
A Guide to GovRAMP: Benefits, Requirements, and How to Get Authorized
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Cloud solutions have become indispensable for nearly every organization, including government agencies. Yet with the widespread adoption of cloud service providers comes the challenge of ensuring those providers meet robust cybersecurity standards.
GovRAMP, formerly known as StateRAMP, helps state and local governments, public education institutions, and tribal entities securely adopt cloud technologies. Built on the NIST 800-53 framework, GovRAMP ensures that cloud service providers (CSPs) meet rigorous cybersecurity and data privacy requirements.
Below, we’ll explain GovRAMP’s core components, how it compares to FedRAMP, and the GovRAMP verification process. You’ll also find a GovRAMP compliance checklist and answers to frequently asked questions.
What is GovRAMP?
GovRAMP is a nonprofit membership organization that standardizes cloud security requirements across state, local, tribal, and educational (SLTT) government entities. It provides a unified framework to assess, authorize, and continuously monitor cloud service providers through third-party audits based on NIST 800-53 controls.
While not affiliated with the federal government, GovRAMP mirrors the FedRAMP model and uses NIST 800-53 as the foundation for evaluating vendors and their cybersecurity practices.
In February 2025, StateRAMP changed its name to GovRAMP to better reflect the organization's expanded role in unifying cloud security standards across all levels of government. The name StateRAMP no longer fit the full scope of its work, especially as more cloud providers support not just state and local agencies, but also tribal, educational, and even some federal entities.
The new name, GovRAMP, better captures the organization's mission: to bring public and private sectors together around a shared, trusted approach to cloud security. It’s still the same organization, with the same leadership and goals, just operating under a name that’s more inclusive of the broader government community it serves.
In April 2025, GovRAMP also launched the AI Security Task Force, recognizing the growing importance of artificial intelligence in cloud service offerings. The task force is charged with developing guidance to evaluate, secure, and monitor AI use cases and implementations in the public sector. It is the first formal initiative within GovRAMP to address cybersecurity risks unique to AI-enabled cloud products.
What is NIST 800-53?
GovRAMP’s Board of Directors approved transitioning to NIST 800-53 Revision 5 in May 2023.
The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a security compliance standard created by the US government. It helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA) of 2014.
NIST 800-53 is mandatory for federal information systems, organizations, and government agencies. Any organization that works with the federal government or carries federal data is required to comply with NIST 800-53 to maintain the relationship.
NIST 800-53 is considered the gold standard for federal data security and is designed to be general and applicable to federal agencies, including the Department of Labor. Both the Federal Risk and Authorization Management Program (FedRAMP) and GovRAMP are derivatives of the NIST 800-53 framework.
NIST 800-53 provides a comprehensive catalog of security and privacy controls designed to help organizations protect information systems. Originally developed for federal agencies under FISMA, it is now widely adopted across sectors, including SLTT governments via programs like GovRAMP.

GovRAMP vs FedRAMP
GovRAMP and FedRAMP are similar in many respects. Both are designed to help governments establish baseline cybersecurity standards for cloud service providers. Both use NIST 800-53 requirements as their evaluation criteria, along with a foundation in NIST impact levels (Low and Moderate) to assess controls. And both require continuous monitoring for continued compliance.
However, GovRAMP and FedRAMP differ in a few important ways.
GovRAMP is designed for state agencies, local governments, and higher education institutions. GovRAMP requirements can vary between different state and local governments due to the unique needs of each jurisdiction. FedRAMP was specifically designed by the General Services Administration (GSA) for federal programs and contractors using Cloud Service Providers (CSPs), and the requirements are the same regardless of state or agency.
Another important distinction is that GovRAMP is a non-profit organization. Unlike FedRAMP, it is not directly associated with the US federal government.
Organizations that already have federal authorization can apply for GovRAMP Fast Track to expedite the verification process.
Which governments use GovRAMP?
Any state, local, education, or tribal/territorial government official or IT/information security professional can become a member of the GovRAMP ecosystem by registering online. Many State, Local, and Education (SLED) organizations have adopted GovRAMP, including over two dozen state governments and public education institutions.
As of April 2025, the State of Arizona officially transitioned from AZ-RAMP to GovRAMP, further aligning with national cloud security standards.
