A Deep Dive into GovRAMP Security Statuses

GovRAMP simplifies cloud security for Government Entities and their Third Party Cloud Suppliers and publishes an Authorized Product List (APL) at www.govramp.org, updated daily.

The APL includes cloud offerings that are working toward and have achieved a GovRAMP Authorization to verify compliance with NIST 800-53 standards.

To be listed, products must meet security requirements set forth by our Governing Committees and Board, undergo an independent audit, and comply with monthly and annual continuous monitoring requirements. We cover the process more fully in our monthly Getting Started Webinars, and we also share recent recordings of these sessions at www.govramp.org/video-library.

  • Interested in TX-RAMP? GovRAMP Authorized Products are automatically recognized by TX-RAMP through our weekly automated sync. That means GovRAMP Authorized Products appear on the TX-RAMP list with ease.
  • For Products with a FedRAMP Authorization, GovRAMP provides a Fast Track option, so that no new audit is necessary.

Our Team is always available to answer questions at info@stateramp.org.

What is included on our Authorized Product List? 

Six security statuses are recognized on the Authorized Product List. The statuses are separated into two lists based on whether they are progressing or verified offerings. Continue reading to dive deeper into what each status means.

Verified Offerings & Continuous Monitoring

GovRAMP recognizes three verified statuses: Ready, Provisionally Authorized, and Authorized.

Once a product has achieved a verified status, the product’s security posture is monitored according to the continuous monitoring requirements, which can be found on www.govramp.org/templates-resources.

Continuous monitoring includes monthly reporting from the provider to the Security Team at our Program Management Office (PMO) and an annual independent audit.

Continuous monitoring helps ensure that cloud products used by government maintain strong cybersecurity compliance. Participating GovRAMP Governments may be granted access to view continuous monitoring reporting with provider approval.

Authorized

Authorized is the highest verification level. An Authorized status shows the product has a proven and complete security package that includes, for example, a System Security Plan (SSP) and Boundary Diagram, along with all required documentation, policies, and procedures. The provider has also completed and submitted an independent audit called a Security Assessment Report (SAR), conducted by one of our GovRAMP Third Party Assessing Organizations (3PAOs). The audit evaluates compliance with the NIST 800-53 required controls, in addition to penetration testing and other reviews. A SAR Template for the audit report can be found on our resources page. The final step in attaining an Authorized status is approval by the Approvals Committee or a Government Sponsor, who affirms that the security package meets the requirements for Government.

Provisionally Authorized

A Provisionally Authorized status may be assigned by a sponsoring government if the provider has submitted a security package for Authorization consideration and is found to meet most, but not all, security requirements. Providers with a Provisionally Authorized status comply with continuous monitoring requirements, and an additional assessment may be required to obtain Authorization.

Ready

A Ready status indicates that the product meets GovRAMP's Minimum Mandatory Requirements and most critical controls. The Ready requirements are published here and vary by Impact Level for Low or Moderate/High. The security package for Ready includes a Readiness Assessment Report (RAR) submitted by a GovRAMP 3PAO, attesting to the minimum mandates. The required Ready documentation, including the boundary diagram, inventory worksheet, and roles and permissions matrix, must be included in the security package provided to our Security Team at the GovRAMP Program Management Office (PMO).

Progressing Offerings

GovRAMP recognizes cloud service offerings in the process of working toward a verified offering. For a product to be listed as in progress, the Service Provider must be engaged with a Third-Party Assessment Organization (3PAO) to conduct an independent audit. The progressing statuses are Active, In Process, and Pending.

Active

An Active status signals that a provider is working towards Ready. To be Active, the Service Provider has engaged with a 3PAO for a Readiness Assessment Report (RAR).

In Process

An In Process status shows a service provider is working toward Authorized. This status may be assigned before a product passes the minimum requirements for Ready, if the Service Provider has engaged with a 3PAO for a Security Assessment Report (SAR).

Pending

A “Pending” status is used to describe a Service Provider who has submitted a product’s security package to the GovRAMP PMO and is awaiting a determination for a verified status. Their 3PAO audit is completed, and they have completed their initial intake call with the GovRAMP PMO team.

To begin working with our Security Team at the Program Management Office (PMO), become a member and submit a Security Review Request form today!

If you have any questions about the verification process, please contact us at info@stateramp.org.

If you have specific questions about your product’s environment, please contact our security team at the Program Management Office at pmo@stateramp.org.
