What Is GovRAMP Core? A New Path to Public Sector Compliance

  • June 24, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

GovRAMP has quickly become one of the most widely adopted security frameworks for cloud service providers working with state and local governments and educational institutions. With dozens of participating state agencies and educational institutions and more joining every year, it's become a go-to standard for proving trust and security in the public sector.

Now, GovRAMP is making it even easier for providers to get started. Its new GovRAMP Core designation introduces a more accessible, entry-level path to compliance that helps organizations show real progress toward authorization without having to meet the full set of requirements right away or go through an audit.

Keep reading to learn what GovRAMP Core is, why it was created, who’s eligible, and what it takes to achieve this new designation.

What is GovRAMP Core and why was it created?

GovRAMP Core is a verified security designation that sits between early interest and full authorization within the GovRAMP program. It was announced in May 2025 to give service providers a more accessible entry point and fast track into the GovRAMP ecosystem and to better support a broader range of vendors, especially small and emerging cloud companies.

Rather than requiring full implementation of the NIST 800-53 control set, GovRAMP Core focuses on a curated subset of 60 moderate-impact controls that form the foundation of a strong security posture. These controls were selected based on their alignment with both NIST 800-53 Rev. 5 and the MITRE ATT&CK framework, ensuring they address the most critical threats and attack vectors.

By introducing this intermediate step, GovRAMP aims to lower the barrier to entry for cloud service providers serving state, local, tribal, and territorial (SLTT) governments. It also provides a clear, incremental path toward full compliance, helping vendors build their security posture over time. At the same time, it gives government buyers better visibility into which providers are actively progressing toward full authorization.

Who's eligible for GovRAMP Core?

GovRAMP Core is open to any cloud service provider that:

  • Offers IaaS, PaaS, or SaaS solutions to SLTT government agencies
  • Is a GovRAMP member
  • Has implemented the 60 foundational controls required for Core status
  • Submits an annual fee to the GovRAMP PMO, based on ARR 

Unlike full Authorized or Provisional status, GovRAMP Core does not require a government sponsor. This makes it a much more accessible option for newer providers, smaller companies, or those just beginning their compliance journey.

GovRAMP Core also requires providers to participate in quarterly continuous monitoring, which allows the GovRAMP PMO and potential government buyers to track ongoing security posture and progress.

How do CSPs achieve GovRAMP Core status?

The steps to obtain GovRAMP Core are more streamlined than full authorization, but still rigorous enough to demonstrate real security maturity. Let’s walk through each one. 

1. Become a GovRAMP member

To start the process, a service provider must enroll as a GovRAMP member. This involves registering through the GovRAMP website, confirming eligibility, and gaining access to resources and support materials. Membership is required before any formal review or validation can begin.

2. Implement required controls

Next, providers must implement a set of 60 security controls across 11 control families: 

  1. Access Control (AC): 9 controls 
  2. Audit and Accountability (AU): 3 controls
  3. Configuration Management (CM): 10 controls
  4. Contingency Planning (CP): 6 controls
  5. Identification and Authentication (IA): 7 controls
  6. Incident Response (IR): 6 controls
  7. Maintenance (MA): 1 control
  8. Risk Assessment (RA): 2 controls 
  9. System and Services Acquisition (SA): 2 controls
  10. System and Communications Protection (SC): 7 controls 
  11. System and Information Integrity (SI): 7 controls

These controls are drawn from the NIST 800-53 Rev. 5 Moderate baseline and have been selected by GovRAMP for their relevance to common threats, particularly those outlined in the MITRE ATT&CK framework. The GovRAMP PMO provides a GovRAMP Core control spreadsheet CSPs can use for reference and implementation. 

In addition to implementing security controls, CSPs may need to update internal policies, configure technical safeguards, and document procedures that align with the selected controls.

3. Submit documentation and annual PMO assessment fee 

Following control implementation, the provider compiles and submits all relevant documentation to the GovRAMP PMO. This includes evidence of control implementation and any required templates or forms specified by GovRAMP. The PMO uses this documentation to determine whether the provider meets the requirements for Core status.

GovRAMP Core also includes a one-time annual PMO assessment fee, which covers review of submitted documentation, validation of the required security controls, and product listing on the Authorized Product List (APL).

Annual PMO assessment fee for GovRAMP Core status:

  • Providers with less than $1M in annual revenue: $9,000
  • Providers with $1M to $5M in annual revenue: $11,000
  • Providers with over $5M in annual revenue: $17,000

5. Begin continuous monitoring

After the initial review, CSPs must participate in quarterly continuous monitoring. This involves submitting vulnerability scan results, updating the Plan of Actions and Milestones (POA&M), and maintaining current asset inventories. Continuous monitoring helps ensure security practices remain effective over time and signals an ongoing commitment to improvement.

6. Get listed on the Authorized Product List (APL)

Once all requirements are met and the PMO approves the submission, the CSP’s offering is added to the GovRAMP Authorized Product List with a Core designation. This public listing signals to SLTT government buyers that the provider has made measurable progress toward full GovRAMP authorization.

How Secureframe can make GovRAMP Core even easier

GovRAMP Core is a smart way to demonstrate early compliance without taking on the full burden of a complete GovRAMP authorization right away. It signals to government buyers that your company is serious about security, actively improving, and on a path to full authorization.

It’s also a reflection of a broader effort to modernize federal compliance through continuous monitoring and automation, streamlining procurement and making the public-sector technology marketplace more secure.

Secureframe supports GovRAMP Low and Moderate as an out-of-the-box compliance framework, simplifying the path to GovRAMP Authorization. For GovRAMP Core, organizations can easily create a custom framework based on a subset of GovRAMP Moderate controls.

  • Compliance expertise: Our team includes former FedRAMP, FISMA, and CMMC auditors who can guide you at each step of the process.
  • Federal cloud integrations: Among 300+ native integrations, Secureframe integrates with AWS GovCloud, Azure Government, and Microsoft GCC High to automate evidence collection and infrastructure monitoring.
  • Automated documentation: Generate your System Security Plan (SSP) and POA&M and access customizable policy templates written by federal compliance experts.
  • Trusted 3PAO network: We connect you with experienced, certified Third-Party Assessment Organizations (3PAOs) to help you get independently assessed for Core status.
  • Cross-mapping across frameworks: Apply controls across other government frameworks like FedRAMP, CMMC 2.0, TX-RAMP, CJIS, and NIST 800-171 to save time and avoid duplicate work.
  • Continuous monitoring: Secureframe continuously monitors your tech stack for failing controls, gaps, and nonconformities. You can configure test intervals to stay on track with GovRAMP’s ongoing monitoring requirements.

With Secureframe, organizations can spend less time managing checklists and more time building a strong, scalable security posture. To learn more about how Secureframe can help you achieve GovRAMP Core status and beyond, schedule a demo with a product expert.
