Arapahoe County & GovRAMP
About the Program
Protecting our County’s most sensitive and critical data is a team sport in Colorado. We have cybersecurity teams working non-stop to protect and defend our networks and systems from hackers, but the threats are always changing and we must work to stay ahead by strengthening those networks and systems. We must all work together to ensure the confidentiality, integrity, and accessibility of our County’s data.
One way we can do this is by ensuring that the vendors that touch or hold any of our critical data are meeting minimum cybersecurity standards – rather than just checking a box. This is where GovRAMP comes in.
Standing for Risk and Authorization Management Program, GovRAMP has developed a roadmap for vendors to follow to demonstrate that they are meeting national cybersecurity standards through an externally verifiable process.
Arapahoe County is excited to lead the way in adopting GovRAMP as a framework for our contract and procurement process to ensure that we are covering every angle possible when it comes to protecting our residents’ data and ensuring our overall security.
Learn more about this initiative on the Arapahoe County Website.
When is GovRAMP Required?
Not every contract will require GovRAMP authorization. To help determine where GovRAMP should be required, use the following survey questions:
- Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
  - If yes, GovRAMP Low is recommended.
- Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the U.S. Department of Labor (DOL)?
  - If yes, GovRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
  - If yes, GovRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
  - If yes, GovRAMP Moderate is recommended.
- Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
  - If yes, GovRAMP Moderate is recommended.
- Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
  - If yes, GovRAMP Moderate is recommended.
- Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
  - If yes, GovRAMP Moderate is recommended. Note: States may add additional controls to GovRAMP Moderate to comply with the CJIS requirements.
If you would like assistance determining when authorization may be needed, GovRAMP has a Program Management Office (PMO) Team that is happy to review upcoming solicitations, contract renewals, and other research to help proactively identify for the State and vendors when to implement GovRAMP.
For additional information and insights in determining when GovRAMP may be required, we will have Data Classification training available here.
Please also feel free to reach out to info@govramp.org for additional information on Data Classification.
What is the GovRAMP Process?
To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page.
This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.
New Contracts
For new contracts, service providers need to submit a letter of GovRAMP authorization (Snapshot, Ready status or Authorized status) in response to the respective solicitation.
If the service provider is not already at Ready or Authorized status at the time a contract is awarded, they must submit a Progressing Snapshot score to demonstrate progress towards Ready or Authorized status.
The Purchasing Division provides a centralized source for pricing, sourcing, quotations, order placement, vendor contact and general problem solving.
To accomplish this, we assess the marketplace, determine the best way to acquire materials and services, and develop bid documents that are consistent with state laws, county policies and government procurement practices. Purchasing oversees all of the bid processes to ensure compliance with these standards. If you are a vendor looking to do business with the County, check out current bid opportunities or contact our office.
If you need assistance, please visit the RMEPS website, or contact the RMEPS Vendor Support department at 1-800-835-4603, option 2.
Existing Contracts
The goal for existing contracts is to ensure that service providers demonstrate cybersecurity compliance before a contract renewal. The general guidance is for service providers to begin working towards Ready or Authorized status (as determined by the general impact level) at least 12 or 18 months, respectively, before the contract renewal date.
Who can I contact with questions?
For additional questions, please reach out to:
Nikki Rosecrans – Manager of Information Security and Compliance NRosecrans@arapahoegov.com
Please email technical questions to info@govramp.org or visit our Service Providers page.
GovRAMP Office Hours
Please join the GovRAMP staff on the first Wednesday of every month from 2:30 – 3:00 PM ET for Office Hours. This is an open forum for Service Providers, 3PAOs, State and local governments, and higher education institutions to ask questions to GovRAMP staff.
For more information on office hours, please visit the GovRAMP Event Page.
State & Local Government
Contact us and schedule a conversation to get started.
For more information about how GovRAMP works with governments, visit our Governments page.
Service Providers
For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. GovRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts.
Learn more about the benefits and process for service providers, or contact our team to get started.
Other Participating Governments
GovRAMP is accepted by Arapahoe County, as well as other state and local governments. See a list of GovRAMP’s participating governments here.