
A Guide to GovRAMP: Benefits, Requirements, and How to Get Authorized

June 23, 2025

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Cloud solutions have become indispensable for nearly every organization, including government agencies. Yet with the widespread adoption of cloud service providers comes the challenge of ensuring those providers meet robust cybersecurity standards.

GovRAMP, formerly known as StateRAMP, helps state and local governments, public education institutions, and tribal entities securely adopt cloud technologies. Built on the NIST 800-53 framework, GovRAMP ensures that cloud service providers (CSPs) meet rigorous cybersecurity and data privacy requirements.

Below, we’ll explain GovRAMP’s core components, how it compares to FedRAMP, and the GovRAMP verification process. You’ll also find a GovRAMP compliance checklist and answers to frequently asked questions.

What is GovRAMP?

GovRAMP is a nonprofit membership organization that standardizes cloud security requirements across state, local, tribal, and educational (SLTT) government entities. It provides a unified framework to assess, authorize, and continuously monitor cloud service providers through third-party audits based on NIST 800-53 controls.

While not affiliated with the federal government, GovRAMP mirrors the FedRAMP model and uses NIST 800-53 as the foundation for evaluating vendors and their cybersecurity practices.

In February 2025, StateRAMP changed its name to GovRAMP to better reflect the organization's expanded role in unifying cloud security standards across all levels of government. The name StateRAMP no longer fit the full scope of its work, especially as more cloud providers support not just state and local agencies, but also tribal, educational, and even some federal entities.

The new name, GovRAMP, better captures the organization's mission: to bring public and private sectors together around a shared, trusted approach to cloud security. It’s still the same organization, with the same leadership and goals, just operating under a name that’s more inclusive of the broader government community it serves. 

In April 2025, GovRAMP also launched the AI Security Task Force, recognizing the growing importance of artificial intelligence in cloud service offerings. The task force is charged with developing guidance to evaluate, secure, and monitor AI use cases and implementations in the public sector. It is the first formal initiative within GovRAMP to address cybersecurity risks unique to AI-enabled cloud products.

What is NIST 800-53?

GovRAMP’s Board of Directors approved transitioning to NIST 800-53 Revision 5 in May 2023.

The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a security compliance standard created by the US government. It helps organizations of all types properly architect and manage their information security systems and comply with the Federal Information Security Modernization Act (FISMA) of 2014.

NIST 800-53 is mandatory for federal information systems, organizations, and government agencies. Any organization that works with the federal government or carries federal data is required to comply with NIST 800-53 to maintain the relationship.

NIST 800-53 is considered the gold standard for federal data security and is designed to be general and applicable to federal agencies, including the Department of Labor. Both the Federal Risk and Authorization Management Program (FedRAMP) and GovRAMP are derivatives of the NIST 800-53 framework.

NIST 800-53 provides a comprehensive catalog of security and privacy controls designed to help organizations protect information systems. Originally developed for federal agencies under FISMA, it is now widely adopted across sectors, including SLTT governments via programs like GovRAMP.


GovRAMP vs FedRAMP

GovRAMP and FedRAMP are similar in many respects. Both are designed to help governments establish baseline cybersecurity standards for cloud service providers. Both use NIST 800-53 requirements as their evaluation criteria, along with a foundation in NIST impact levels (Low and Moderate) to assess controls. And both require continuous monitoring for continued compliance.

However, GovRAMP and FedRAMP differ in a few important ways.

GovRAMP is designed for state agencies, local governments, and higher education institutions. GovRAMP requirements can vary between different state and local governments due to the unique needs of each jurisdiction. FedRAMP was specifically designed by the General Services Administration (GSA) for federal programs and contractors using Cloud Service Providers (CSPs), and the requirements are the same regardless of state or agency.

Another important distinction is that GovRAMP is a non-profit organization. Unlike FedRAMP, it is not directly associated with the US federal government.

Organizations that already have federal authorization can apply for GovRAMP Fast Track to expedite the verification process.

Which governments use GovRAMP?

Any state, local, education, or tribal/territorial government official or IT/information security professional can become a member of the GovRAMP ecosystem by registering online. Many State, Local, and Education (SLED) organizations have adopted GovRAMP, including over two dozen state governments and public education institutions.

