City of Arlington, TX & GovRAMP
About the Program
The City of Arlington leverages GovRAMP to standardize cloud security requirements, streamline procurement, and strengthen protection of community data and critical infrastructure. Through alignment with nationally recognized NIST-based controls, Arlington ensures cloud services meet consistent, risk-based standards while reducing redundancy for vendors.
GovRAMP is a standardized cybersecurity framework designed to enhance the security of cloud services used by state and local governments, tribal nations, and educational institutions. Modeled after FedRAMP, GovRAMP utilizes NIST 800-53 controls to ensure that cloud solutions meet stringent security requirements.
Learn more at GovRAMP.org
By participating in GovRAMP, the City of Arlington leverages third-party verification to protect sensitive data and uphold public trust. Through adherence to industry-standardized controls, Arlington streamlines cloud service procurement and accelerates vendor onboarding. Standardizing security requirements eliminates redundant audits and reduces costs and administrative effort for both the City and its technology partners.
Safeguarding critical infrastructure is a top priority for Arlington’s cybersecurity strategy. Robust GovRAMP controls help protect essential services.
Equally important is the protection of community data: ensuring privacy and maintaining the integrity of digital records strengthens trust between the City and its constituents. By embracing GovRAMP, Arlington demonstrates its commitment to operational efficiency, vendor collaboration, and the resilience of its essential services.
Enhanced Security: GovRAMP provides Arlington with a multi-level framework to secure cloud services, reducing the risk of cyber threats and data breaches.
Efficient Procurement: With GovRAMP’s standardized security requirements, Arlington can streamline the procurement process for cloud services, ensuring that vendors meet high-security standards without redundant assessments.
Cost Savings: By adopting GovRAMP, Arlington can avoid the costs associated with multiple security assessments, as the framework allows for transferable credentials across different government sectors.
Data Protection: Citizens can feel confident that their personal information is safeguarded against cyber threats, thanks to the stringent security measures implemented through GovRAMP.
Improved Services: With secure and efficient cloud solutions, Arlington can enhance the delivery of public services, making them more reliable and accessible to residents.
Trust and Transparency: Participation in GovRAMP demonstrates Arlington’s commitment to cybersecurity and transparency, fostering greater trust between the government and its citizens.
The City determines a vendor’s compliance with its cloud‐security standard by evaluating each product against the following requirements and processes:
Scope and Applicability
Any “cloud service,” whether IaaS, PaaS, SaaS, hosted products, or even on-premises hardware with a cloud component, must hold either GovRAMP Core or TX-RAMP Level 2 certification.
Certification Timelines
- New Services (Initial Procurements): Certification must be in place on or before the date the City starts using the cloud service.
- Renewals: For existing services, the vendor has a 180-day window to achieve the requisite certification.
Preference for GovRAMP
While TX-RAMP Level 2 also meets baseline requirements, the City will favor products that carry GovRAMP Core certification when evaluating and selecting cloud products.
Exemption Process
If a vendor believes a given product neither processes Confidential data nor is mission-critical, it may submit a written exemption request to the City’s Information Security and Privacy Office at security@arlingtontx.gov. The City’s Chief Information Security Officer, or delegate, will review and must approve or deny that request within 15 business days of receipt.
Continuous Monitoring
Products leveraging GovRAMP status must remain in good standing. Vendors must grant the City, and its auditors, visibility into their continuous monitoring artifacts via the GovRAMP portal.
Non-Compliance, Notification, and Cure
The City considers a product “Non-Compliant” if the vendor fails to:
- Obtain the required certification; or
- Maintain that certification thereafter.
Upon detecting Non-Compliance, the City will issue a written notice outlining the specific deficiencies and corrective steps required. The vendor then has a 30-day “Cure Period” to restore compliance. If more time is needed, the vendor may request an extension in writing before the Cure Period expires; any extension is granted solely at the City Chief Information Security Officer’s discretion.
GovRAMP enables service providers to become authorized through a sequence of steps that are streamlined and can translate across participating states and local jurisdictions to reduce redundancy and improve efficiency.
The City of Arlington currently accepts GovRAMP Core status or above.
GovRAMP Office Hours
Please join the GovRAMP staff on the first Wednesday of every month from 2:30 – 3:00 PM ET for Office Hours. This is an open forum for Service Providers, 3PAOs, State and local governments, and higher education institutions to ask questions of GovRAMP staff.
For more information on office hours, please visit the GovRAMP Event Page.
Bidding Opportunities
Click below to see the list of current solicitations for the City of Arlington.
GovRAMP Templates & Resources
Click below for additional guidance on the validation process and requirements.
State & Local Government
Contact us and schedule a conversation to get started.
For more information about how GovRAMP works with governments, visit our Governments page.
Service Providers
For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. GovRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts.
Learn more about the benefits and process for service providers, or contact our team to get started.
Other Participating Governments
GovRAMP is accepted by the City of Arlington, as well as other cities and states. See a list of GovRAMP’s participating governments here.