State of North Carolina and GovRAMP

Frequently Asked Questions

• What is GovRAMP?

  Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

  As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

• How do I get a GovRAMP status?

   To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process. 

• What are the continuous monitoring requirements?

  Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.

  Download GovRAMP’s Continuous Monitoring Guide

  Continuous monitoring must be maintained for the lifecycle of your contract with the State of North Carolina, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to the State.

• Will North Carolina accept any other frameworks?

   GovRAMP provides a standardized, comprehensive security verification process that includes Continuous Monitoring under the NIST framework. The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments. This allows North Carolina to maintain its commitment to upholding the NIST 800-53 standard and streamline the oversight process. 

• How do I enroll in the GovRAMP Progressing Security Snapshot Program?

  To participate:

  1. Become a GovRAMP Member
  2. Submit a Progressing Security Snapshot Request
  3. Pay the applicable fee
  4. Receive onboarding instructions from the GovRAMP PMO

  You’ll receive:

  • A Snapshot score within ~3 weeks of payment
  • Quarterly updated Snapshots
  • Monthly one-hour consultative calls with GovRAMP’s security team

  If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.

• How much does a GovRAMP assessment cost?

  To continue supporting North Carolina small- and medium- sized businesses including veteran and minority owned businesses, the GovRAMP assessment fees are tiered based on the annual revenue for the company.

  View the full GovRAMP Fee Schedule

• What if I don't own the solution but use cloud products to deliver services to the State of North Carolina?

   Based on the data processed, transferred, or stored, the State of North Carolina may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services. 

• What are the guidelines for determining if my product is a cloud computing service?

  North Carolina identifies three distinct service models for the cloud environment:

  Infrastructure as a Service (IaaS) is a cloud environment with computing resource such as virtual servers, storage, and network. The consumer uses their own software, including operating systems, middleware and applications. The underlying physical infrastructure is managed by the Cloud Service Provider (CSP).

  Platform as a Service (PaaS) is a cloud environment for development and management of consumer applications. It includes the infrastructure layer – virtual servers, storage and network – while tying in middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete development lifecycle while leaving the management of the physical infrastructure to the CSP.

  Software as a Service (SaaS) is a cloud computing solution that provides the consumer with access to a complete software product. The application resides on a cloud platform and is accessed by the consumer through a web interface or application program interface (API). The physical and virtual infrastructure, operating system, middleware and application are all managed by the CSP.

• Who can I contact GovRAMP to get started?

  For questions or more information about GovRAMP, please contact: info@govramp.org.

  If you have any questions for the State of North Carolina, please contact: ESRMO@nc.gov.