Participating governments and institutions include:
- Alabama
- Arizona
- City of Chandler (Arizona)
- Arkansas
- Arkansas - Administrative Office of the Courts (Judicial Branch)
- California
- Sacramento County (California)
- Colorado
- Florida
- Hillsborough County Sheriff’s Office (Florida)
- Georgia
- City of Fishers (Indiana)
- Maine
- Massachusetts
- Michigan
- Minnesota
- Missouri
- Nebraska
- Nevada
- New Hampshire
- New York State Local Government Information Technology Directors’ Association
- North Carolina
- Fayetteville State University (North Carolina)
- University of North Carolina System
- North Dakota
- Oklahoma
- Texas
- Clarendon College (Texas)
- Vermont
- West Virginia
Find the full, up-to-date list of participating governments and institutions here.

GovRAMP security statuses
GovRAMP maintains an Authorized Product List (APL) which is updated daily to reflect service providers who satisfy GovRAMP requirements. There are now seven security statuses included in the APL, following the introduction of GovRAMP Core in May 2025:
Verified Offerings
- Core: Meets 60 moderate-level NIST 800-53 controls mapped to MITRE ATT&CK. Serves as a formal intermediate milestone on the path to full authorization.
- Ready: Meets minimum security requirements
- Provisional: Exceeds minimum requirements and includes a government sponsor
- Authorized: Satisfies all requirements and includes a government sponsor
Progressing Offerings
- Active: Working towards a Ready verified status
- In Process: Working towards an Authorized verified status
- Pending: Has submitted a security package to the GovRAMP Program Management Office (PMO) and is awaiting a determination of its verified status
As noted above, a government sponsor is required to achieve GovRAMP Authorized or Provisional status. Government sponsors can be any SLED government official or employee who:
- Serves in the role of Chief Information Security Officer, or their designee
- Is a GovRAMP Individual Government Member
CSPs that don’t have a government sponsor may also use a member of the GovRAMP Approvals Committee to serve as an authorizing official on behalf of the government.
Benefits of GovRAMP for cybersecurity
Since it uses NIST 800-53 as a foundation, GovRAMP compliance involves a comprehensive set of security controls for protecting information systems. Compliance with the standard offers an array of business benefits:
- Fuel Growth: Cloud solutions courting state and local governments, educational institutions, and other customers in the public sector will benefit from the enhanced credibility that comes with GovRAMP compliance and inclusion on the Authorized Products List. Stakeholders, including clients, partners, and investors, can have full confidence in the organization's commitment to cloud security.
- Stronger Security Posture: Implementing NIST 800-53 controls helps organizations protect their information systems from a range of threats, including cyberattacks, insider threats, and physical threats. The rigorous guidelines help reduce the risk of security breaches, data loss, and unauthorized data disclosure. NIST 800-53 is the gold standard among frameworks and comprehensive control sets.
- Enhanced Data Privacy: The integration of privacy controls ensures that personally identifiable information (PII) is also protected, reducing the risks associated with privacy breaches.
- Improved Incident Response: With a well-defined set of controls and processes, organizations can respond to and recover from incidents more efficiently and effectively.
- Standardized Risk Management: GovRAMP provides an organized, consistent framework for assessing the risks to information systems and for implementing appropriate security controls.
- Informed Decision Making: The guidelines aid in making informed decisions regarding security investments and resource allocations, helping prioritize security needs based on actual risks.
- Cost Savings: While achieving compliance may require an initial investment, it can result in long-term savings by preventing costly breaches and improving operational efficiency.
- Continuous Monitoring and Improvement: GovRAMP requires continuous monitoring, ensuring that security measures evolve with changing threats.
- Compliance Across Frameworks: GovRAMP requirements overlap with several other frameworks, making it an efficient way to achieve compliance with other in-demand standards such as FedRAMP, NIST, SOC 2, ISO 27001, and others. Organizations that use compliance automation software can easily map policies and controls for GovRAMP across multiple frameworks, eliminating duplicate efforts.
GovRAMP and NIST 800-53 compliance offer a thorough and well-structured approach to information security and data privacy, which has led many government and private-sector organizations to use it as a guide for their own security practices.
GovRAMP Compliance Checklist
1. Define Scope
2. Perform a Risk Assessment
3. Document Existing Policies & Controls
4. Verify or Implement NIST 800-53 Security Controls
5. Evaluate Controls
6. Authorize the System
7. Establish a Continuous Monitoring Program
8. Create an Incident Response Plan
9. Complete Security Awareness Training
10. Maintain Controls and Documentation
Streamline GovRAMP compliance with automation
Because it’s a rigorous standard, achieving GovRAMP compliance requires a significant amount of time and resources. You’ll need to complete a risk assessment and gap analysis, select and implement controls, write policies, train staff, and collect documentation and evidence for your third-party assessment organization (3PAO). And once that’s done, you’ll have to implement ongoing assessments and continuous monitoring to maintain compliance.
