Federal agencies use FedRAMP. But federal agencies represent only a fraction of government technology spending. Schools, municipalities, state agencies, and county governments collectively spend far more — and they’ve increasingly started demanding the same kind of independent cloud security assurance. If you’re selling software to state or local government and you’re not yet familiar with GovRAMP, this guide is where to start.
What Is GovRAMP?
GovRAMP is a nonprofit organisation that operates a security assessment and authorisation programme for cloud service providers (CSPs) selling to state and local government. Established in 2021, GovRAMP provides a standardised framework — modelled closely on FedRAMP — that allows CSPs to undergo a single security assessment and use the resulting authorisation across multiple state and local government customers.
Before GovRAMP, the state and local government market was a patchwork of conflicting requirements. One state might require its own security assessment. Another might accept a SOC 2 report. A third might have no formal requirements. For CSPs, this meant duplicating assessments, navigating inconsistent standards, and spending enormous time on individual customer due diligence. GovRAMP consolidates that into a single, recognised programme.
GovRAMP vs. FedRAMP: Key Similarities and Differences
GovRAMP was deliberately designed to parallel FedRAMP, and the similarities are significant. Both programmes use NIST SP 800-53 as their security control baseline. Both require independent third-party assessments. Both have impact levels (Low, Moderate, High) that determine the stringency of controls required. And both result in an authorisation that can be reused across multiple customers rather than requiring a separate assessment for each.
The key differences lie in scope, governance, and acceptance. FedRAMP is a federal government programme administered by the General Services Administration (GSA). It’s mandatory for cloud services used by federal agencies. GovRAMP is a nonprofit programme with no federal mandate — states and localities choose whether to accept or require GovRAMP status in their procurement processes.
FedRAMP is also generally considered more rigorous and expensive. The control baselines overlap substantially, but FedRAMP’s continuous monitoring requirements, documentation standards, and agency oversight add significant ongoing burden. GovRAMP’s process is designed to be achievable for the mid-market CSPs that dominate the state and local government space, without the multi-year timelines and million-dollar costs that FedRAMP Moderate or High often require.
For CSPs that hold FedRAMP authorisation, the path to GovRAMP status is significantly easier. GovRAMP will recognise existing FedRAMP packages and process a GovRAMP authorisation based on the FedRAMP documentation, avoiding a full duplicate assessment.
Who Does GovRAMP Apply To?
GovRAMP applies to cloud service providers — SaaS, PaaS, and IaaS vendors — that sell or want to sell to state and local government customers. This includes a wide range of products: case management software, permitting systems, education technology, healthcare IT, public safety platforms, financial management systems, and virtually any cloud-based product used by government agencies.
The impetus to pursue GovRAMP typically comes from one of three directions: a state or local government customer requires it as a condition of contract award; a procurement officer raises it during a vendor evaluation; or a CSP proactively pursues it to differentiate itself in the SLED (state, local, education) market and reduce the per-customer security due diligence burden.
Adoption is growing steadily. As of 2025, a significant number of states either formally accept GovRAMP or are in the process of developing policies to recognise it. The trend is clearly toward broader adoption, particularly as high-profile state government data breaches increase pressure on procurement teams to verify cloud vendor security.
GovRAMP Authorisation Levels
GovRAMP uses three impact levels, aligned with the Federal Information Processing Standard (FIPS) 199 definitions used by FedRAMP.
Low impact covers systems where a breach, loss, or disruption would have limited adverse effects on government operations, assets, or individuals. Low-impact systems typically handle non-sensitive public information. The control baseline for GovRAMP Low is derived from NIST SP 800-53 and requires a smaller set of controls than Moderate or High.
Moderate impact — by far the most common authorisation level in the state and local government market — covers systems where a breach or disruption would have a serious adverse effect. Most government administrative systems, citizen-facing platforms, and systems handling routine government data fall into this category. GovRAMP Moderate requires a comprehensive set of controls across all NIST 800-53 control families.
High impact covers systems where a breach or disruption could have severe or catastrophic effects — systems handling highly sensitive citizen data, critical infrastructure controls, or systems whose failure could endanger public safety. High impact requires the most stringent control set and is relatively uncommon in the state and local government cloud market, though it applies to certain public safety and healthcare systems.
The GovRAMP Authorisation Process
The GovRAMP authorisation process follows a structured path that parallels the FedRAMP process, though with adaptations suited to the state and local government context.
The process begins with a readiness assessment. The CSP prepares a System Security Plan (SSP) documenting its cloud environment, system boundaries, data flows, and existing security controls. A readiness assessment — conducted either internally or with advisory support — identifies gaps between the current control implementation and the GovRAMP baseline requirements.
Once the CSP has addressed identified gaps, it engages an approved Third Party Assessment Organisation (3PAO) — an independent security assessor accredited by GovRAMP — to conduct the formal assessment. The 3PAO reviews documentation, tests controls, and produces a Security Assessment Report (SAR).
