State of Indiana & GovRAMP
About the Program
The transition to utilizing GovRAMP allows for the State of Indiana to harden its security posture through:
- Increased Security Standards: National level security hardening.
- Standardization and Consistency: Uniform assessment process.
- Improved Interoperability: Easier collaboration with public sector agencies.
- Cost Efficiency: Leveraging a shared assessment framework.
- Alignment with National Cybersecurity Strategy.
- The Indiana RAMP policy applies to all executive branch state agencies, departments, institutions, and the like that are responsible to the Governor of the State of Indiana.
- It also applies to any other entities that utilize, integrate with, or are otherwise connected to the State’s systems, network, or other IT infrastructure.
- i.e. For the purposes of Indiana’s RAMP policy, “cloud offering” is defined as all computing services provided outside of IOT data centers and environments.
- All such entities are covered by the scope of this policy, and all such “covered entities” must abide by its requirements because of our collective need to protect data as well as the technology resources that are used to store, process, and transmit it.
The State of Indiana, via the Indiana Office of Technology (IOT), has issued its final Risk and Authorization Management Program (RAMP) Policy, effective October 14, 2025.
The full policy document is available here or on IOT’s public website.
If you have questions about Indiana’s RAMP policy or its implementation, please contact IOT at IndianaRAMP@iot.in.gov.
New Contracts: Effective on or after October 14, 2025.
Renewal Contracts: Targeting January 1, 2026 to begin enforcement.
Existing Contracts (not up for renewal): At point of new solicitation, or at any adjustment, change order, extension, or action requiring approval by IOT.
Providers will be allowed a period not to exceed 18 months from date of contract execution to achieve the minimum verified status outlined in the RAMP policy matrices. For those providers that do not currently hold a GovRAMP status, enrollment in the Progressing Snapshot program will be required until the minimum verified status requirement is met.
Announcements & Educational Opportunities
Explore announcements, updates, and educational resources to support vendors participating in Indiana’s new RAMP security program. This curated playlist provides on-demand training and guidance for technology providers doing business with the State of Indiana and the Indiana Office of Technology (IOT).
Each video is designed to help vendors understand how to get started in the program, meet GovRAMP-aligned security requirements, and navigate the steps outlined in the Indiana RAMP Policy.
Watch the full training series: GovRAMP Training for Indiana Vendors
GovRAMP Office Hours
Please join the GovRAMP staff on the first Wednesday of every month from 2:30 – 3:00 PM ET for Office Hours. This is an open forum for Service Providers, 3PAOs, State and local governments, and higher education institutions to ask questions to GovRAMP staff.
For more information on office hours, please visit the GovRAMP Event Page.
Frequently Asked Questions
-
What is GovRAMP?
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is composed of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
-
How do I know if our product requires GovRAMP Assessment? If so, which assessment will we need and by when?
Please review the Indiana RAMP Policy on Indiana Office of Technology’s public website or you may contact IndianaRAMP@iot.in.gov to request a copy.
Providers will be allowed a period not to exceed 18 months from date of contract execution to achieve the minimum verified status outlined in the RAMP policy matrices. For those providers that do not currently hold a GovRAMP status, enrollment in the Progressing Snapshot program will be required until the minimum verified status requirement is met.
If you are unsure of the data type or critical infrastructure applicability, please contact the requesting agency or the Indiana Office of Technology at IndianaRAMP@iot.in.gov.
-
Is there reciprocity between GovRAMP and any other frameworks?
Indiana IOT will only accept GovRAMP or FedRAMP Rev 5.
While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:
-
TXRAMP
-
SOC 2
-
ISO 27001
-
HITRUST
Reason for Non-Acceptance
The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.
The State of Indiana is not authorized to accept any other form of CSF for this assessment to include; self-attestations, trust documents, third-party assessments to include COBIT, ISO/IEC 27000 series, PCI, SOC 2 or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process. -
-
Our product currently holds or is seeking a FedRAMP status. Does the product require a GovRAMP assessment?
Cloud products that currently hold or are seeking a FedRAMP Rev. 5 status must enroll the product in the GovRAMP Fast Track program. No need to re-engage a 3PAO, just submit the same security package to the GovRAMP PMO following membership enrollment. This will allow Indiana to uphold their requirement for continuous monitoring as outlined in Executive Order 25-19.
-
How do I enroll in the GovRAMP Progressing Security Snapshot Program?
To participate:
-
Pay the applicable fee.
-
Receive onboarding instructions from the GovRAMP PMO.
You’ll receive:
-
A Snapshot score within about three weeks of payment.
-
Quarterly updated Snapshots.
-
Monthly one-hour consultative calls with GovRAMP’s security team.
If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.
-
How much does a GovRAMP assessment cost?
Our assessment fees are tiered based on the annual revenue for the company.
-
What are the continuous monitoring requirements?
GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisionally Authorized, or Authorized. This includes:
- Security status checks
- Vulnerability tracking and closure
- Ongoing alignment with NIST control requirements
Download GovRAMP’s Continuous Monitoring Guide.
Providers must maintain and provide continuous monitoring access to the State of Indiana for the lifecycle of their contract.
-
What if I don't own the solution but use cloud products to deliver services to the State of Minnesota?
Based on the data processed, transferred, or stored, the State of Indiana may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP under the NIST 800-53 Rev. 5 framework. Specific requirements can be found within the solicitation.
-
Who do I contact?
For GovRAMP-related inquiries, please reach out to: info@govramp.org and stacey@govramp.org
For Indiana RAMP-related inquiries, please reach out to: IndianaRAMP@iot.in.gov
State & Local Government
Contact us and schedule a conversation to get started.
For more information about how GovRAMP works with governments, visit our Governments page.
Service Providers
For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. GovRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts.
Learn more about the benefits and process for service providers, or contact our team to get started.
Other Participating Governments
GovRAMP is accepted by the State of Indiana, as well as other cities and states. See a list of GovRAMP’s participating governments here.
STAY INFORMED
Receive Updates and Resources
Subscribe to receive program updates, educational briefings, and public sector implementation insights.