GovRAMP Security Program
A flexible, step-by-step path to cloud security validation
The GovRAMP Security Program gives service providers a clear way to show their security posture and helps government organizations confidently evaluate vendor risk.
Built on NIST SP 800-53 Rev. 5, the program offers a simple, step-by-step path from initial maturity to full verification—reducing duplication and improving consistency across the public sector.
How the GovRAMP Security Program Works
The GovRAMP Security Program is a progressive model that allows service providers to start where they are and advance toward higher levels of security validation over time.
Each step builds on the last, increasing assurance for government buyers while helping providers strengthen their security posture. Organizations can progress based on their needs, whether stopping their full verification at Core or continuing to Authorized.
How GovRAMP and the GovRAMP PMO Work Together
Working with Participating Governments?
If you are pursuing GovRAMP because a government organization has required it, you can explore their specific program guidance and requirements.
Visit the Participating Government Organizations page to find your government partner and access additional details on their adoption approach.
Understand the GovRAMP Pathway
The GovRAMP Security Program is a step-by-step pathway that helps organizations assess, improve, and validate their security over time.
- Membership
  Private sector membership is the foundation for participating in the GovRAMP Security Program. It provides access to official templates, resources, and Program Management Office (PMO) guidance, helping organizations determine their starting point and navigate requirements with clarity.
- Single Security Snapshot
  An initial, PMO-validated assessment of 40 foundational NIST controls. It establishes a baseline understanding of security posture and helps providers identify gaps while giving governments early visibility into vendor maturity.
- Progressing Security Snapshot Program
  An ongoing program that builds on the initial snapshot through quarterly assessments and monthly guidance. It helps providers demonstrate measurable improvement over time while preparing for higher levels of validation.
- Core Verification
  A foundational verified status based on 60 prioritized NIST controls. It demonstrates baseline security maturity through PMO validation, required documentation, and quarterly continuous monitoring, and does not require a 3PAO assessment.
- Ready Verification
  An independently assessed status based on 80 NIST controls, validated by both a 3PAO and the PMO. It confirms a strong level of security readiness and supports broader procurement opportunities.
- Authorized / Provisional Verification
  The highest level of GovRAMP validation, based on a comprehensive assessment of 300+ NIST controls. It confirms full alignment with rigorous security requirements and supports government-wide trust and reuse.
Provisionally Authorized status may be assigned when a product meets Authorized verification requirements but has limited outstanding conditions that do not materially impact its overall security posture.
Aligning to Additional Security Requirements
GovRAMP overlays provide guidance to help service providers align with specialized requirements and evolving cybersecurity priorities while reducing duplication across standards.
Resources to Support Your Journey
GovRAMP provides a set of standardized resources to guide service providers, assessors, and government stakeholders through each phase of the security program.