GovRAMP FAQs: Simplifying Federal Cloud Compliance

Federal Assessments | StateRAMP

Published: Jul 9, 2024

Last Updated: Dec 4, 2025

For those wanting to learn more about GovRAMP, formerly known as StateRAMP, we’ve put together answers to some of the most frequently asked questions we receive as an experienced Third-Party Assessment Organization (3PAO). 

These important points of interest around this framework are divided into the following sections: 

  • GovRAMP Basics
  • GovRAMP Requirements
  • GovRAMP Authorization Boundary Guidance
  • How Schellman Can Help

GovRAMP Basics

What is GovRAMP?

GovRAMP is a required program for cloud service providers (CSPs) who want to offer cloud services to state, local, tribal, and educational governments and their many departments, bureaus, non-profits, agencies, and organizations. The program was formerly known as StateRAMP, but officially rebranded its public-facing name to GovRAMP in February 2025 to better represent its mission and scope.

Though GovRAMP does share some similarities with the FedRAMP program supporting federal cloud security compliance efforts, it features distinct requirements that should be noted by any organization considering the program. 

What does SLED Mean?

SLED stands for State, Local, and Education, referring to government entities and public sector organizations at the state and municipal levels, as well as educational institutions. 

In the context of GovRAMP, SLED organizations represent a major segment of the public sector seeking guidance on secure cloud adoption. They often face different compliance and procurement requirements than federal agencies. 

How Will State Agencies Know My Organization Is GovRAMP Authorized?

GovRAMP, like FedRAMP, has a marketplace that lists CSP organizations that have received an Authorization to Operate (ATO) from a partnering state institution. The GovRAMP marketplace also lists CSPs that are considered GovRAMP authorized through reciprocity with the FedRAMP program. 

The marketplace also lists authorized GovRAMP 3PAOs, like Schellman, who can perform assessments supporting those authorizations. The good news is that designated FedRAMP 3PAOs are likely also GovRAMP 3PAOs. CSPs can use FedRAMP 3PAOs for GovRAMP if the 3PAO is registered with GovRAMP. 

What are the Different GovRAMP Security Statuses?

Organizations can be listed on the GovRAMP Marketplace with a variety of statuses that can all be classified into two categories: 

  • In Progress
  • Verified

In Progress Statuses

Within the In Progress category, your listing reflects the specific path you’ve chosen to take: 

For those who first pursue a Security Snapshot, you can be listed as:

  • Enrolled: Your product(s) are engaged in the Progressing Snapshot Program, and you’re working toward their initial Snapshot score.

  • Progressing: Your products are enrolled in the Progressing Snapshot Program, and you’ve submitted artifacts to receive their Snapshot scores.

For those pursuing Authorization:

  • Active: You’re engaged with a 3PAO for an independent audit and are actively working toward Ready.

  • In Process: You’re engaged with a 3PAO for an independent audit and actively working toward Authorized status.

  • Pending: You’ve submitted a security package to the Program Management Office (PMO) and are awaiting a determination for a verified status.

Verified Offerings

To be listed as one of the verified statuses, you must meet different thresholds of security requirements and provide the results of an independent audit conducted by a 3PAO that confirms your status: 

Ready

  • What It Means: Your cloud service offering (CSO) meets or exceeds minimum requirements, i.e., your Readiness Assessment Report (RAR) has been approved.

  • Next Steps: You must still undergo additional security and system validation. 
    Note: When you become GovRAMP Ready, unlike with FedRAMP Ready, your RAR doesn’t expire after one year.

Provisional

  • What It Means: Your CSO exceeds minimum requirements—more specifically, you’ve submitted a security package for consideration, and your CSO has been found to meet most but not all security requirements.
    Note: To achieve a Provisional status, any interconnected technology or external services must have a current GovRAMP Security Snapshot, per the GovRAMP Authorization Boundary Guidance.

  • Next Steps: If you achieve Provisional status, you must comply with continuous monitoring requirements and submit further documentation to obtain Authorized status.

Authorized

  • What It Means: Your organization has completed all security and system validation, the government has accepted your completed security package, your CSO satisfies all requirements, and it has a government sponsor.

  • Next Steps: You can move forward with providing your CSO to agency sponsors, though you must also maintain compliance with continuous monitoring requirements.

GovRAMP Requirements

How Do I Determine My GovRAMP Requirements?

Like FedRAMP requirements, GovRAMP requirements are taken from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5. 

In determining which requirements your organization must meet, you must first determine your baseline, and that’s based on the data you handle: 

  • Low: The ground level that any CSP must meet—requires 153 controls for compliance and generally maps to data or systems that involve publicly available data. 
  • Moderate: This baseline requires 319 security controls for compliance and generally maps to data or systems that involve confidential data or data of high criticality to the continuity of government. 

If you’re familiar with FedRAMP, you may have noticed the conspicuous absence of a High impact baseline. That’s because, at this time, GovRAMP does not authorize these, as most state agencies fall into the Low or Moderate impact areas. That being said, some CSOs are listed as High impact and those were granted authorization via FedRAMP reciprocity. 

Is Penetration Testing Required for GovRAMP?

Yes, penetration testing is a requirement. And while StateRAMP did release its own penetration testing guidance, it follows the same methodology as that for FedRAMP. 

GovRAMP Authorization Boundary Guidance

When obtaining GovRAMP authorization, many of the headaches occur around the Authorization Boundary and diagrams. 

