How the GovRAMP Approvals Committee Streamlines Sponsorship

Announcing the GovRAMP Approvals Committee

The newly formed GovRAMP Approvals Committee is making the path to cybersecurity validation simple and straightforward.

Formed by the GovRAMP Board and Nominating Committee, the Approvals Committee includes five members, uniting experience in state and local government and higher education. Their work will help service providers who offer or use IaaS, PaaS, or SaaS solutions that process, store, or transmit government data be sure their products meet stringent government industry verification standards and receive an Authorized status for their product.

Learn more about the GovRAMP Approvals Committee, including the specific ways it’s helping service providers verify their cybersecurity posture, the expertise each member brings to the organization, and how to engage the Approvals Committee to begin cybersecurity validation.

Quick Links

What is the GovRAMP Approvals Committee?
Who is on the GovRAMP Approvals Committee?
How to Engage the Approvals Committee
Get Involved with GovRAMP
Register for Upcoming GovRAMP Events

What Is the GovRAMP Approvals Committee?

Over the past decade, state and local governments have taken steps to secure their systems and databases from cyberthreats but have struggled to validate security compliance or oversee third-party service providers who offer or use PaaS, IaaS, or SaaS. Often, these providers handle sensitive government data alongside PII, PCI, or PHI. This gap creates an enormous opportunity for cyber criminals to target governments, disrupting vital services and impacting entire communities.

GovRAMP was formed to help establish a standardized approach to cybersecurity thresholds for service providers who offer solutions to state and local governments. GovRAMP's Board of Directors and its Nominating Committee recently formed the GovRAMP Approvals Committee, which is charged with serving as the body for Government Sponsorship for GovRAMP Authorized and GovRAMP Provisionally Authorized Statuses.

The GovRAMP Approvals Committee possesses the necessary technical and government policy knowledge and the capabilities to provide States and Local Governments with industry verification standards and guidance related to cybersecurity and third-party solutions. The committee is comprised of leaders in government, education, and cybersecurity to bring proven experience and clear insight to the committee.

Committee members serve as authorizing officials on behalf of government if a provider is unable to secure a government sponsor. In some cases, GovRAMP's Board of Directors may appoint a subject matter expert to the committee to aid in claims assessments as necessary.

Members of the GovRAMP Approvals Committee must:

1. Actively serve in state or local government
2. Be a technical security subject matter expert
3. Be knowledgeable and support the GovRAMP PMO process and objective in achieving sponsorship for service providers
4. Be able to provide regular reviews and recommendation
5. Conduct review of the GovRAMP PMO Executive Summary documentation for each service provider requesting GovRAMP Authorization
6. Render a vote to accept or reject the PMO’s recommendation
7. Evaluate each system and provide feedback to obtain clarification
8. Not be a member of the GovRAMP Appeals Committee

The Approvals Committee will approve the processes and preferred timing for monthly reviews. The process for approvals may include:

1. The Approvals Committee will review security packages for the standard baseline controls of an impact level, including: GovRAMP Low, GovRAMP Moderate and GovRAMP High. Low+ and other deviations from the standard baseline controls will not be eligible for review by the SAC.
2. Members receive notification of a product awaiting committee review.
3. The PMO will provide an executive summary which will be available via the secure GovRAMP PMO Repository.
4. The Committee will review the PMO’s executive summary, recommendation, and associated artifacts as needed within an agreed upon time frame.
5. Members will provide a vote within a secure system to accept or reject the PMO’s recommendations.

The committee will begin processing security packages in March. Providers who are interested in submitting their product to the Approvals Committee for review should reach out to info@stateramp.org.

Who Serves on the GovRAMP Approvals Committee?

GovRAMP thanks the following individuals for serving on the inaugural GovRAMP Approvals Committee:

Antoine Charles
Third Party Risk Analyst
Oklahoma Office of Management and Enterprise Services

Ken Weeks
Chief Information Security Officer
New Hampshire Department of Information Technology

Todd Ryan
Chief Technology Officer
Fulton County

Adam Mikeal
Director of IT Policy, Risk, Identity, & Data Management
Texas A&M University Division of IT

Josh Kadrmas
Governance, Risk, & Compliance Team Lead
North Dakota Information Technology

How to Engage the Approvals Committee

If you’re a provider whose product has completed a GovRAMP PMO Authorization Review and awarded a temporary Ready status, you are eligible to submit your product(s) to the Approvals Committee for review. Please contact pmo@stateramp.org to schedule your product in the approvals queue.

If you’re a provider who has not yet engaged the GovRAMP PMO for an Authorization Review, but you do intend to leverage the Approvals Committee instead of an individual government sponsor, please indicate your preference for Approvals Committee review on your PMO Security Review Application at the time of your submission.

Get Involved with GovRAMP

Whether you’re a service provider looking for clear ways to validate your product’s security posture, a government official researching how to protect citizen data, or a cybersecurity assessor researching the current ecosystem, GovRAMP has tools and resources to help.

GovRAMP offers membership options for government officials and members of private industry.

Read about the benefits of GovRAMP membership and register to become a member today by visiting the Registration page on the GovRAMP website. GovRAMP's membership applications are quick and easy, and you can join GovRAMP to get access to the Member Portal, list your product on the Authorized Vendor List, and engage the GovRAMP PMO today!

Register Now for Upcoming GovRAMP Events

The GovRAMP staff and PMO team host regular webinars to provide education and resources about GovRAMP, the mission of the nonprofit, how providers and governments can get involved, what the review process looks like, and how providers can assess their product to prepare for a PMO Security Review. Webinars are free and open to all. View all events at govramp.org/events. 

If you would like to learn more about GovRAMP and how you can get involved, email info@stateramp.org.