The Progressing Security Snapshot Program is GovRAMP’s “on-ramp” for cloud service providers (CSPs). It’s designed to help providers strengthen their security posture step by step while giving governments early, transparent insights into vendor maturity.
To keep the program meaningful, we’re introducing updates that ensure CSPs listed on the Progressing Product List (PPL) are not just participating — but actively improving.
Non-Zero Score Required: A product must score above zero before it can appear on the Progressing Product List.
Quarterly Progress Required: Providers must show improvement with each Snapshot. Identical or declining scores may trigger the escalation process.
Escalation & Non-Compliance: New structured process: informal discussion → formal notice → possible removal from the Progressing Product List (PPL).
Advisory Support: CSPs will continue to receive one hour of monthly advisory time to support their progress.
Evidence Refresh: All artifacts must be updated at least once every 12 months to remain valid.
Perfect Scores ≠ Finished: Even a 100% score doesn’t mean “done.” Progressing is not a terminal status — providers are expected to continue toward verified Core, Ready, Provisional, or Authorized status.
We heard from both CSPs and government partners that the program needed stronger guardrails.
Some providers enrolled but did not actively improve.
Others reached “perfect” scores but stopped short of advancing to verified status.
A few skipped advisory calls, missing opportunities to benefit from the program.
Listing products with zero scores or outdated evidence undermined trust in the PPL
By tightening requirements and clarifying expectations, we’re ensuring that every CSP listed is genuinely progressing — which benefits providers, governments, and ultimately, the security of the public sector.
All updates go into effect January 1, 2026. CSPs should take steps now to make sure their products remain in good standing.
Make sure your product has a non-zero Snapshot score before January 1, 2026.
Refresh all artifacts so nothing is older than 12 months.
Plan for quarterly improvements — even if your score is already high.
Use your monthly advisory call to identify and close gaps.
Remember: The Progressing Snapshot Program is an on-ramp, not the destination. The goal is always to reach Core, Ready, Provisional, or Authorized status.
You’ll see stronger assurance that products on the PPL are truly improving.
Quarterly Snapshots and refreshed evidence will give you more current data for risk-based decisions.
Perfect scores won’t mask stagnation — providers must show progress toward verified statuses.
The program now gives you greater confidence that every listed CSP is actively advancing their security posture.