GovRAMP Security Program Risk Acceptance Model

GovRAMP Standards
GovRAMP has selected the NIST SP 800-53, Rev. 5 framework as the foundation for all applicable standards. This choice follows the practice established by FedRAMP and reflects the fact that most security frameworks used by state and local governments are already tied to NIST SP 800-53. The framework is applied when assessing the specific products that service providers offer to state and local governments and other public sector organizations.
The following outlines GovRAMP policies that establish GovRAMP security standards and requirements. These policies are adopted and reviewed annually by the GovRAMP Standards and Technical Committee and Board of Directors.
| Rev. 5 Document | Description |
|---|---|
| | Outlines the process and steps required for Cloud Service Providers (CSPs) to undergo a security assessment to meet GovRAMP Rev. 5 standards. This framework guides both CSPs and Third-Party Assessment Organizations (3PAOs) through the assessment and authorization process. |
| | Defines the criteria used to generate a security snapshot of a provider's system, offering a quick overview of its security posture. This document also explains how scoring is determined based on the implemented controls and potential risks. |
| | Developed by the NASPO/GovRAMP Procurement Task Force, this tool is designed to help government procurement professionals, risk managers, and IT experts collaborate effectively, ensuring that cybersecurity is prioritized throughout the procurement process. |
| Low Impact Service Provider Package for GovRAMP Ready & Authorized | This resource package supports cloud service providers seeking or maintaining GovRAMP Ready or Authorized status at the Low Impact level. It includes standardized templates, documentation requirements, and process guidance to facilitate streamlined submissions and consistent alignment with GovRAMP's Low baseline. |
| Moderate Impact Service Provider Package for GovRAMP Core, Ready & Authorized | This resource package is designed for cloud service providers pursuing or maintaining GovRAMP Moderate Impact statuses (Core, Ready, or Authorized). It includes required documentation, templates, and guidance aligned to the GovRAMP Moderate baseline, enabling consistent preparation, submission, and maintenance throughout the security authorization lifecycle. |
| | This package is tailored for cloud service providers that have achieved GovRAMP Authorization at the Moderate Impact level with Criminal Justice Information Services (CJIS) alignment. It includes finalized templates, documentation requirements, and post-authorization resources to support ongoing compliance and continuous monitoring for systems handling CJIS-regulated data. |
| | This document outlines the 60 prioritized security controls required for GovRAMP Core status. These controls are selected from the NIST SP 800-53, Rev. 5 framework and aligned with the Moderate Impact baseline. Service providers pursuing Core should use this resource to understand the control expectations and begin preparing evidence for PMO-led review. |
| | This document package provides accredited Third-Party Assessment Organizations (3PAOs) with the required templates and resources for conducting assessments of Low Impact cloud offerings under the GovRAMP program. |
| | This document package provides accredited Third-Party Assessment Organizations (3PAOs) with the required templates and resources for conducting assessments of Moderate Impact cloud offerings under the GovRAMP program. |
| | This assessment package provides accredited Third-Party Assessment Organizations (3PAOs) with templates and guidance for evaluating Moderate Impact cloud systems with Criminal Justice Information Services (CJIS) alignment requirements. It supports consistent application of GovRAMP's control baselines and assessment standards for providers working with justice and law enforcement data. |
| | Specifies the minimum security requirements that CSPs must meet to achieve GovRAMP "Ready" status for systems categorized as Low Impact under Rev. 5. This document outlines the initial security baseline for these systems. |
| Ready Minimum Mandatory Requirements for Moderate and High Impact Levels | Details the minimum security requirements for CSPs to reach "Ready" status for systems categorized as Moderate or High Impact under GovRAMP. These systems are subject to stricter security controls under Rev. 5 to ensure data protection. |
| | Provides a breakdown of the baseline security controls required for GovRAMP authorization, organized by impact level (Low, Moderate, High), so that CSPs can readily identify the controls relevant to their specific system. |
| | Offers guidance on defining the boundary of a CSP's system as it relates to GovRAMP authorization. It helps service providers and assessors determine which parts of a system are in scope for security assessment under Rev. 5. |
| | Explains the requirements and best practices for conducting penetration testing as part of the GovRAMP security assessment, so that tests align with Rev. 5 controls and effectively identify vulnerabilities. |
| | Provides instructions on how CSPs should continuously monitor their systems after authorization to maintain compliance with GovRAMP's Rev. 5 standards. It outlines monitoring activities and reporting requirements to ensure ongoing security. |
| | A detailed guide to the specific requirements for conducting regular vulnerability scans of CSP systems. This document aligns with Rev. 5 standards so that CSPs proactively identify and address security weaknesses. |
| | Outlines the procedures that CSPs should follow when communicating with GovRAMP and relevant stakeholders in the event of a security incident, ensuring timely and effective responses in alignment with Rev. 5 standards. |
| | Provides a detailed process for escalating issues identified during continuous monitoring, ensuring that CSPs and assessors address serious risks promptly. It aligns with Rev. 5 to maintain system security and compliance over time. |
We are here to support.
Our team is here to support you through the transition from Rev. 4 to Rev. 5. If you have any questions or need assistance, please contact us at pmo@stateramp.org.