As of April 2025, the State of Arizona officially transitioned from AZ-RAMP to GovRAMP, further aligning with national cloud security standards.

Participating governments and institutions include:

  • Alabama
  • Arizona
  • City of Chandler (Arizona)
  • Arkansas
  • Arkansas - Administrative Office of the Courts (Judicial Branch)
  • California
  • Sacramento County (California)
  • Colorado
  • Florida
  • Hillsborough County Sheriff’s Office (Florida)
  • Georgia
  • City of Fishers (Indiana)
  • Maine
  • Massachusetts
  • Michigan
  • Minnesota
  • Missouri
  • Nebraska
  • Nevada
  • New Hampshire
  • New York State Local Government Information Technology Directors’ Association
  • North Carolina
  • Fayetteville State University (North Carolina)
  • University of North Carolina System
  • North Dakota
  • Oklahoma
  • Texas
  • Clarendon College (Texas)
  • Vermont
  • West Virginia

Find the full, up-to-date list of participating governments and institutions on the official GovRAMP website.

GovRAMP security statuses

GovRAMP maintains an Authorized Product List (APL) which is updated daily to reflect service providers who satisfy GovRAMP requirements. There are now seven security statuses included in the APL, following the introduction of GovRAMP Core in May 2025:

Verified Offerings

  • Core: Meets 60 moderate-level NIST 800-53 controls mapped to MITRE ATT&CK. Serves as a formal intermediate milestone on the path to full authorization.
  • Ready: Meets minimum security requirements
  • Provisional: Exceeds minimum requirements and includes a government sponsor
  • Authorized: Satisfies all requirements and includes a government sponsor

Progressing Offerings

  • Active: Working towards a Ready verified status
  • In Process: Working towards an Authorized verified status
  • Pending: Has submitted a security package to the GovRAMP Program Management Office (PMO) and is awaiting their determined verified status

As noted above, a government sponsor is required to achieve GovRAMP Authorized or Provisional status. Government sponsors can be any SLED government official or employee who:

  • Serves in the role of Chief Information Security Officer, or their designee
  • Is a GovRAMP Individual Government Member

CSPs that don’t have a government sponsor may also use a member of the GovRAMP Approvals Committee to serve as an authorizing official on behalf of the government.

Benefits of GovRAMP for cybersecurity

Since it uses NIST 800-53 as a foundation, GovRAMP compliance involves a comprehensive set of security controls for protecting information systems. Compliance with the standard offers an array of business benefits:

  • Fuel Growth: Cloud solutions courting state and local governments, educational institutions, and other customers in the public sector will benefit from the enhanced credibility that comes with GovRAMP compliance and inclusion on the Authorized Products List. Stakeholders, including clients, partners, and investors, can have full confidence in the organization's commitment to cloud security.
  • Stronger Security Posture: Implementing NIST 800-53 controls helps organizations protect their information systems from a range of threats, including cyberattacks, insider threats, and physical threats. The rigorous guidelines help reduce the risk of security breaches, data loss, and unauthorized data disclosure. NIST 800-53 is widely regarded as the gold standard among comprehensive control frameworks.
  • Enhanced Data Privacy: The integration of privacy controls ensures that personally identifiable information (PII) is also protected, reducing the risks associated with privacy breaches.
  • Improved Incident Response: With a well-defined set of controls and processes, organizations can respond to and recover from incidents more efficiently and effectively.
  • Standardized Risk Management: GovRAMP provides an organized, consistent framework for assessing the risks to information systems and for implementing appropriate security controls.
  • Informed Decision Making: The guidelines aid in making informed decisions regarding security investments and resource allocations, helping prioritize security needs based on actual risks.
  • Cost Savings: While achieving compliance may require an initial investment, it can result in long-term savings by preventing costly breaches and improving operational efficiency.
  • Continuous Monitoring and Improvement: GovRAMP requires continuous monitoring, ensuring that security measures evolve with changing threats.
  • Compliance Across Frameworks: GovRAMP requirements overlap with several other frameworks, making it an efficient way to achieve compliance with other in-demand standards such as FedRAMP, NIST, SOC 2, ISO 27001, and others. Organizations that use compliance automation software can easily map policies and controls for GovRAMP across multiple frameworks, eliminating duplicate efforts. 

