Title | Summary | Categories | Link | hf:doc_categories |
---|---|---|---|---|
3PAO Accreditation Process | GovRAMP recognized FedRAMP authorized third party assessment organizations (3PAOs) to conduct independent audits. | Governance | governance | |
3PAO Package for Moderate Impact with CJIS Overlay | This package includes required templates and sample policies for every NIST 800-53 control family, along with templates for Rules of Behavior, Incident Response Plan, Configuration Management Plan, Information System Contingency Plan, and Supply Chain Risk Management. | |||
Appeals Committee Charter | The Appeals Committee serves as the adjudication board for the Program Management Office determinations. | Governance | governance | |
Baseline Controls | This document provides the security control baselines. All of the security controls listed in the table are outlined in NIST 800-53 Rev. 4. (Retired October 1, 2024) | Baseline Requirements | baseline-requirements | |
Center for Digital Government Best Practice Guide for Cloud and As-a-Service Procurements | The Best Practice Guide was created to provide government and industry with consensus-based advice and terms and conditions for cloud solution procurement models. | Government Document | government-document | |
Continuous Monitoring Escalation Process | This document explains the actions taken when a service provider fails to maintain an adequate continuous monitoring program. | Continuous Monitoring | continuous-monitoring | |
Continuous Monitoring Guide | Continuous monitoring review procedures outline the process to examine each monthly package. | Continuous Monitoring | continuous-monitoring | |
Data Classification Tool | This document helps service providers and governments determine what GovRAMP security category requirements to use to ensure their data is protected. | Baseline Requirements | baseline-requirements | |
Get Started With GovRAMP – Government Guide | This guide explains the GovRAMP implementation process for governments. | Government Document | government-document | |
GovRAMP Adopted Bylaws | This framework for bylaws was developed by the GovRAMP Steering Committee. As the Board of Directors is formed in late 2020, one of their first actions will be to adopt the bylaws for the organization. | Governance | governance | |
GovRAMP Approvals Committee Charter | This charter outlines the duties and responsibilities of the GovRAMP Approvals Committee and their role in providing approvals for product security packages seeking an Authorized status. | Governance | governance | |
GovRAMP Authorization Annual Assessment Controls Selection Workbook | This comprehensive workbook is designed to support 3PAOs and service providers with Provisional or Authorized status in tracking audits and maintaining compliance with GovRAMP requirements. | Assessor Templates | assessor-templates | |
GovRAMP CJIS-Aligned Overlay Control and Parameters | Download the GovRAMP CJIS-Aligned Overlay to access a unified framework aligning CJIS Policy 5.9.5 with GovRAMP controls, offering tailored guidance for secure cloud procurement decisions. | |||
GovRAMP Core Controls | This document outlines the 60 prioritized security controls required for GovRAMP Core Status. These controls are selected from the NIST SP 800-53, Rev. 5 framework and aligned with the Moderate Impact Baseline. Service providers pursuing Core should use this resource to understand the control expectations and begin preparing evidence for PMO-led review. | |||
GovRAMP Individual Government & Education Memberships 1-Pager | Overview of the GovRAMP Individual Government & Education Memberships, highlighting free access to tools, training, and engagement opportunities for public-sector professionals supporting secure cloud adoption. | Government Document | government-document | |
GovRAMP Participating Government & Education Memberships 1-Pager | Overview of the GovRAMP Participating Government & Education Memberships, including key benefits, engagement opportunities, and support available to public-sector organizations adopting secure cloud services. | Government Document | government-document | |
GovRAMP PMO Charter | The PMO Charter defines the objectives, roles, and responsibilities associated with the GovRAMP Program Management Office (PMO). | Governance | governance | |
GovRAMP PMO Fee Schedule | This document provides an updated GovRAMP Program Management Fee Schedule, effective January 1, 2025. | Program Document | stateramp-program-document | |
GovRAMP Provider Sponsor Requirements | This document outlines the process (including government sponsorship requirements) for a vendor’s offering to be listed as GovRAMP Authorized on GovRAMP’s Authorized Product List (APL). | Provider Document | provider-document | |
GovRAMP Steering Committee Charter | The purpose of this charter is to define the objectives, membership, decision making, meeting schedule, and roles and responsibilities associated with the GovRAMP Steering Committee. | Governance | governance | |
Incident Communications Procedures | This document describes the process for GovRAMP stakeholders to use when reporting information concerning information system security incidents or suspected information system security incidents. | Continuous Monitoring | continuous-monitoring | |
Low Impact Service Provider Package for GovRAMP Ready & Authorized | This package provides service providers with the documentation, policies, procedures and guidelines required to meet GovRAMP security requirements for systems handling low-impact government data. | |||
Moderate Impact Service Provider Package for GovRAMP Core, Ready & Authorized | This package provides service providers with the comprehensive documentation, policies, procedures, and tools needed to meet GovRAMP security requirements for systems processing, storing, or transmitting moderate-impact government data. | |||
Moderate Impact Service Provider Package with CJIS Overlay | This package offers service providers the documentation, policies, procedures, and resources required to meet GovRAMP security requirements for systems processing, storing, or transmitting moderate-impact government data with additional compliance considerations aligned to the FBI’s Criminal Justice Information Services (CJIS) Security Policy. | |||
Procurement Committee Charter | The purpose of this charter is to define the objectives, membership, decision making, meeting schedule, and roles and responsibilities associated with the GovRAMP Procurement Committee. | Governance | governance | |
Provider Leadership Council Charter | This charter outlines the duties and responsibilities of the GovRAMP Provider Leadership Council. | Governance | governance | |
Ready Minimum Mandatory Requirements for Moderate and High Impact Levels | To achieve Ready Status for Moderate/High Impact levels, a service provider must meet the minimum mandatory requirements outlined in this document. (Rev. 5) | Ready Requirements | ready-requirements | |
Security Assessment Framework | This document describes a general governance and security framework for GovRAMP. | Baseline Requirements | baseline-requirements | |
Significant Change Request Template | … | Provider Templates | provider-templates | |
Standards & Technical Committee Charter | The Standards & Technical Committee makes recommendations for best practices and policies that guide cloud security requirements and verification. | Governance | governance | |
Templates for GovRAMP Statuses | … | |||
Vulnerability Deviation Request Form | When a service provider identifies a vulnerability that potentially warrants different handling than normally required by GovRAMP, they may submit a deviation request to GovRAMP using this form. | Provider Templates | provider-templates | |
Vulnerability Scan Requirements Guide | This guide describes the requirements for all vulnerability scans provided by service providers to GovRAMP for products with a Ready, Provisionally Authorized, or Authorized status. | Continuous Monitoring | continuous-monitoring | |