Skip to main content
> GovRAMP (formerly StateRAMP)

State Risk and Authorization Management Program

Standardized cybersecurity verification for cloud services used by state and local government

Established: 2021 Last Updated: February 2025 (rebranded to GovRAMP) Scope: U.S. State and Local Government
4
Impact Levels

What is GovRAMP (formerly StateRAMP)?

StateRAMP rebranded to GovRAMP on February 14, 2025 (govramp.org), though the legal entity remains StateRAMP dba GovRAMP. The program provides standardized cybersecurity verification for cloud service providers serving state, local, tribal, and territorial governments, modeled after federal FedRAMP. Security baselines are aligned to NIST SP 800-53 Rev 5 and, for the new Core Status tier (launched May 2025), mapped to the MITRE ATT&CK framework across 60 foundational controls. Authorization levels run from Core and Low through Moderate and High. Vendors searching under either name will find the same program. The Federal JAB Attestations pathway is closing: no new applications after January 1, 2026, with the list retiring June 1, 2026 ([GovRAMP 2026 modernization](https://govramp.org/blog/2026-program-modernization-and-adoption/)).

// What is GovRAMP (formerly StateRAMP)?

GovRAMP (formerly StateRAMP) is a nonprofit organization that provides a standardized approach to cybersecurity verification for cloud service providers (CSPs) serving state and local government. On February 14, 2025, the organization rebranded from StateRAMP to GovRAMP (operating as a dba; the legal entity remains StateRAMP). Modeled after the federal FedRAMP program, GovRAMP bridges a critical gap by giving state, local, tribal, and territorial (SLTT) governments a reliable way to evaluate the security of cloud solutions.

CSPs undergo third-party assessment against NIST SP 800-53 Rev 5 controls, with authorization levels corresponding to data sensitivity: Low, Low+, Moderate, and High. In May 2025, GovRAMP introduced a new Core Status tier covering 60 foundational controls selected based on NIST SP 800-53 Rev 5 and the MITRE ATT&CK framework, giving smaller and emerging vendors an accessible entry point. GovRAMP maintains an Authorized Product List that government entities can reference during procurement.

Note: The Federal JAB Attestations list (which recognized FedRAMP JAB-authorized products) is being retired. No new applications are accepted after January 1, 2026, and the list retires on June 1, 2026.

// Inside the Regulation

GovRAMP defines security verification levels based on NIST SP 800-53 Rev 5 controls, allowing state and local governments to match vendor security to data sensitivity requirements. A Core Status tier (introduced May 2025) covers 60 foundational MITRE ATT&CK-aligned controls for vendors earlier in the authorization journey.

1

GovRAMP Core Status

Introduced May 2025. A verified security designation for cloud providers not yet ready for full authorization. Covers 60 foundational NIST SP 800-53 Rev 5 controls selected based on MITRE ATT&CK framework alignment.

Control Baseline

60 moderate-impact controls across 11 control families, chosen for alignment with the most critical attack vectors in MITRE ATT&CK.

Use Cases

Smaller and emerging cloud vendors seeking an accessible entry point into government procurement before pursuing full GovRAMP authorization.

2

GovRAMP Low

Baseline security verification for cloud systems processing non-sensitive government data.

Control Baseline

Subset of NIST SP 800-53 Low controls addressing fundamental security practices.

Use Cases

Public-facing websites, non-sensitive collaboration tools, open data platforms.

3

GovRAMP Low+

Enhanced baseline for systems processing data requiring additional protection beyond standard low-impact classification.

Additional Controls

Low baseline plus additional controls for enhanced access management, logging, and vulnerability management.

Use Cases

Internal agency tools, non-PII systems requiring moderate operational security.

4

GovRAMP Moderate

Full security verification for systems processing sensitive government data including PII.

Control Requirements

Full NIST SP 800-53 Rev 5 Moderate baseline with GovRAMP-specific parameters for state and local government context.

Use Cases

Systems processing PII, financial data, health information, law enforcement records.

Continuous Monitoring

Monthly vulnerability scanning, annual penetration testing, and ongoing Plan of Action and Milestones (POA&M) management.

5

GovRAMP High

Most rigorous verification level for systems processing the most sensitive state and local government data.

Enhanced Controls

Full control set including advanced encryption, stringent access controls, and enhanced incident response.

Use Cases

Criminal justice systems, critical infrastructure, emergency services, highly sensitive PII.

Note: GovRAMP uses FedRAMP reciprocity. CSPs with an existing FedRAMP authorization can achieve GovRAMP verification through a streamlined process. GovRAMP publishes an Authorized Product List that government procurement teams reference during vendor evaluation. Note: the Federal JAB Attestations pathway is closing (no new applications after Jan 1, 2026; list retires Jun 1, 2026) following FedRAMP's retirement of the JAB in 2024.

// Who Must Comply

  • 1 Cloud service providers selling to state government agencies
  • 2 SaaS vendors serving local government and municipalities
  • 3 Cloud providers serving K-12 school districts
  • 4 Technology vendors in states that have adopted GovRAMP (formerly StateRAMP) requirements
  • 5 Government IT departments evaluating cloud procurement
  • 6 Managed service providers hosting government workloads

// Key Requirements

Access Control

Role-based access, multi-factor authentication, and least privilege enforcement

Continuous Monitoring

Ongoing vulnerability management, configuration monitoring, and security event detection

Data Protection

Encryption at rest and in transit with key management procedures

Incident Response

Incident response plan, notification procedures, and breach reporting capabilities

Third-Party Assessment

Independent assessment by a GovRAMP-approved 3PAO against applicable control baseline

POA&M Management

Plan of Action and Milestones tracking for identified control gaps with defined remediation timelines

// Enforcement & Penalties

GovRAMP itself does not impose fines, but failure to achieve or maintain verification can disqualify cloud providers from state and local government contracts. In states that have formally adopted GovRAMP, non-compliance effectively blocks market access.

Maximum Penalty

Disqualification from state and local government contracts

Examples:

  • Removal from GovRAMP Authorized Product List
  • Loss of eligibility for government contracts in adopting states
  • Contract termination for lapsed verification status
  • Reputational impact in government procurement evaluations

// Cyber Insurance Impact

GovRAMP verification demonstrates security maturity based on NIST SP 800-53 Rev 5 standards, which can positively influence cyber insurance underwriting. Cloud providers with GovRAMP authorization may benefit from lower premiums due to validated security controls and continuous monitoring practices.

// How Breach Craft Helps

We help organizations achieve GovRAMP (formerly StateRAMP) compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of GovRAMP (formerly StateRAMP).

// Related Frameworks

// Industries That Need GovRAMP (formerly StateRAMP)

These industries commonly require GovRAMP (formerly StateRAMP) compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873