State of Minnesota & GovRAMP

About the GovRAMP Program

As cybersecurity threats become more sophisticated, states must continually bolster efforts to safeguard their most sensitive data. Minnesota’s partnership with GovRAMP – a collaborative initiative that enhances digital infrastructure and strengthens cybersecurity processes – is one of the many ways Minnesota fortifies its cyber resiliency. This partnership supports Minnesota’s efforts to reduce risk, improve operational efficiency, secure public data, and ensure equitable access to digital services.

An important aspect of this initiative is managing third-party risk – identifying, evaluating, and minimizing threats that arise from working with vendors that handle sensitive data or deliver critical services. Without proper oversight, third-party relationships could lead to supply chain attacks, data breaches, and operational disruptions. Minnesota upholds the integrity of its systems and the public’s trust through the enforcement of rigorous security standards, compliance protocols, and vendor accountability

GovRAMP supports this work by offering a standardized framework to assess the cybersecurity readiness of third-party vendors. Modeled after FedRAMP, it provides tools for ongoing monitoring and evaluation of cloud service providers. With GovRAMP, governments can confidently engage with vendors that meet strict security benchmarks – protecting sensitive information.

Through this partnership, Minnesota simplifies its risk-management approach, optimizes resources, and reinforces cloud security standards. This forward-looking step enhances data protection and supports the state’s broader goals for digital cybersecurity resilience.

• What is GovRAMP?

  Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

  As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is composed of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

• How do I know if our product requires GovRAMP Assessment? If so, which assessment will we need and by when?

  Currently, the State of Minnesota only requires a GovRAMP assessment for contracts for cloud products/services that will process, transmit, and/or store high risk data directly or via third party. GovRAMP Authorized at the moderate impact level must be achieved for applicable contracts and continuous monitoring access provided to Minnesota IT Services (MNIT).

  GovRAMP Authorized Control Package

  If a GovRAMP status is not currently held by the product, at the time of contract execution, the provider must submit a GovRAMP Snapshot score for the product in the form of a GovRAMP letter, no later than 60 days from the contract execution date. If the Snapshot score is below 100%, the product must be enrolled in the GovRAMP Progressing Snapshot Program and remain in the program until a 100% Snapshot score is achieved. The product must continue progressing toward Authorized status, which must be obtained no later than April 1, 2027. The provider must also grant the State of Minnesota access to all progress reports and updated Snapshot scores until a 100% score is achieved.

  GovRAMP Core, Ready, and Authorized at the low- impact level will be accepted in lieu of GovRAMP Progressing Snapshot, ; however, continuous monitoring access must be granted to MNIT and maintained until product obtains GovRAMP Authorized at moderate impact level.

• What is considered “high risk data” for Minnesota?

  As defined in Minnesota IT Services Data Protection Categorization Standard, high data is considered to be:

  Data that is highly sensitive and/or protected by law or regulation. This includes, but is not limited to:

  • Protected Health Information (PHI) data as defined in the Health Insurance Portability and Accountability Act (HIPAA)  Regulation (45 C.F.R., Sec. 160.103).

  • Social Security Administration (SSA) data.

  • Criminal Justice Information (CJI) data as defined in the FBI Criminal Justice

  • Information Services (CJIS) Security Policy.

  • Government-issued ID numbers (e.g., Social Security numbers, driver’s license numbers / State ID card numbers, passport numbers).

  • Federal Tax Information (FTI) data as defined in IRS Publication 1075.

  • Payment Card Industry (PCI) Account Data as defined by the Payment Card Industry Data Security Standards (PCI DSS).

  • Bank account numbers excluding state-owned bank account numbers.

  If you are unsure about the data classification, please contact the requesting agency or Minnesota’s Vendor Security and Risk Management team at vsrm@state.mn.us.

• Is there reciprocity between GovRAMP and any other frameworks?

  Minnesota only will accept GovRAMP or FedRAMP Rev 5.

  While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:

  • TXRAMP

  • SOC 2

  • ISO 27001

  • HITRUST

  Reason for Non-Acceptance

  The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.

  The State of Minnesota is not authorized to accept any other form of CSF for this assessment to include; self-attestations, trust documents, third-party assessments to include COBIT, ISO/IEC 27000 series, PCI, SOC 2, or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process.

• Our product currently holds or is seeking a FedRAMP status. Does the product require a GovRAMP assessment?

  Cloud products that currently hold or are seeking a FedRAMP Rev. 5 status must enroll the product in the GovRAMP Fast Track program. No need to re-engage a 3PAO, just submit the same security package to the GovRAMP PMO following membership enrollment. This will allow Minnesota to uphold its requirement for continuous monitoring.

• How do I enroll in the GovRAMP Progressing Security Snapshot Program?

  To participate:

  • Become a GovRAMP member.

  • Submit a Progressing Security Snapshot Request.

  • Pay the applicable fee.

  • Receive onboarding instructions from the GovRAMP PMO.

  You’ll receive:

  • A Snapshot score within about three weeks of payment.

  • Quarterly updated Snapshots.

  • Monthly one-hour consultative calls with GovRAMP’s security team.

• How much does a Snapshot cost?

  To participate in the GovRAMP Security Snapshot or Progressing Snapshot Program, providers must first hold an active GovRAMP membership. Membership fees range from $1,500 to $10,000, depending on the tier selected.

  GovRAMP Security Snapshot
  For products that have not yet achieved a GovRAMP Verified Status

  • $1,000 – Providers with less than $1M in annual revenue
  • $1,500 – Providers with $1M–$5M in annual revenue
  • $2,500 – Providers with more than $5M in annual revenue

  GovRAMP Progressing Security Snapshot (Subscription Option)
  Includes quarterly updated Snapshots and monthly advisory calls

  • $750/month – Providers with less than $1M in annual revenue
  • $1,000/month – Providers with $1M–$5M in annual revenue
  • $1,600/month – Providers with more than $5M in annual revenue

  View the full GovRAMP Fee Schedule.

• What are the continuous monitoring requirements?

  GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisionally Authorized, or Authorized. This includes:

  • Security status checks
  • Vulnerability tracking and closure
  • Ongoing alignment with NIST control requirements

  Download GovRAMP’s Continuous Monitoring Guide.

• What if I don't own the solution but use cloud products to deliver services to the State of Minnesota?

  If high-risk data is being processed, transferred, or stored within your professional services offering, the State of Minnesota will require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.

• Who do I contact?

  For GovRAMP-related inquiries, please reach out to: info@GovRAMP.org or Stacey@govramp.org

  For Minnesota-related procurement inquiries, please reach out to: it.procurement@state.mn.us

  For Minnesota-related vendor security inquiries, please reach out to: vsrm@state.mn.us