The SAR, along with the SSP, Plan of Action and Milestones (POA&M), and other supporting documentation, is submitted to the GovRAMP Program Management Office (PMO) for review. The PMO conducts its own review to verify that the assessment was conducted properly and that the documentation meets GovRAMP standards.
If the PMO review is satisfactory, the CSP achieves GovRAMP Authorized status and is listed in the GovRAMP Product Marketplace. Authorisation is not a one-time event — CSPs must maintain their authorisation through annual reassessments and continuous monitoring, including regular vulnerability scans and timely remediation of identified weaknesses.
GovRAMP Progressing Status and Provisional Authorized Status
GovRAMP offers two active statuses in addition to the Authorized designation.
Progressing status indicates that a CSP has begun the GovRAMP process, has submitted documentation to the PMO, and is actively working toward authorisation. Some state procurement processes allow agencies to contract with vendors in Progressing status, provided the vendor commits to achieving Authorized status within a defined timeframe.
Provisional Authorized status can be granted to CSPs that hold a current FedRAMP authorisation. Because GovRAMP and FedRAMP share the same NIST 800-53 control baseline, a CSP with a valid FedRAMP ATO (Authority to Operate) can submit its FedRAMP package to the GovRAMP PMO for expedited review. If the PMO determines the package meets GovRAMP requirements, Provisional Authorized status is granted — giving the CSP access to the GovRAMP Marketplace without a full separate GovRAMP assessment.
Which States Accept GovRAMP?
GovRAMP adoption varies by state, and the policy landscape continues to evolve. As of early 2025, a number of states have formally adopted GovRAMP in their procurement policies or have pending legislation or executive orders addressing it. Texas, Utah, Arizona, and several others have been among the earlier adopters.
Because the landscape changes frequently, the most reliable source for current state acceptance information is the GovRAMP website itself and the GovRAMP Product Marketplace. When pursuing a specific state or local government opportunity, it’s worth confirming directly with the procuring agency whether GovRAMP status is required, accepted, or simply preferred — requirements vary not just by state but sometimes by agency within a state.
Can FedRAMP Authorization Cover GovRAMP?
Yes, with important caveats. A CSP that holds a current FedRAMP ATO — whether a Provisional ATO (P-ATO) from the Joint Authorization Board or an Agency ATO — can apply for GovRAMP Provisional Authorized status by submitting its FedRAMP package to the GovRAMP PMO. This is the fastest path to GovRAMP status for CSPs that have already made the significant investment in FedRAMP authorisation.
The caveats are worth understanding. First, the FedRAMP authorisation must be current and in good standing — a lapsed or revoked FedRAMP ATO won’t support a GovRAMP application. Second, FedRAMP packages are typically classified as controlled unclassified information (CUI), which creates some administrative complexity in sharing them with the GovRAMP PMO. Third, some state procurement requirements call for “GovRAMP Authorized” status by name and may not accept FedRAMP as a direct substitute — the Provisional Authorized pathway addresses this.
How Long Does GovRAMP Take, and How Much Does It Cost?
For a CSP starting from scratch with no existing FedRAMP package, a GovRAMP Moderate authorisation typically takes 9–18 months from initial gap assessment to Authorized status. This timeline varies considerably based on the maturity of the CSP’s existing security programme, the complexity of the cloud environment, and the responsiveness of the 3PAO and PMO review process.
Cost varies similarly. The primary cost components are the 3PAO assessment (typically $75,000–$200,000+ for Moderate, depending on system complexity), internal staff time for documentation preparation and remediation work, and any advisory or consulting support. Annual continuous monitoring costs add to the ongoing investment.
Compared to FedRAMP Moderate — which can run $1–3 million or more in total first-year costs — GovRAMP is a more accessible investment for mid-market CSPs. It still represents a significant commitment, but one that’s proportionate to the SLED market opportunity.
GovRAMP Compliance Checklist
The first step is determining which impact level applies to your cloud service and the data it handles. This determines the control baseline you’ll need to implement.
The second step is a gap assessment against the relevant GovRAMP control baseline — identifying what you already have, what needs to be built, and how long implementation is likely to take.
The third step is selecting a GovRAMP-approved 3PAO. Choose early: 3PAOs have capacity constraints, and the best ones book out months in advance.
The fourth step is preparing your System Security Plan, documenting your system boundaries, data flows, and control implementations. This is the foundational document that everything else builds on.
The fifth step is remediating identified gaps — implementing missing controls, tightening existing ones, and building the evidence collection processes that will support both the assessment and ongoing continuous monitoring.
The sixth step is the formal 3PAO assessment, PMO review, and achieving Authorized status.
The seventh step is establishing your continuous monitoring programme, including regular vulnerability scanning, annual reassessment, and timely remediation of findings.
Need help pursuing GovRAMP authorisation? Soter Advisory works with cloud service providers at every stage — from initial gap assessment through to authorisation and ongoing continuous monitoring support. Book a free consultation →