State of Oregon and GovRAMP
Why GovRAMP?
Oregon’s participation in GovRAMP is expected to save agencies and vendors significant time and effort. GovRAMP is consistent with FedRAMP and with the information security standards of many other state and local governments. It allows vendors who offer cloud-based products (goods and services) to show, through GovRAMP rather than through a process specific to each government, that the products meet Oregon information security standards and the standards of any other participating government.
GovRAMP is also a standard way for agency staff to verify a product’s compliance with cybersecurity standards that many state and local governments, including Oregon, require. It is based on the same security standards EIS previously adopted, NIST SP 800-53 (moderate). GovRAMP is funded by fees paid by vendors. Because GovRAMP continuously monitors its participating vendors’ compliance with cybersecurity standards, agency staff can also easily verify cloud products’ continued compliance.
State of Oregon Requirements
The State of Oregon may require that a cloud service offering obtain a GovRAMP Authorized status within a defined time frame following contract execution. GovRAMP Progressing Snapshot, GovRAMP Core, or GovRAMP Ready may be accepted as an interim way to satisfy security requirements until GovRAMP Authorized is achieved.
Please visit Oregon DAS’ Cloud and Hosted Systems Statewide Policy and Oregon Statewide Information Security Plan for more information.
GovRAMP Vendor Overview
Interested in learning more about the GovRAMP process? Download this overview for service providers exploring how to get started.
GovRAMP for Local Governments
Download this presentation for Oregon local governments interested in learning more about GovRAMP and its role in supporting cloud security.
Frequently Asked Questions
Is GovRAMP applicable to all cloud contracts in the State of Oregon?
No. GovRAMP is only applicable to contracting activities for cloud products (goods and services) covered by DAS’ Cloud and Hosted Systems Statewide Policy: https://www.oregon.gov/das/policies/107-004-150.pdf. Contracting activities include open market RFPs, sole source contracts, special procurements, and RFQs under price agreements for cloud products (goods and services).
GovRAMP is not for use in interagency agreements, intergovernmental agreements, or agreements with public or private educational institutions.
How can I contact GovRAMP to get started?
For questions or more information about GovRAMP, please contact: info@govramp.org
If you have any questions about Oregon’s requirements, please contact: eso.info.@das.oregon.gov.
What is GovRAMP?
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is composed of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
How do I get a GovRAMP status?
To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.
What are the continuous monitoring requirements?
Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.
Download GovRAMP’s Continuous Monitoring Guide
Continuous monitoring must be maintained for the lifecycle of your contract with the State of Oregon, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to Oregon.
State & Local Government
Are you interested in learning more about how GovRAMP supports the cybersecurity of public sector organizations? We are available to answer your questions.
Service Providers
GovRAMP simplifies compliance for service providers by offering a standardized security verification process that can be leveraged across multiple government contracts.