The First Step Toward Verifying Cloud Products for Government
A helpful moment-in-time representation of a product and provider’s cybersecurity maturity, the GovRAMP Security Snapshot helps providers begin their cybersecurity journey. Service providers receive a detailed gap analysis that validates their product’s security maturity beyond self-attestation and measures it against the minimum mandatory requirements for GovRAMP Ready status.
MITRE ATT&CK Framework and Scoring
Effective January 1, 2024, the Security Snapshot criteria and scoring are updated to align with baselines based on NIST 800-53 Rev. 5 and the MITRE ATT&CK framework control protection values. Weighted scoring based on the MITRE ATT&CK framework was selected to ensure the Security Snapshot criteria emphasize the best practices that have the greatest impact on improving security defense.
The Single Security Snapshot Process
Step 1:
All service providers must become an active GovRAMP member before their cloud products and services can be validated by the Program Management Office, obtain a GovRAMP security status, or be listed on the GovRAMP Authorized Product List (APL).
Step 2:
Complete the GovRAMP Service Request Form to initiate your Security Snapshot. This form collects key information about your organization and product to help the PMO team determine next steps.
After submission, you will receive instructions from the GovRAMP PMO security team, including details regarding payment, scheduling your intake meeting, and other process steps.
Step 3:
Prior to your one-hour intake meeting, review the Security Snapshot scoring criteria and prepare the necessary artifacts for each criterion met.
Step 4:
After your intake meeting, you have 28 days to upload all required documentation. This ensures the PMO team can complete the assessment efficiently.
Step 5:
Service providers will receive a formal letter from the GovRAMP PMO containing their product’s security maturity score. Scores are not publicly disclosed, and sharing is at the discretion of the service provider.
Frequently Asked Questions
Effective January 1, 2024, the Security Snapshot criteria and scoring are updated to align with baselines based on NIST 800-53 Rev. 5 and the MITRE ATT&CK framework control protection values. The updated criteria include the highest-scoring MITRE ATT&CK control protection values from GovRAMP’s Minimum Mandates for Ready (Rev. 5). Scoring is weighted according to the control protection value assigned in the NIST/MITRE ATT&CK Framework study and is expressed as a percentage out of 100. Weighted scoring based on the MITRE ATT&CK framework was selected to ensure the Security Snapshot criteria emphasize the best practices that have the greatest impact on improving security defense. Review the GovRAMP Security Snapshot Criteria and Scoring policy for more information.
A letter will be issued to the provider by the GovRAMP PMO with the product’s security maturity score. Scores are not publicly posted, and any sharing of the score is at the discretion of the provider.
We will make our best effort to deliver a Snapshot score within 3 weeks of payment. If you have any time constraints due to solicitations, please note them on the GovRAMP Security Snapshot request form, and the security team at the Program Management Office will do their best to honor them.
The updated GovRAMP fee schedule outlines the costs for the GovRAMP Security Snapshot.
Providers can begin the Security Snapshot process by becoming a member of GovRAMP and submitting a Security Snapshot Request. After submission, providers will receive more information from the security team at the Program Management Office regarding payment and how to schedule a meeting to begin the intake process.
Prior to the one-hour intake meeting, we encourage you to read and understand the scoring criteria so you are prepared to provide artifacts for each criterion you meet. The required team members should be available on the Snapshot call to answer any follow-up questions.
Fill out the Snapshot request form to get started.