Advancing Cybersecurity: The Evolution and Future of GovRAMP

In an era where cybersecurity is paramount, it’s critical for government providers to establish robust frameworks to validate cloud security. But state and local governments, schools and universities, federal agencies, and the vendors who support them face a lack of alignment in security practices and frameworks, which means they must comply with multiple overlapping requirements.

What is GovRAMP?

GovRAMP is a 501(c)(6) non-profit organization that emerged from a collaboration among state leaders and industry experts to address shared cybersecurity challenges. Partnering with government and industry, GovRAMP promotes standardized approaches to cloud security. Through education, advocacy, and independent verification, GovRAMP helps governments and providers establish consistent cybersecurity baselines that enable trust, transparency, and innovation.

Originally launched as StateRAMP, GovRAMP was created to address a critical challenge: inconsistent cybersecurity practices across state, local, and educational institutions (SLED). At that time, third-party risk management varied widely, with some organizations maintaining strong security measures while others struggled to meet basic requirements. To bridge this gap, GovRAMP established a standardized framework aimed at minimizing redundant efforts, streamlining procurement, and ensuring cloud service providers meet rigorous cybersecurity standards. This initiative enables government agencies to confidently adopt cloud solutions, assured that security risks are consistently managed.

The concept of Risk Authorization Management Programs gained traction after FedRAMP’s introduction in 2011, which set a federal benchmark for cloud security. Building on that momentum, StateRAMP was developed through collaboration among cybersecurity professionals, state CIOs, CISOs, and procurement officials. Despite facing initial doubts and challenges, the program refined its standards and gained widespread acceptance.

Since its founding, StateRAMP has evolved into GovRAMP, reflecting its expanded role in serving a broader range of government entities.

Enhanced Cybersecurity for Government Operations

GovRAMP has undergone significant transformation to better serve diverse government entities. Over the past year, GovRAMP has witnessed remarkable growth, with a 35% increase in participating governments and a 23% rise in provider members. As of October 2025, participation spans 32 states, including several state agencies, 17 local governments, one tribal government, nine higher education institutions, nine K-12 schools, and the United States Coast Guard. These numbers are expected to continue rising, positioning GovRAMP as a leader in enhancing cybersecurity measures.

Over time, GovRAMP has expanded. What began as a set of different committees evolved into vertical groups for procurement, third-party assessment organizations (3PAOs), and service providers (SPs). Today, GovRAMP has extended collaboration across frameworks, creating control overlays with federal subagencies such as the Criminal Justice Information Services (CJIS) and launching the Artificial Intelligence (AI) Security Task Force in April 2025. GovRAMP aims to meet SLED entities where they are and lower barriers to entry, ensuring every government entity that wants to participate can do so. This is facilitated through the Snapshot and Progressing Snapshot statuses, which allow some SPs to start small with incremental assessments to gauge their security posture before investing in full assessments.

Introducing Core Status: Bridging the Gap

Recognizing the need for a foundational starting point, GovRAMP introduced the Core status in 2025. Core helps governments assess a provider’s foundational cybersecurity readiness before pursuing full authorization. It bridges the gap between a provider’s initial Snapshot and Progressing Snapshot designations, supporting more informed, risk-based procurement decisions.

GovRAMP Security Program Updated Risk Acceptance Model

The Push for Framework Harmonization

A central focus for GovRAMP is achieving harmonization across different cybersecurity frameworks, including FedRAMP, Criminal Justice Information Services (CJIS), and Cybersecurity Maturity Model Certification (CMMC).

GovRAMP aims to streamline compliance processes and reduce redundancy for providers serving state, local, and federal governments by advocating for a unified, risk-based approach to meeting cybersecurity requirements across jurisdictions.

To support this effort, GovRAMP implemented its GovRAMP Fast-Track process, allowing providers with completed FedRAMP assessments to submit their security packages to the GovRAMP Program Management Office (PMO) to expedite review, reduce redundancy, and avoid duplicative assessments.

This “audit once, serve many” approach reduces duplication, lowers costs, and expedites procurement timelines. GovRAMP leadership continues to explore potential reciprocity pathways with federal stakeholders that could, in the future, enable recognition of GovRAMP authorizations.

Additionally, for SPs supporting CJIS, GovRAMP provides an overlay of enhanced security controls tailored to align with CJIS Security Policy at the GovRAMP Moderate impact level. This overlay maintains NIST 800-53 alignment while addressing specific CJIS security needs.

Here’s where the harmonization comes in:

Chart: the benefits of GovRAMP (Streamlines the Assessment Process, Provides Clear Direction, and Informs Decision Making)

To further reduce audit burdens and simplify compliance, GovRAMP is exploring reciprocity with the Health Information Trust Alliance (HITRUST) and CMMC following the CMMC 2.0 update, which recognizes FedRAMP equivalency at certain levels.

Addressing Emerging Challenges: The AI Security Task Force

As the use of AI grows and poses increasing challenges to government security, GovRAMP formed the AI Security Task Force. The task force explores emerging risks in AI-integrated cloud environments and develops guidance to promote responsible innovation, trust, and security alignment across existing frameworks.

By integrating AI security considerations within existing frameworks rather than creating separate standards, this initiative promotes cohesive AI security without redundant or conflicting requirements.

The goal is to develop a unified framework offering flexible compliance options based on varying risk profiles, supported by automated continuous monitoring and streamlined operations. This framework aims to facilitate innovation while maintaining strong security controls.

We’re Here to Help

For more information on how you can take advantage of GovRAMP advisory or assessment services, contact your firm professional.

Baker Tilly US, LLP, Baker Tilly Advisory Group, LP and Moss Adams LLP and their affiliated entities operate under an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly Advisory Group, LP and its subsidiaries, and Baker Tilly US, LLP and its affiliated entities, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP and Moss Adams LLP are licensed CPA firms that provide assurance services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. ISO certification services offered through Moss Adams Certifications LLC. Investment advisory offered through either Moss Adams Wealth Advisors LLC or Baker Tilly Wealth Management, LLC.