State Risk and Authorization Management Program
Standardized cybersecurity verification for cloud services used by state and local government
What is GovRAMP (formerly StateRAMP)?
StateRAMP rebranded to GovRAMP on February 14, 2025 (govramp.org), though the legal entity remains StateRAMP dba GovRAMP. The program provides standardized cybersecurity verification for cloud service providers serving state, local, tribal, and territorial governments, modeled after federal FedRAMP. Security baselines are aligned to NIST SP 800-53 Rev 5 and, for the new Core Status tier (launched May 2025), mapped to the MITRE ATT&CK framework across 60 foundational controls. Authorization levels run from Core and Low through Moderate and High. Vendors searching under either name will find the same program. The Federal JAB Attestations pathway is closing: no new applications after January 1, 2026, with the list retiring June 1, 2026 ([GovRAMP 2026 modernization](https://govramp.org/blog/2026-program-modernization-and-adoption/)).
// What is GovRAMP (formerly StateRAMP)?
GovRAMP (formerly StateRAMP) is a nonprofit organization that provides a standardized approach to cybersecurity verification for cloud service providers (CSPs) serving state and local government. On February 14, 2025, the organization rebranded from StateRAMP to GovRAMP (operating as a dba; the legal entity remains StateRAMP). Modeled after the federal FedRAMP program, GovRAMP bridges a critical gap by giving state, local, tribal, and territorial (SLTT) governments a reliable way to evaluate the security of cloud solutions.
CSPs undergo third-party assessment against NIST SP 800-53 Rev 5 controls, with authorization levels corresponding to data sensitivity: Low, Low+, Moderate, and High. In May 2025, GovRAMP introduced a new Core Status tier covering 60 foundational controls selected based on NIST SP 800-53 Rev 5 and the MITRE ATT&CK framework, giving smaller and emerging vendors an accessible entry point. GovRAMP maintains an Authorized Product List that government entities can reference during procurement.
Note: The Federal JAB Attestations list (which recognized FedRAMP JAB-authorized products) is being retired. No new applications are accepted after January 1, 2026, and the list retires on June 1, 2026.
// Inside the Regulation
GovRAMP defines security verification levels based on NIST SP 800-53 Rev 5 controls, allowing state and local governments to match vendor security to data sensitivity requirements. A Core Status tier (introduced May 2025) covers 60 foundational MITRE ATT&CK-aligned controls for vendors earlier in the authorization journey.
GovRAMP Core Status
Introduced May 2025. A verified security designation for cloud providers not yet ready for full authorization. Covers 60 foundational NIST SP 800-53 Rev 5 controls selected based on MITRE ATT&CK framework alignment.
Control Baseline
60 moderate-impact controls across 11 control families, chosen for alignment with the most critical attack vectors in MITRE ATT&CK.
Use Cases
Smaller and emerging cloud vendors seeking an accessible entry point into government procurement before pursuing full GovRAMP authorization.
GovRAMP Low
Baseline security verification for cloud systems processing non-sensitive government data.
Control Baseline
Subset of NIST SP 800-53 Low controls addressing fundamental security practices.
Use Cases
Public-facing websites, non-sensitive collaboration tools, open data platforms.
GovRAMP Low+
Enhanced baseline for systems processing data requiring additional protection beyond standard low-impact classification.
Additional Controls
Low baseline plus additional controls for enhanced access management, logging, and vulnerability management.
Use Cases
Internal agency tools, non-PII systems requiring moderate operational security.
GovRAMP Moderate
Full security verification for systems processing sensitive government data including PII.
Control Requirements
Full NIST SP 800-53 Rev 5 Moderate baseline with GovRAMP-specific parameters for state and local government context.
Use Cases
Systems processing PII, financial data, health information, law enforcement records.
Continuous Monitoring
Monthly vulnerability scanning, annual penetration testing, and ongoing Plan of Action and Milestones (POA&M) management.
GovRAMP High
Most rigorous verification level for systems processing the most sensitive state and local government data.
Enhanced Controls
Full control set including advanced encryption, stringent access controls, and enhanced incident response.
Use Cases
Criminal justice systems, critical infrastructure, emergency services, highly sensitive PII.
Note: GovRAMP uses FedRAMP reciprocity. CSPs with an existing FedRAMP authorization can achieve GovRAMP verification through a streamlined process. GovRAMP publishes an Authorized Product List that government procurement teams reference during vendor evaluation. Note: the Federal JAB Attestations pathway is closing (no new applications after Jan 1, 2026; list retires Jun 1, 2026) following FedRAMP's retirement of the JAB in 2024.
// Who Must Comply
- 1 Cloud service providers selling to state government agencies
- 2 SaaS vendors serving local government and municipalities
- 3 Cloud providers serving K-12 school districts
- 4 Technology vendors in states that have adopted GovRAMP (formerly StateRAMP) requirements
- 5 Government IT departments evaluating cloud procurement
- 6 Managed service providers hosting government workloads
// Key Requirements
Access Control
Role-based access, multi-factor authentication, and least privilege enforcement
Continuous Monitoring
Ongoing vulnerability management, configuration monitoring, and security event detection
Data Protection
Encryption at rest and in transit with key management procedures
Incident Response
Incident response plan, notification procedures, and breach reporting capabilities
Third-Party Assessment
Independent assessment by a GovRAMP-approved 3PAO against applicable control baseline
POA&M Management
Plan of Action and Milestones tracking for identified control gaps with defined remediation timelines
// Enforcement & Penalties
GovRAMP itself does not impose fines, but failure to achieve or maintain verification can disqualify cloud providers from state and local government contracts. In states that have formally adopted GovRAMP, non-compliance effectively blocks market access.
Disqualification from state and local government contracts
Examples:
- Removal from GovRAMP Authorized Product List
- Loss of eligibility for government contracts in adopting states
- Contract termination for lapsed verification status
- Reputational impact in government procurement evaluations
// Cyber Insurance Impact
GovRAMP verification demonstrates security maturity based on NIST SP 800-53 Rev 5 standards, which can positively influence cyber insurance underwriting. Cloud providers with GovRAMP authorization may benefit from lower premiums due to validated security controls and continuous monitoring practices.
// How Breach Craft Helps
We help organizations achieve GovRAMP (formerly StateRAMP) compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of GovRAMP (formerly StateRAMP).
// Industries That Need GovRAMP (formerly StateRAMP)
These industries commonly require GovRAMP (formerly StateRAMP) compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873