State of Arizona and GovRAMP

Frequently Asked Questions

• What is GovRAMP?

  Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

  As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

• Do I need both GovRAMP and AZRAMP?

  No. If you have an active AZRAMP status, will be able to use your AZRAMP status until it expires. There will be no further renewals for AZRAMP statuses and at the point of expiration, you will need to have an appropriate GovRAMP or FedRAMP status as defined by Arizona Department of Homeland Security (ADOHS).
  
  

• Is there reciprocity between GovRAMP and TX-RAMP or any other frameworks?

  AZRAMP will only be accepting GovRAMP or FedRAMP.

  This allows for Arizona to maintain their commitment to upholding the NIST 800-53 standard and streamline the oversight process.

  GovRAMP does offer a Fastrack option for FedRAMP products.

  While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:

  • TXRAMP

  • SOC 2

  • ISO 27001

  • HITRUST

  Reason for Non-Acceptance

  The 2018 National Cyber Strategy of the USA  identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.

  The State of Arizona is not authorized to accept any other form of CSF for this assessment to include; self-attestations, trust documents, third-party assessments to include COBIT, ISO/IEC 27000 series, PCI, SOC 2 or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process.

   

• If I am awarded a contract, how long will we have to get the product assessed? What if the product doesn't currently hold a GovRAMP status?

  For data stored, transmitted, and processed in protected systems, a verified status of GovRAMP Core may be required to satisfy AZRAMP’s minimum requirements. If applicable, this status must be achieved no later than 12 months from contract execution. Should ADOHS require a higher-level terminal status of Ready/Authorized, this requirement shall be included in the contract, and the products must meet this status within the timeframe outlined in the resulting contract, which shall be in conformance with the timeframes below:

  If a verified status of Core is required, the status must be achieved no later than 12 months of the resulting contract award.

  If a verified status of Ready is required, a provider will be allowed a minimum of 12 months from contract award date to ensure the contracted product has achieved Ready status, not to exceed 18 months.

  If a verified status of Authorized is required, a provider will be allowed a minimum of 18 months from contract award date to ensure the contracted product has achieved Authorized status, not to exceed 24 months.

  Any additional assessment requirements, such as regulatory compliance including, but not limited to CJIS, HIPAA, et al., shall also be determined by ADOHS and incorporated into the contract terms.

  Upon award of contract, if the protected system does not currently hold a GovRAMP verified status, the provider will be required to participate in the GovRAMP Progressing Snapshot program prior to any data being transferred, stored or processed with the expectation that progress will be made on a quarterly basis. A provider may also provide a letter from the GovRAMP PMO indicating that the product currently holds an Active, In Process, or Pending status, indicating that the product is in the pipeline to receive a GovRAMP Ready, Authorized, or Provisionally Authorized status.

• How do I get a GovRAMP status?

   To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page.

  This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process. 

• Do I need to tell AZRAMP I am enrolled in the Progressing Snapshot program or have a product with a verified GovRAMP status?

  Yes, if you are enrolled in GovRAMP’s Progressing Snapshot program or have a verified GovRAMP status, you will need to include a GovRAMP letter indicating the product verified and the status achieved, when responding to a solicitation to do business with the State of Arizona.

  As of July 1, 2025, for new contracts, based on the data impact level, ADOHS will select the appropriate level of risk assessment required for the procurement and determine the necessary terminal status to be defined within the contract for the product. A “terminal security status” is a status where a product has met a natural endpoint and moves into continuous monitoring. There are three GovRAMP statuses that are always considered terminal security statuses: GovRAMP Core, Ready, Provisionally Authorized, and Authorized. GovRAMP Core may be considered a terminal security status should ADOHS determine that no additional security assessments are needed to meet its requirements for that contract. ADOHS shall ensure compliance with NIST 800-53 Rev 5 (or current) based on third-party assessments provided by GovRAMP, FedRAMP, and/or by the AZRAMP ADOHS exception process.

• What are the continuous monitoring requirements?

  Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.

  Download GovRAMP’s Continuous Monitoring Guide

  Continuous monitoring must be maintained for the lifecycle of your contract with the State of North Carolina, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to the State.

• What if I don't own the solution but use cloud products to deliver services to the State of Arizona?

  Based on the data processed, transferred, or stored, the State of Arizona may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP.

  Specific requirements can be found within the solicitation for the services.

• How can I contact GovRAMP to get started?

  For questions or more information about GovRAMP, please contact: info@govramp.org

  If you have any questions about AZ-RAMP, please contact: grc@azdohs.gov