GovRAMP Ready Status

Pursue A Higher Level of Security

Get Into Position to Meet Full Authorization Requirements

GovRAMP Ready is a verified security status attained by meeting the GovRAMP minimum mandatory requirements, demonstrated through a readiness assessment report conducted by a third-party assessment organization. Interested service providers should read through “Getting Started with GovRAMP: A Guide for Service Providers Pursuing Ready Status.”

Download the Guide

The GovRAMP Ready Process

Step 1:

Become a GovRAMP Member

All service providers must become an active GovRAMP member before their cloud products and services can be validated by the program management office, obtain a GovRAMP security status, or become listed on the GovRAMP Authorized Product List (APL).

Step 2:

Optional: Submit a Security Snapshot Request Form

As a first step toward achieving a verified GovRAMP Security Status, you may complete a GovRAMP Security Snapshot. The snapshot serves as a “pre-Ready” measurement and the criteria are designed to provide a gap analysis to validate a product’s current maturity in relation to meeting the Minimum Mandatory Requirements for GovRAMP Ready.

Step 3:

Determine Your Appropriate Security Category

Before engaging a third-party assessment organization (3PAO) or submitting documentation for review, providers must determine the appropriate GovRAMP Impact Level—Low, Low+, or Moderate—required by their prospective state or local government partners. If you are unsure, you may use our data classification tool.

Step 4:

Engage a Third-Party Assessment Organization (3PAO)

Review the list of GovRAMP-Approved Assessors and engage with a 3PAO to complete a Readiness Assessment Report (RAR) or Security Assessment Report (SAR).

Step 5:

Complete Ready Review Documentation & Security Review Request

Once engaged with a 3PAO, you must complete at least 50 percent of your documentation before the assessor can submit a GovRAMP Readiness Assessment Report to the GovRAMP Project Management Office.

Before you can submit completed documentation to the GovRAMP PMO security team, you must complete the GovRAMP Security Review Request Form. Upon receiving completed documentation and payment of a GovRAMP Ready review fee, GovRAMP will update a your status on the Authorized Product List (APL) to Pending.

Step 6:

Obtain GovRAMP Ready Verified Status

If the 3PAO attests to the your readiness, the GovRAMP PMO has verified that the your product meets the minimum mandatory requirements and most critical controls, and all outstanding issues or inquiries have been resolved, the provider’s security status on the APL will be updated to Ready.

Step 7:

Begin Continuous Monitoring Activities

Once you have obtained GovRAMP Ready status, you must begin submitting the required documentation monthly and annual reporting as detailed in the GovRAMP Continuous Monitoring Guide.

Frequently Asked Questions

Pricing is tiered as follows:

  • $500 for providers with less than $1 million annual revenue.
  • $2,500 for providers with annual revenue between $1-5 million.
  • $3,750 for providers with annual revenue greater than $5 million.

The level of effort to participate in the GovRAMP Ready process varies based on the complexity of the system being assessed and the maturity of the organizational information security program. Organizations that have a current FedRAMP Ready status may leverage their existing documentation to obtain GovRAMP Ready status with minimal additional effort. Organizations that have conducted other framework assessments, such as a SOC2 or HITRUST will be familiar with providing evidence to demonstrate control compliance. Organizations that are not familiar with framework assessments will have a sharper learning curve.

GovRAMP provides many resources to help participating organizations. These include:

Fast Track Option*

If a provider has a product, service, or offering with a federal authorization or is pursuing a federal authorization, that offering is eligible for the GovRAMP Fast Track process. Providers will partner with the GovRAMP Project Management Office (PMO) to provide and authenticate the necessary security documentation they’ve already completed for federal authorization. The Fast Track process is detailed below.

Step 1:

Become a GovRAMP Member

All service providers must become an active GovRAMP member before their cloud products and services can be validated by the program management office, obtain a GovRAMP security status, or become listed on the GovRAMP Authorized Product List (APL).

Step 2:

Engage the GovRAMP PMO

After joining as a GovRAMP member, service providers must complete a Security Review Request Form to engage the GovRAMP PMO. Prior to their first intake call, they can use this form to provide more information about their company and product.

Step 3:

Complete Required Documentation

Service providers should work with their third-party assessment organization (3PAO) to gather and submit the required security documentation, including the provider’s federal-approved security package, 90 days of continuous monitoring, and any necessary GovRAMP templates.

The security team at the GovRAMP PMO accepts documents in FedRAMP formatting.

Step 4:

PMO Review

The PMO will review the service provider’s complete security package and conduct a call with the provider and 3PAO to make any final adjustments to the submitted documentation.

Step 5:

Begin Continuous Monitoring Activities

Once you have obtained GovRAMP Ready status, you must begin submitting the required documentation monthly and annual reporting as detailed in the GovRAMP Continuous Monitoring Guide.

*Attention Texas Vendors:

In 2021, Texas passed a law requiring all vendors who use a cloud solution to serve Texas to become TX-RAMP authorized. By administrative rule, TX-RAMP recognizes GovRAMP with automatic reciprocity. GovRAMP provides an efficient, reusable certification that applies in Texas and across our rapidly expanding list of participating governments.

GovRAMP provides a weekly sync with TX-RAMP, so GovRAMP Authorized Products appear on the TX-RAMP list with ease.