State of Nevada and GovRAMP
Why GovRAMP?
Protecting Nevada’s most sensitive and critical information is crucial to operational resiliency. While cybersecurity teams work non-stop to protect and defend networks and systems from bad actors, threats are always changing. Firms must be proactive by strengthening those networks and systems. One way to accomplish this is by ensuring providers and products with any critical data are meeting minimum cybersecurity standards. This is where GovRAMP comes in.
The State of Nevada is working towards a standardized approach to the security assessment of cloud computing services. GovRAMP has partnered with the State of Nevada to assist providers with ensuring that their products are meeting those minimum-security controls as indicated by GovRAMP in accordance with the NIST 800-53 security controls, while also affording them the benefit of transferable credentials through standardized cybersecurity verification. GovRAMP allows providers to verify once to serve many while also simplifying the procurement process and expediting the time to contract. Product cybersecurity validation can be used with any of our participating government members.
New Cloud Product Requirements
The State of Nevada’s Government Technology Office (GTO) ensures that all executive branch offices utilizing cloud services meet strict security standards. In an effort to create a standardized process and provide resources to its agencies, the GTO has leveraged the GovRAMP framework for authorization and continuous monitoring to protect the confidentiality, integrity and availability of state information.
As of July 1, 2026, all new contracts containing a cloud component will include risk assessment requirements that align with the GovRAMP program which is based on National Institute of Technology and Standards (NIST) 800-53 (Rev 5). At minimum, products must achieve a GovRAMP Core status. In some cases, based on data type, a GovRAMP Authorized/Provisionally Authorized status may be required. Nevada will provide an “on ramp” that allows vendors time to achieve the required status under the contract. Exact details on the requirements for each contract will be outlined in the purchasing mechanism or associated contract.
Please note as of July 1, 2028, contracts will contain the requirements outlined above without an “on ramp.”
Additional details on Nevada’s information security policies will be available soon.
Announcements & Educational Opportunities
Explore announcements, updates, and educational resources to support vendors participating in Nevada’s new RAMP security program. This curated content provides on-demand training and guidance for technology providers doing business with the State of Nevada.
These resources are designed to help vendors understand how to get started in the program, meet GovRAMP-aligned security requirements, and navigate the steps in Nevada’s Policy.
Frequently Asked Questions
-
If I am awarded a contract, how long will we have to get the product assessed? What if the product doesn't currently hold a GovRAMP status?
For data stored, transmitted, and processed in protected systems, a verified status of GovRAMP Core will be required to satisfy Nevada’s minimum requirements. If applicable, this status must be achieved no later than 12 months from contract execution. Should Nevada require a higher-level terminal status of Authorized/Provisionally Authorized, this requirement shall be included in the purchasing mechanism and resulting contract, and the product must meet this status within 24 months of contract execution.
Any additional assessment requirements, such as regulatory compliance including, but not limited to CJIS, HIPAA, et al., shall also be determined by Nevada and incorporated into the contract terms.
Upon award of contract, if the product does not currently hold a GovRAMP verified status, the provider will be required to enroll in the GovRAMP Progressing Snapshot program prior to any data being transferred, stored or processed with the expectation that progress will be made on a quarterly basis. The provider must complete their first Progressing Snapshot within forty-five (45) days of award, with the expectation that progress will be made on a quarterly basis. Products must maintain their participation in the Progressing Snapshot program until such time that they have achieved the minimum status outlined above.
If the Vendor’s cloud product currently holds a FedRAMP Authorized (rev 5) designation at the time of award, the Vendor shall, within thirty (30) days of award, initiate and actively pursue the GovRAMP Fast Track Process to achieve a GovRAMP Authorized or Provisionally Authorized status to satisfy NV GTO’s continuous monitoring requirements.
-
Will Nevada accept any other frameworks?
The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments. This allows for Nevada to maintain their commitment to upholding the NIST 800-53 standard and streamline the oversight process.
In the interest of clarity, the following will not be accepted:
- TXRAMP
- SOC 2
- ISO 27001
- HITRUST
-
How do I enroll in the GovRAMP Progressing Security Snapshot Program?
To participate:
- Become a GovRAMP Member
- Submit a Progressing Security Snapshot Request
- Pay the applicable fee
- Receive onboarding instructions from the GovRAMP PMO
You’ll receive:
- A Snapshot score within ~3 weeks of payment
- Quarterly updated Snapshots
- Monthly one-hour consultative calls with GovRAMP’s security team
If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.
-
How do I get a GovRAMP status?
To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.
-
Our product currently holds or is seeking a FedRAMP status. Does the product require a GovRAMP assessment?
Cloud products that currently hold or are seeking a FedRAMP Rev. 5 status must enroll the product in the GovRAMP Fast Track program. No need to re-engage a 3PAO, just submit the same security package to the GovRAMP PMO following membership enrollment. This will allow Nevada to uphold their requirement for continuous monitoring as outlined in the policy.
-
How much does a GovRAMP assessment cost?
In an effort to continue to support Nevada small and medium sized businesses including veteran and minority owned businesses, the GovRAMP assessment fees are tiered based on the annual revenue for the company.
-
What are the continuous monitoring requirements?
Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.
Download GovRAMP’s Continuous Monitoring Guide
Continuous monitoring must be maintained for the lifecycle of your contract with the State of Nevada, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to the State.
-
What if I don't own the solution but use cloud products to deliver services to the State of Nevada?
Based on the data processed, transferred, or stored, the State of Nevada may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.
-
What are the guidelines for determining if my product is a cloud computing service?
Nevada identifies three distinct service models for the cloud environment:
Infrastructure as a Service (IaaS) is a cloud environment with computing resource such as virtual servers, storage, and network. The consumer uses their own software, including operating systems, middleware and applications. The underlying physical infrastructure is managed by the Cloud Service Provider (CSP).
Platform as a Service (PaaS) is a cloud environment for development and management of consumer applications. It includes the infrastructure layer – virtual servers, storage and network – while tying in middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete development lifecycle while leaving the management of the physical infrastructure to the CSP.
Software as a Service (SaaS) is a cloud computing solution that provides the consumer with access to a complete software product. The application resides on a cloud platform and is accessed by the consumer through a web interface or application program interface (API). The physical and virtual infrastructure, operating system, middleware and application are all managed by the CSP.
-
How can I get started?
For additional information on Nevada Procurement including bulletins, open bids, contracts and registration, please refer to the NEVADAePro site.
For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.
GovRAMP Participating Governments
GovRAMP is accepted by Nevada and other states. See a list of GovRAMP’s participating governments here.
STAY INFORMED
Receive Updates and Resources
Subscribe to receive program updates, educational briefings, and public sector implementation insights.