New updates are coming soon to the GovRAMP Authorized Product List (APL). These changes will increase the value of information included on the APL by providing an updated user interface which allows users to easily get information about a product’s position in the GovRAMP pipeline. The most notable changes relate to the introduction of a new Federal JAB status and separate lists for verified and progressing products. Our leadership teams have also approved a 90-day engagement policy to ensure the information on the APL is an accurate representation of products’ path to achieving a Ready or Authorized status.
To allow users to quickly and easily decipher where products are in the GovRAMP verification process, products will now be displayed in three distinct lists: Verified Products, Progressing Products, and Federal JAB products.
As products achieve certain milestones in the GovRAMP verification process, they will move from the Progressing Products list to the Verified Products list.
In an effort to provide recognition to those providers whose products have achieved a FedRAMP Authorization through Joint Authorization Board (JAB) approval, a new Federal JAB status has been created for providers who wish to list their product on the GovRAMP website.
Products with a FedRAMP ATO from the JAB have undergone a rigorous audit and review from both a Third Party Assessment Organization and the FedRAMP JAB. Our team wishes to highlight their efforts and provide an avenue for these products to be included on the GovRAMP website. Those providers with only a FedRAMP JAB award can receive the JAB Attestation badge and can request to include their products on the Federal JAB Attestations list. Providers interested in obtaining a Federal JAB status must still become a member of GovRAMP.
Products that have been awarded both a GovRAMP Authorized and Federal JAB status will be included on the Verified Products list as Authorized, Federal JAB. It is important to recognize the hard work of providers who went through both audits, and we are grateful for their commitment to continuous improvement.
If your product currently has a FedRAMP Authorization issued by the JAB, and you would like to list your product on the GovRAMP website, the application is now open.
When the bylaws, charters, and policies to govern GovRAMP were developed in 2020, one of the main objectives was to create an infrastructure that was transparent, standardized, and business friendly. As a result, GovRAMP adopted the use of six different security statuses to indicate the current security posture and ongoing assessments being completed by providers whose products are pursuing verification through GovRAMP. These statuses include Active, In Process, Pending, Ready, Provisionally Authorized, and Authorized, and now also include the Federal JAB status.
When the first iteration of the Authorized Product List was published in 2021, products could be listed with an Active or In Process status for an unlimited amount of time. As soon as a provider had engaged a Third Party Assessment Organization (3PAO) to complete an audit and a Readiness Assessment Report (RAR) or full Security Assessment Report (SAR) for one of their products, that product could be listed on the Authorized Product List as Active or In Process.
To ensure GovRAMP is providing state and local governments, tribal agencies, and public higher education institutions with the resources needed to make informed, risk-based decisions, and to fairly and accurately represent a product’s path to achieve a verified security status, our leadership team has adopted a new, 90-day engagement policy.
Under this new standard, products can only be listed as Active or In Process on the APL for 90 days before the provider needs to have engaged the GovRAMP PMO for a security review. If you have not engaged the PMO for a Ready Review or an Authorization Review within 90 days of listing your product as Active or In Process, your security status will lapse, and your product will be removed from the APL.
Our team understands that there are extenuating circumstances that may cause delays in the process and that completing a 3PAO audit can take some time. If you’re making a good faith effort, and can verify your 3PAO audit is currently underway, you can apply for an extension. These instances will be evaluated on a case-by-case basis.
The changes to the Authorized Product List will go live on Monday, June 20, 2022. For questions, contact info@stateramp.org.