Thankfully, much of StateRAMP’s Authorization Boundary guidance is the same or seeks the same goals as FedRAMP. Moreover, GovRAMP has defined what’s necessary to depict within the Authorization Boundary Diagrams, Network Diagram, and Data Flow Diagrams, and by and large, it’s the same as FedRAMP—meaning, the same scrutiny used at the FedRAMP level should be used for GovRAMP. 

What Data Types Must Be Included in My GovRAMP Authorization Boundary? 

First and foremost, you must account for—and include within the authorization boundary—any data that is created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for a SLED customer, in any medium or form that passes within your cloud service offering. Some examples include: 

  • Mission-based information 
  • Financial management information 
  • Human Resources data 
  • IT management data 
  • Citizen/taxpayer information 
  • Third-party supplier information 

That being said, SLED data can also be broken down into different categories that may make it easier for you to identify it when preparing for GovRAMP: 

SLED Metadata

Data that, if compromised, could impact the confidentiality, availability, or integrity of the systems supporting the processing, storage, or transmission of SLED data. 

Examples include: 

  • Mission-based information types 
  • Services Delivery Support information types 
  • Government/State Resource Management information types 
  • Any other information types as defined in NIST 800-60 Volumes I & II 

SLED Metadata Subcategories

SLED Metadata with a Direct Potential Impact on the Mission of Organizations or Individuals

This type of SLED customer metadata must reside within your authorization boundary or the boundary of another GovRAMP-authorized information system at the same or greater Impact Level.

Examples include: 

  • Security metadata revealing the current security posture of the system 
  • Vulnerability information 
  • Active incident response information and communications 
  • Active threat assessment, penetration test, or security investigation information and communications. 

SLED Metadata with an Indirect Potential Impact on the Mission of Organizations or Individuals

This type of SLED customer metadata may be authorized to reside in a system that is fully owned, maintained, and operated by you with approval from the GovRAMP PMO.

Examples include: 

  • Data revealing system infrastructure, facilities, and design 
  • Application names, versions, and releases 
  • Application, system, and network configuration information 
  • Interconnections and access methods 
  • Systems inventories 
  • Architecture models, diagrams, and details 
  • System security plans, contingency plans, risk management plans, security impact analysis, plans, and roadmaps 
  • Personnel security information: information that could be sold for profit 
  • Historical SLED entity metadata that previously was considered to have a direct potential impact 

What about Corporate Services and Metadata? 

Though SLED data and SLED Metadata in their different subcategories must be included in your Authorization Boundary, corporate metadata may reside outside of it. Corporate metadata is data about processes within the authorization boundary, or about SLED customers, that does not contain security-sensitive information, nor information that, if compromised, could threaten the systems supporting the processing and storage of SLED data, SLED metadata, or SLED personnel data. 

For example: 

  • IT utilization and performance data 
  • Project planning information 
  • Marketing materials 
  • Pricing data 

External systems processing or storing corporate metadata may have active connections to the authorization boundary, but all connections must be examined and the 3PAO must validate the type of information transmitted in the connection during initial authorization and during the annual assessment to ensure the data types do not reflect more sensitive data. 

Again, only those corporate systems and services that do not contain SLED data or metadata may exist outside of the authorization boundary—any that do contain that information must meet the same security requirements that your CSO must meet and be brought into the scope of your assessment. 

How Do I Account for External Services/Interconnections within My GovRAMP Authorization Boundary? 

An interconnection is the use of another information system or cloud system to share data and other resources—that includes external services used to support the system. While GovRAMP encourages CSPs to leverage other GovRAMP service providers—as well as FedRAMP-authorized services—you aren’t required to do so. 

That being said, if you do choose to leverage an external service without a GovRAMP status of Authorized or a FedRAMP authorization, you should know that: 

  • You will be limited to obtaining a Provisional GovRAMP authorization. Moreover: 
    • Your leveraged service must undergo the GovRAMP Snapshot process, and you’d be limited to a Provisional status until all external systems and services are GovRAMP authorized. 
    • Your letter awarding the Provisional status will include a list of controls and/or third-party systems that must be remediated before you can be awarded full authorization. 

  • For you to achieve full Authorization, each of your external services must meet one of the following: 
    • It achieves GovRAMP or FedRAMP authorization; or 
    • You move the product or service into the authorization boundary; or 
    • You discontinue the use of the unauthorized service and move to a product with a current GovRAMP or FedRAMP authorization. 

How Do I Depict All This in My Diagrams? 

Luckily, GovRAMP adopted a very similar set of guidelines for Authorization Boundary, Network, and Data Flow. 

How Schellman Can Help

Does Schellman Perform StateRAMP Assessments?

We do, and we’ve gained a lot of experience in these assessments since we performed our first one in 2022. 

If you’ve previously worked with us on your FedRAMP assessment, you can expect essentially the same project scope, engagement length, fees, and type of deliverables—Security Assessment Plan (SAP), Security Assessment Report (SAR), Risk Exposure Table (RET), Penetration Test Report—though GovRAMP does have specific templates for those that we use. 

Does Schellman Perform StateRAMP Consultancy Services?

At this time, we do not offer any consultant services for any compliance initiative. That said, to learn more about our federal assessment services, contact us today.  

About Jon Coffelt

Jon Coffelt is a Manager with Schellman. Prior to joining Schellman in 2017, Jon worked as a Program Manager, specializing in Information Security. As a Manager with Schellman, Jon is focused primarily on client engagement, project management, assessment, and assurance for commercial organizations across various industries.