GovRAMP and NIST 800-53 compliance offer a thorough and well-structured approach to information security and data privacy, which has led many government and private-sector organizations to use it as a guide for their own security practices.

The GovRAMP authorization process

GovRAMP’s approach to authorization reflects a broader shift happening across government that prioritizes modernization, automation, and smarter cloud security. As initiatives like FedRAMP 20x aim to reduce complexity and speed up secure cloud adoption at the federal level, GovRAMP is helping bring those same benefits to state, local, tribal, and educational institutions. The authorization process is designed to be transparent, repeatable, and grounded in continuous improvement, so agencies can move faster without compromising security.

Here’s what the GovRAMP authorization journey looks like for cloud service providers:

  1. Become a GovRAMP member: Service providers must become a GovRAMP member before their IaaS, PaaS, or SaaS solutions can be validated by the Program Management Office (PMO), obtain a GovRAMP security status, or be listed on the Authorized Product List (APL).
  2. Complete a GovRAMP Security Snapshot (Optional): This pre-assessment evaluates your organization to identify any gaps in your cybersecurity posture and ensure you’re fully compliant with GovRAMP requirements.
  3. Select the appropriate GovRAMP authorization path: Use GovRAMP’s Data Classification Tool to determine the appropriate security category and the corresponding requirements. This will help you decide whether to become GovRAMP Ready or GovRAMP Authorized. 
  4. Partner with a Third-Party Assessment Organization (3PAO): First, choose from the list of GovRAMP Approved Assessors. Then work with the 3PAO to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR) and evaluate your compliance posture.
  5. Compile Documentation: Documentation requirements differ based on the relevant verification status. If you’re pursuing Ready status, you must have 50% of your documentation completed before the 3PAO can complete the Readiness Assessment Report (RAR). If you’re preparing for your GovRAMP Authorization Review, you’ll need the following completed documentation: System Security Plan (SR-SSP), Security Controls Matrix (SR-SCM), Plan of Actions and Milestones (POA&M), and any other documents requested by the 3PAO to complete the SR-SAP and SR-SAR.
  6. Submit a Security Review Request: Once you submit all of your security documentation to the GovRAMP PMO, the average time to complete a review is a few weeks.
  7. Find a Government Sponsor or Approvals Committee: This step is only required for organizations pursuing GovRAMP Authorized status.
  8. Obtain GovRAMP Verified Status: After evaluation, your organization will receive its Verified status and be added to the Approved Vendor List.
  9. Establish Continuous Monitoring Practices: Work with your 3PAO to define the appropriate continuous monitoring approach. Each month you’ll need to update your POA&M, update your vulnerability scans and inventory worksheet, and submit a monthly report to the GovRAMP PMO for review.


GovRAMP Compliance Checklist

  1. Define Scope
  2. Perform a Risk Assessment
  3. Document Existing Policies & Controls
  4. Verify or Implement NIST 800-53 Security Controls
  5. Evaluate Controls
  6. Authorize the System
  7. Establish a Continuous Monitoring Program
  8. Create an Incident Response Plan
  9. Complete Security Awareness Training
  10. Maintain Controls and Documentation

Streamline GovRAMP compliance with automation

Because it’s a rigorous standard, achieving GovRAMP compliance requires a significant amount of time and resources. You’ll need to complete a risk assessment and gap analysis, select and implement controls, write policies, train staff, and collect documentation and evidence for your 3PAO. And once that’s done, you’ll have to implement ongoing assessments and continuous monitoring to maintain compliance. 

Secureframe supports GovRAMP as an out-of-the-box compliance framework and can significantly cut down on the amount of time and effort it takes to complete manual compliance tasks, freeing up your team to focus on strategic objectives.

