GovRAMP Security Program Risk Acceptance Model
GovRAMP Standards
GovRAMP has selected the NIST SP 800-53, Rev. 5 framework as the foundation for all applicable standards. This choice follows the best practice demonstrated by FedRAMP and reflects the fact that many security frameworks used by state and local governments are tied to NIST 800-53. The framework is applied when assessing the specific products that service providers deliver to state and local governments and other public sector organizations.
The following outlines GovRAMP policies that establish GovRAMP security standards and requirements. These policies are adopted and reviewed annually by the GovRAMP Standards and Technical Committee and Board of Directors.
| Rev. 5 Document | Description | Last Updated |
|---|---|---|
| Security Assessment Framework | Outlines the process and steps required for Cloud Service Providers (CSPs) to undergo a security assessment to meet GovRAMP Rev. 5 standards. This framework guides both CSPs and Third-Party Assessment Organizations (3PAOs) through the assessment and authorization process. | 9/20/2025 |
| Security Snapshot Criteria and Scoring | Defines the criteria used to generate a security snapshot of a provider’s system, offering a quick overview of its security posture. This document also explains how scoring is determined based on the implemented controls and potential risks. | 9/26/2024 |
| Procurement Cloud Security Resource Tool | Developed by the NASPO/GovRAMP Procurement Task Force, this tool is designed to help government procurement professionals, risk, and IT experts collaborate effectively, ensuring that cybersecurity is prioritized throughout the procurement process. | 8/28/2025 |
| Service Provider Package for Low Impact | The Service Provider Package for Low Impact is a collection of required templates and guidance used by cloud service providers seeking a GovRAMP security status at the Low Impact level. These resources help organizations document how their systems protect government data by outlining the minimum security expectations aligned with GovRAMP’s NIST-based framework. Providers use this package to prepare their materials for review, ensure consistent documentation, and better understand what is needed to demonstrate that their solution meets baseline security requirements appropriate for lower-risk government information. | 2/16/2026 |
| Service Provider Package for Moderate Impact | The Service Provider Package for Moderate Impact is a structured set of templates, guidance, and required documentation used by cloud service providers pursuing GovRAMP security status at the Moderate Impact level. These resources help organizations clearly document how their systems safeguard more sensitive government data by aligning with GovRAMP’s NIST-based security requirements. Providers use this package to prepare for review, organize their security materials, and demonstrate that appropriate controls and processes are in place to manage risk for systems that support higher-impact government operations. | 2/16/2026 |
| Service Provider Package for Moderate Impact with CJIS Overlay | The Service Provider Package for Moderate Impact with CJIS Overlay includes the templates, guidance, and documentation requirements used by cloud service providers seeking GovRAMP security status at the Moderate Impact level while supporting criminal justice information (CJI). In addition to standard Moderate Impact security expectations, this package incorporates CJIS-aligned requirements to help providers demonstrate how their systems protect sensitive law enforcement data. Organizations use these resources to prepare consistent documentation, understand additional safeguards tied to CJIS environments, and clearly show how their security practices meet both GovRAMP and CJIS-aligned expectations. | 2/16/2026 |
| Service Provider Package for High Impact | The Service Provider Package for High Impact is a comprehensive set of templates, guidance, and required documentation used by cloud service providers pursuing GovRAMP security status at the High Impact level. These resources help organizations document how their systems protect highly sensitive government data by aligning with GovRAMP’s most rigorous NIST-based security requirements. Providers use this package to organize detailed security information, prepare for formal review, and demonstrate that strong safeguards are in place to support systems where confidentiality, integrity, and availability are critical to government operations. | 2/16/2026 |
| GovRAMP Core Controls | This document outlines the 60 prioritized security controls required for GovRAMP Core Status. These controls are selected from the NIST SP 800-53, Rev. 5 framework and aligned with the Moderate Impact Baseline. Service providers pursuing Core should use this resource to understand the control expectations and begin preparing evidence for PMO-led review. | 5/5/2025 |
| 3PAO Package for Low Impact | The 3PAO Package for Low Impact provides the templates, assessment guidance, and required materials used by accredited Third-Party Assessment Organizations (3PAOs) when evaluating cloud service providers at the Low Impact level. These resources help assessors perform consistent, structured reviews aligned with GovRAMP’s NIST-based framework, ensuring that baseline security practices for lower-risk government systems are validated clearly and efficiently. | 2/16/2026 |
| 3PAO Package for Moderate Impact | The 3PAO Package for Moderate Impact includes the standardized templates and assessment guidance used by 3PAOs to evaluate service providers supporting more sensitive government data. This package helps assessors document testing activities, validate security controls, and produce consistent deliverables aligned with GovRAMP’s Moderate Impact requirements, supporting clear and reliable review outcomes. | 2/16/2026 |
| 3PAO Package for Moderate Impact with CJIS Overlay | The 3PAO Package for Moderate Impact with CJIS Overlay provides additional assessment resources for 3PAOs evaluating environments that handle criminal justice information (CJI). Alongside standard Moderate Impact requirements, this package incorporates CJIS-aligned expectations to help assessors verify that appropriate safeguards are in place for law enforcement data, while maintaining consistent reporting and documentation practices. | 2/16/2026 |
| 3PAO Package for High Impact | The 3PAO Package for High Impact contains the comprehensive templates, testing guidance, and reporting materials used by 3PAOs when assessing systems that manage highly sensitive government information. Designed to support GovRAMP’s most rigorous security expectations, this package helps assessors conduct thorough evaluations, document detailed findings, and ensure that critical security controls are properly validated. | 2/16/2026 |
| Authorization Boundary Guidance | Offers guidance on defining the boundaries of a CSP’s system as it relates to GovRAMP authorization. It helps service providers and assessors determine which parts of a system are in scope for security assessment under Rev. 5. | 8/7/2024 |
| Penetration Test Guidance | Explains the requirements and best practices for conducting penetration testing as part of the GovRAMP security assessment. This document ensures that tests align with Rev. 5 controls and effectively identify vulnerabilities. | 6/6/2023 |
| Continuous Monitoring Guide | Provides instructions on how CSPs should continuously monitor their systems after authorization to maintain compliance with GovRAMP’s Rev. 5 standards. It outlines monitoring activities and reporting requirements to ensure ongoing security. | 9/20/2024 |
| Vulnerability Scan Requirements Guide | A detailed guide on the specific requirements for conducting regular vulnerability scans of CSP systems. This document aligns with Rev. 5 standards to ensure that CSPs proactively identify and address security weaknesses. | 8/30/2024 |
| Incident Communications Procedures | Outlines the procedures that CSPs should follow when communicating with GovRAMP and relevant stakeholders in the event of a security incident. This ensures timely and effective responses in alignment with Rev. 5 standards. | 8/30/2024 |
| Continuous Monitoring Escalation Process Guide | Provides a detailed process for escalating issues identified during continuous monitoring, ensuring that CSPs and assessors address serious risks promptly. It aligns with Rev. 5 to maintain system security and compliance over time. | 9/20/2024 |
| GovRAMP Progressing Security Snapshot Program Requirements and Progressing Improvement Guide | This guide outlines the requirements, roles, and processes for participating in the GovRAMP Progressing Snapshot Program, including quarterly snapshot assessments, progressing improvement expectations, and continuous monitoring responsibilities for service providers and government stakeholders. | 1/1/2026 |
We are here to support.
Our team is here to support you through the transition from Rev. 4 to Rev. 5. If you have any questions or need assistance, please contact us at pmo@govramp.org.