Government Risk and Authorization Management Program

GovRAMP is a nonprofit organization that provides a standardized approach to cloud cybersecurity authorization for state and local governments and educational institutions. GovRAMP is essentially a framework for ensuring that cloud services offered to these entities meet minimum security requirements. Previously known as StateRAMP, GovRAMP was rebranded in fiscal year Q1 2025 to reflect its expanded mission of unifying cybersecurity standards across all levels of government.

GovRAMP is a framework for state and local governments because it simplifies cybersecurity compliance for cloud service providers (CSPs). It standardizes security assessment processes, reduces redundancy, and provides a "verify once, serve many" approach, simplifying the process for both service providers and public sector entities. By offering a trusted and efficient method for verifying cloud security, GovRAMP helps build trust, enhances security, and supports the adoption of cloud services by the public sector.

State and local agencies using GovRAMP as a standardized compliance framework authority can leverage GovRAMP Federal JAB Attestation, which recognizes our existing FedRAMP Authorizations. Similarly, the status of those authorizations is listed on the FedRAMP Marketplace. State agencies and customers operating workloads on AWS for state agencies can access approved evidence that is published in AWS Artifact: Customer Implementation Summary (CIS) / Customer Responsibility Matrix (CRM) and Customer Compliance Guides (CCGs), and other resources are available to assist customers in making risk-based decisions and granting their own Agency Authority to Operate (ATO). This involves evaluating the AWS cloud service offerings (CSOs) as foundational elements for their cloud-based solutions, along with the supporting documentation and shared responsibility details. Access to the FedRAMP SSP and other related federally sensitive artifacts is limited to authorized US federal agencies by policy of the FedRAMP Program Management Office (PMO).

GovRAMP and FedRAMP are similar cloud security frameworks, but GovRAMP is specifically designed for state, local, and tribal governments (SLED), while FedRAMP is for the federal government.

Both AWS East/West (Moderate) and GovCloud (High) FedRAMP Authorizations are recognized by GovRAMP under the GovRAMP Federal JAB Attestation program.

No, GovRAMP compliance with AWS will not inherently increase your AWS service costs. AWS, as a compliant cloud provider, has already factored in the necessary security and compliance measures into our pricing structures. However, your own compliance activities, such as using specific services or consulting with partners to meet GovRAMP requirements, may incur additional costs.

Both AWS East/West (Moderate) and GovCloud (High) FedRAMP Authorizations are recognized by GovRAMP under the GovRAMP Federal JAB Attestation program.

AWS achieved GovRAMP compliance for our AWS East/West and GovCloud regions via recognition by GovRAMP of our FedRAMP authorizations. Visit the AWS Services In Scope FedRAMP page for a list of all AWS services in scope of FedRAMP compliance.

Yes, high-impact level systems can be placed on AWS, specifically through the AWS GovCloud (US) region. This region is designed to meet the compliance and security requirements of US government agencies, including those with high-impact workloads.

State agencies and customers operating workloads on AWS for state agencies can access approved evidence that is published in AWS Artifact: Customer Implementation Summary (CIS) / Customer Responsibility Matrix (CRM), and Customer Compliance Guides (CCGs) are available to assist customers in making risk-based decisions and granting their own Agency Authority to Operate (ATO). This involves evaluating the AWS cloud service offerings (CSOs) as foundational elements for their cloud-based solutions, along with the supporting documentation and shared responsibility details. Access to the FedRAMP SSP and other related federally sensitive artifacts is limited to authorized US federal agencies by policy of the FedRAMP Program Management Office (PMO).

AWS is using the GovRAMP Federal JAB Attestation program, GovRAMP recognizes and accepts that AWS conducts its continuous monitoring processes with our federal agency sponsor.

To discuss GovRAMP-specific AWS workloads or architectures with AWS, a state agency should first contact their AWS account manager or use the AWS Compliance Contact Us Form. AWS also provides resources like AWS Artifact, a self-service portal for accessing Customer Implementation Summary (CIS) / Customer Responsibility Matrix (CRM) and Customer Compliance Guides (CCGs). For more specific questions about workloads or architectures, contacting the assigned account manager or using the contact form is recommended.

Visit the AWS Compliance page.

AWS provides the foundational infrastructure and services, as well as the resources and guidance, to enable customers to achieve GovRAMP and/or FedRAMP compliance, including moderate and high impact levels. Customers are responsible for the specific configuration and security controls within their environment to meet the compliance requirements.

GovRAMP can assist cloud service providers (CSPs) in becoming GovCloud authorized by providing a range of services, including acting as the GovRAMP PMO, ensuring products meet security requirements, and helping verify cybersecurity compliance. They also help CSPs navigate the FedRAMP process and provide training, guidance, and advisory support.