office (PMO).