What Is GovRAMP Core?
GovRAMP Core is a verified security status that bridges the gap between visibility and validation—offering governments and providers a faster, more accessible path to formal assurance.
While the GovRAMP Security Snapshot provides early insight into a provider’s progress toward meeting requirements, GovRAMP Core validates satisfactory achievement of those core security requirements. It confirms implementation of 60 foundational NIST controls selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level baseline.
Core is assessed directly by the GovRAMP PMO and provides a structured, standards-based milestone that strengthens provider visibility and public sector confidence—without requiring an immediate leap to full authorization.
And because Core does not require a 3PAO assessment, it reduces the burden for providers where a full audit may not yet be practical—supporting faster adoption of secure solutions across the public sector.

Why Core Matters
For Public Sector
Fill the gap between Progressing Snapshot and full authorization
Make faster, risk-aligned procurement decisions
Increase visibility into vendor maturity with independent validation
For Providers
Demonstrate progress and maturity without the full 3PAO investment
Gain visibility on the Authorized Product List (APL)
Prepare for Ready or Authorized status while staying competitive
For 3PAOs
Work with more assessment-ready clients
Save time on remediation and documentation gaps
Reinforce your value as part of a maturing provider ecosystem
GovRAMP Core Process
Step 1:
All service providers must become an active GovRAMP member before their cloud products and services can be validated by the program management office, obtain a GovRAMP security status, or become listed on the GovRAMP Authorized Product List (APL).
Step 2:
While not required, many providers begin their journey by enrolling in the Progressing Snapshot Program. This step allows providers to receive early validation of progress against key security controls and engage with the GovRAMP PMO for feedback and guidance—often accelerating readiness for Core.
Step 3:
Before submitting your request for GovRAMP Core Status, you’ll need to complete a set of standardized documentation templates aligned to the Moderate Impact Level baseline. These templates help you demonstrate implementation of the 60 required security controls and include everything needed for PMO review—such as the System Security Plan (SSP), Incident Response Plan, Contingency Plan, and scan documentation guidance.
Core Template Package: this ZIP file includes all documentation templates required to apply for GovRAMP Core Status.
Step 4:
Once your documentation is complete, you’ll submit a formal request to the GovRAMP Program Management Office (PMO) to begin the Core Status review. The PMO will assess your submission for alignment with the 60 required controls mapped to the MITRE ATT&CK Framework and GovRAMP’s Moderate Impact Level.
Step 5:
Following successful validation by the PMO, your product will be awarded Core Status and listed on the GovRAMP Authorized Product List (APL). Core signals your organization’s formal progression toward Ready and Authorized statuses—and gives public sector buyers confidence in your security posture.
Step 6:
Core Status includes enrollment in quarterly Continuous Monitoring (ConMon). This allows the PMO and government stakeholders to monitor ongoing security performance, identify risk trends, and ensure continued alignment with the Core baseline over time.
Frequently Asked Questions
GovRAMP Core includes a one-time annual PMO assessment fee, which covers review of submitted documentation, validation of the required security controls, and product listing on the Authorized Product List (APL). No 3PAO audit is required for Core Status.
Annual PMO Assessment Fee for Core Status:
$9,000 – Providers with less than $1M in annual revenue
$11,000 – Providers with $1M to $5M in annual revenue
$17,000 – Providers with over $5M in annual revenue
Once Core Status is awarded, providers are enrolled in Quarterly Continuous Monitoring (ConMon). This is a recurring fee billed each quarter, based on provider revenue.
Quarterly Continuous Monitoring Fee for Core Status:
$250 per quarter – Providers with less than $1M in annual revenue
$500 per quarter – Providers with $1M to $5M in annual revenue
$1,000 per quarter – Providers with over $5M in annual revenue
GovRAMP Core includes enrollment in quarterly Continuous Monitoring (ConMon), which is reviewed by the GovRAMP Program Management Office (PMO). While full ConMon data is not public, Participating Governments may request access to your ConMon profile through GovRAMP, ensuring transparency for procurement officials while protecting sensitive provider information. Providers must approve the requested access to enable viewing privileges for Participating Governments.
Yes. Once you are approved for GovRAMP Core, your cloud product will be listed on the GovRAMP Authorized Product List (APL) as a Core-verified offering. This visibility signals to government buyers that you’ve achieved formal validation and are progressing toward Ready or Authorized status.
Core assessments are conducted directly by the GovRAMP PMO. The review focuses on validating implementation of 60 foundational controls selected based on the MITRE ATT&CK Framework and aligned with the Moderate Impact Level. The review includes documentation analysis, scan result validation, and overall program posture evaluation—no 3PAO assessment is required.