Here are a few reasons organizations choose Secureframe as their partner for achieving and maintaining compliance with government and federal frameworks: 

  • Government and federal compliance expertise: Our dedicated, world-class compliance team includes former FISMA, FedRAMP, and CMMC auditors who have the expertise and experience to support you at every step. 
  • Integrations with federal cloud products: Secureframe integrates with your existing tech stack, including AWS GovCloud, Azure Government, and Microsoft GCC High, to automate infrastructure monitoring and evidence collection.
  • SSP and POA&M generation: Automate your SSP and POA&M generation to simplify control documentation and remediation tracking. Our platform also includes a full library of policy and procedure templates created by federal auditors you can customize to your organization. 
  • Trusted 3PAO partner network: Secureframe has strong relationships with respected Certified Third Party Assessment Organizations (C3PAOs) that can support GovRAMP and other federal audits such as FedRAMP, CMMC, and CJIS. 
  • Cross-mapping across frameworks: GovRAMP has many overlapping requirements with other government frameworks such as NIST 800-171, CMMC 2.0, TX-RAMP 3.0, and FedRAMP. Instead of starting from scratch, our platform can help map what you’ve already done for GovRAMP to other frameworks so you’re never duplicating efforts. 
  • Continuous monitoring: Secureframe integrates with your tech stack to continuously monitor for failing controls, compliance gaps, and nonconformities. Specify test intervals and get notifications for required regular tasks to maintain GovRAMP compliance. 

To learn more about how Secureframe can help you comply with GovRAMP, FedRAMP, TX-RAMP, CMMC 2.0, CJIS, and other federal frameworks, schedule a demo with a product expert.


FAQs

What is the difference between GovRAMP and FedRAMP?

GovRAMP and FedRAMP are both security standards designed to help government organizations mitigate cyber threats. However, GovRAMP is a nonprofit membership organization that works to help state and local governments find secure cloud computing providers, whereas FedRAMP is geared toward cloud service providers working with federal agencies.

Organizations that already have federal authorization (ATO, P-ATO, or Ready FedRAMP status) can apply for GovRAMP Fast Track to expedite the verification process. 

What is GovRAMP certification?

Organizations may apply to be included on the GovRAMP Authorized Product List. There are six possible levels, or security statuses. Verified offerings are for service providers who have completed an independent audit and meet minimum security requirements for NIST 800-53:

  • Ready: Meets minimum security requirements
  • Provisional: Exceeds minimum requirements and includes a government sponsor
  • Authorized: Satisfies all requirements and includes a government sponsor

Progressing offerings are organizations that are currently working with a 3PAO towards a verified offering:

  • Active: Working towards a Ready verified status
  • In Process: Working towards an Authorized verified status
  • Pending: Has submitted a security package to the GovRAMP Program Management Office (PMO) and is awaiting their determined verified status

Organizations that currently have FedRAMP authorization can apply to the GovRAMP Fast Track program, which eliminates the need for an external audit.

Who does GovRAMP apply to?

GovRAMP is designed for providers of IaaS, PaaS, and SaaS solutions that work with state and local government agencies and higher education institutions. Organizations can apply for GovRAMP membership at govramp.org.

Why is GovRAMP important?

In addition to helping service organizations build trust and secure customers within state and local governments and higher education institutions, GovRAMP provides organizations with clear procurement standards and guidelines for building, maintaining, and continually improving a strong cybersecurity posture. 

What is the GovRAMP Security Snapshot?

GovRAMP Security Snapshot is a tool developed by GovRAMP to help service providers assess their current security posture and readiness for a 3PAO assessment. The Security Snapshot also provides a gap analysis against GovRAMP Minimum Mandatory Requirements.  

Can GovRAMP compliance be used for TX-RAMP certification?

Yes, organizations can achieve TX-RAMP Level 1 certification by achieving GovRAMP Ready Status and TX-RAMP Level 2 certification by achieving GovRAMP Authorized Status. 

Does GovRAMP require continuous monitoring?

Yes, GovRAMP requires continuous monitoring of CSPs to ensure ongoing compliance with security standards. CSPs must provide regular updates and undergo periodic assessments to maintain their GovRAMP status.

What is the cost of getting GovRAMP certification?

The cost of obtaining GovRAMP authorization varies depending on several factors, including the size of the CSP, the level of security certification sought, and the fees charged by the 3PAO. Costs typically cover the assessment, remediation (if necessary), and continuous monitoring.

Where can I find more information about GovRAMP?

More information about GovRAMP, including detailed guidelines, membership information, and resources, can be found on the official GovRAMP website.