Secureframe supports GovRAMP as an out-of-the-box compliance framework and can significantly cut down on the amount of time and effort it takes to complete manual compliance tasks, freeing up your team to focus on strategic objectives.
Here are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks:
- Government and federal compliance expertise: Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step.
- Integrations with federal cloud products: Secureframe integrates with your existing tech stack, including AWS GovCloud, Azure Government, and Microsoft GCC High, to automate infrastructure monitoring and evidence collection.
- SSP and POA&M generation: Automate your SSP and POA&M generation to simplify control documentation and remediation tracking. Our platform also includes a full library of policy and procedure templates created by federal auditors you can customize to your organization.
- Trusted 3PAO partner network: Secureframe has strong relationships with respected Certified Third Party Assessment Organizations (C3PAOs) that can support GovRAMP and other federal audits such as FedRAMP, CMMC, and CJIS.
- Cross-mapping across frameworks: GovRAMP has many overlapping requirements with other government frameworks such as NIST 800-171, CMMC 2.0, TX-RAMP 3.0, and FedRAMP. Instead of starting from scratch, our platform can help map what you’ve already done for GovRAMP to other frameworks so you’re never duplicating efforts.
- Continuous monitoring: Secureframe integrates with your tech stack to continuously monitor for failing controls, compliance gaps, and nonconformities. Specify test intervals and get notifications for required regular tasks to maintain GovRAMP compliance.
To learn more about how Secureframe can help you comply with GovRAMP, FedRAMP, TX-RAMP, CMMC 2.0, CJIS, and other federal frameworks, schedule a demo with a product expert.
FAQs
What is the difference between GovRAMP and FedRAMP?
GovRAMP and FedRAMP are both security standards designed to help government organizations mitigate cyber threats. However, GovRAMP is a nonprofit membership organization that works to help state and local governments find secure cloud computing providers. FedRAMP caters more to cloud service providers working with the government.
Organizations that already have federal authorization (ATO, P-ATO, or Ready FedRAMP status) can apply for GovRAMP Fast Track to expedite the verification process.
What is GovRAMP certification?
Organizations may apply to be included on the GovRAMP Authorized Product List. There are six possible levels, or security statuses. Verified offerings are for service providers who have completed an independent audit and meet minimum security requirements for NIST 800-53:
- Ready: Meets minimum security requirements
- Provisional: Exceeds minimum requirements and includes a government sponsor
- Authorized: Satisfies all requirements and includes a government sponsor
Progressing offerings are organizations that are currently working with a 3PAO towards a verified offering:
- Active: Working towards a Ready verified status
- In Process: Working towards an Authorized verified status
- Pending: Has submitted a security package to the GovRAMP Program Management Office (PMO) and is awaiting a determination of its verified status
Organizations that currently have FedRAMP authorization can apply to the GovRAMP Fast Track program, which eliminates the need for an external audit.
Who does GovRAMP apply to?
GovRAMP is designed for service providers, including IaaS, PaaS, and SaaS solutions, that work with local and state government agencies and higher education institutions. Organizations can apply for GovRAMP membership at govramp.org.
Why is GovRAMP important?
In addition to helping service organizations build trust and secure customers within state and local governments and higher education institutions, GovRAMP provides organizations with clear procurement standards and guidelines for building, maintaining, and continually improving a strong cybersecurity posture.
What is the GovRAMP Security Snapshot?
GovRAMP Security Snapshot is a tool developed by GovRAMP to help service providers assess their current security posture and readiness for a 3PAO assessment. The Security Snapshot also provides a gap analysis against GovRAMP Minimum Mandatory Requirements.
Can GovRAMP compliance be used for TX-RAMP certification?
Yes, organizations can achieve TX-RAMP Level 1 certification by achieving GovRAMP Ready Status and TX-RAMP Level 2 certification by achieving GovRAMP Authorized Status.
Does GovRAMP require continuous monitoring?
Yes, GovRAMP requires continuous monitoring of CSPs to ensure ongoing compliance with security standards. CSPs must provide regular updates and undergo periodic assessments to maintain their GovRAMP status.
What is the cost of getting GovRAMP certification?
The cost of obtaining GovRAMP authorization varies depending on several factors, including the size of the CSP, the level of security certification sought, and the fees charged by the 3PAO. Costs typically cover the assessment, remediation (if necessary), and continuous monitoring.
Where can I find more information about GovRAMP?
More information about GovRAMP, including detailed guidelines, membership information, and resources, can be found on the official GovRAMP website.