GovRAMP Authorized/Provisionally Authorized Status

Attain the Highest Level of Security in GovRAMP

Gain a Competitive Edge With Higher Authorization

To achieve GovRAMP Authorized status, providers must complete all necessary documentation, including a 3PAO security assessment report. Government sponsorship is required to obtain Authorized status, with both the GovRAMP Project Management Office and the sponsoring government in agreement that the product in question meets all requirements.

Learn more in “Getting Started with GovRAMP: A Guide for Service Providers Pursuing Authorization.”

Download the Guide

The GovRAMP Authorized Process

Step 1:

Become a GovRAMP Member

All service providers must be an active GovRAMP member before their cloud products and services can be validated by the Program Management Office, obtain a GovRAMP security status, or be listed on the GovRAMP Authorized Product List (APL).

Step 2:

Optional: Submit a GovRAMP Service Request Form / Security Snapshot

As a first step toward achieving GovRAMP Authorized status, providers may submit a GovRAMP Service Request Form to initiate a Security Snapshot. This “pre-Ready” measurement provides a gap analysis to validate your product’s current maturity relative to the Minimum Mandatory Requirements for GovRAMP Ready.

Step 3:

Determine Your Appropriate Security Category

Before engaging a third-party assessment organization (3PAO) or submitting documentation, determine the required GovRAMP Impact Level—Low, Low+, or Moderate—based on your prospective state or local government partners. Use the data classification tool if you are unsure.

Step 4:

Engage a Third-Party Assessment Organization (3PAO)

Review the list of GovRAMP-approved assessors and engage a 3PAO to complete a Security Assessment Report (SAR).

Step 5:

Complete Authorized Review Documentation & Security Review Request

Work with your 3PAO to complete 100% of your documentation. Then submit the GovRAMP Security Review Request Form along with completed documentation and payment of the GovRAMP Authorized review fee. Once received, your product’s status on the APL will be updated to Pending.

Step 6:

Obtain Government Sponsorship or Committee Approval

To achieve Authorized status, an authorizing government official must approve your security package. You may secure government sponsorship directly or leverage the GovRAMP Approvals Committee, composed of active state and local government representatives, to serve as your appointed sponsor and confirm your package meets all requirements.

Step 7:

Obtain GovRAMP Authorized Verified Status

If the 3PAO attests to your readiness, and all critical controls and outstanding inquiries are resolved, the PMO will verify your product meets all mandatory requirements. Your status on the APL will be updated to Authorized.

Step 8:

Begin Continuous Monitoring Activities

Upon achieving Authorized status, begin monthly and annual Continuous Monitoring submissions as outlined in the GovRAMP Continuous Monitoring Guide.

Frequently Asked Questions

Pricing is tiered as follows:

  • $1,500 for Providers with less than $1 M Annual Revenue
  • $5,000 for Providers with Annual Revenue between $1 M – $5 M
  • $7,500 for Providers with Annual Revenue greater than $5 M

The level of effort to participate in the GovRAMP Authorized process varies based on the complexity of the system being assessed and the maturity of the organizational information security program. Organizations that have a current FedRAMP Authorized status may leverage their existing documentation to obtain GovRAMP Ready status with minimal additional effort. Organizations that have conducted other framework assessments, such as a SOC2 or HITRUST will be familiar with providing evidence to demonstrate control compliance. Organizations that are not familiar with framework assessments will have a sharper learning curve.

GovRAMP provides many resources to help participating organizations. These include:

Fast Track Option*

If a provider has a product, service, or offering with a federal authorization or is pursuing a federal authorization, that offering is eligible for the GovRAMP Fast Track process. Providers will partner with the GovRAMP Project Management Office (PMO) to provide and authenticate the necessary security documentation they’ve already completed for federal authorization. The Fast Track process is detailed below.

Step 1:

Become a GovRAMP Member

All service providers must become an active GovRAMP member before their cloud products and services can be validated by the program management office, obtain a GovRAMP security status, or become listed on the GovRAMP Authorized Product List (APL).

Step 2:

Engage the GovRAMP PMO

After joining as a GovRAMP member, service providers must complete a Security Review Request Form to engage the GovRAMP PMO. Prior to their first intake call, they can use this form to provide more information about their company and product.

Step 3:

Complete Required Documentation

Service providers should work with their third-party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federal-approved security package, 90 days of continuous monitoring, and any necessary GovRAMP templates.

The security team at the GovRAMP PMO accepts documents in FedRAMP formatting.

Step 4:

PMO Review

The PMO will review the service provider’s complete security package and conduct a call with the provider and 3PAO to make any final adjustments to the submitted documentation.

Step 5:

Begin Continuous Monitoring Activities

Once you have obtained GovRAMP Authorized status, you must begin submitting the required documentation monthly and annual reporting as detailed in the GovRAMP Continuous Monitoring Guide.

*Attention Texas Vendors:

In 2021, Texas passed a law requiring all vendors who use a cloud solution to serve Texas to become TX-RAMP authorized. By administrative rule, TX-RAMP recognizes GovRAMP with reciprocity. GovRAMP provides an efficient, reusable certification that applies in Texas and across our rapidly expanding list of participating governments. For information on how to share your GovRAMP status with Texas, please visit the TX Program Page.