State of Minnesota and GovRAMP
About the GovRAMP Program
As cybersecurity threats become more sophisticated, states must continually bolster efforts to safeguard their most sensitive data. Minnesota’s partnership with GovRAMP – a collaborative initiative that enhances digital infrastructure and strengthens cybersecurity processes – is one of the many ways Minnesota fortifies its cyber resiliency. This partnership supports Minnesota’s efforts to reduce risk, improve operational efficiency, secure public data, and ensure equitable access to digital services.
An important aspect of this initiative is managing third-party risk – identifying, evaluating, and minimizing threats that arise from working with vendors that handle sensitive data or deliver critical services. Without proper oversight, third-party relationships could lead to supply chain attacks, data breaches, and operational disruptions. Minnesota upholds the integrity of its systems and the public’s trust through the enforcement of rigorous security standards, compliance protocols, and vendor accountability.
GovRAMP supports this work by offering a standardized framework to assess the cybersecurity readiness of third-party vendors. Modeled after FedRAMP, it provides tools for ongoing monitoring and evaluation of cloud service providers. With GovRAMP, governments can confidently engage with vendors that meet strict security benchmarks – protecting sensitive information.
Through this partnership, Minnesota simplifies its risk-management approach, optimizes resources, and reinforces cloud security standards. This forward-looking step enhances data protection and supports the state’s broader goals for digital cybersecurity resilience.
Learn more at govramp.org.
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is composed of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
Currently, the State of Minnesota requires a GovRAMP assessment only for contracts for cloud products/services that will process, transmit, and/or store high-risk data, directly or via a third party. GovRAMP Authorized status at the moderate impact level must be achieved for applicable contracts, and continuous monitoring access must be provided to Minnesota IT Services (MNIT).
GovRAMP Authorized Control Package
If the product does not hold a GovRAMP status at the time of contract execution, the provider must submit a GovRAMP Snapshot score for the product, in the form of a GovRAMP letter, no later than 60 days from the contract execution date. If the Snapshot score is below 100%, the product must be enrolled in the GovRAMP Progressing Snapshot Program and remain in the program until a 100% Snapshot score is achieved. The product must continue progressing toward Authorized status, which must be obtained no later than April 1, 2027. The provider must also grant the State of Minnesota access to all progress reports and updated Snapshot scores until a 100% score is achieved.
GovRAMP Core, Ready, and Authorized at the low-impact level will be accepted in lieu of GovRAMP Progressing Snapshot; however, continuous monitoring access must be granted to MNIT and maintained until the product obtains GovRAMP Authorized at the moderate impact level.
As defined in Minnesota IT Services Data Protection Categorization Standard, high data is considered to be:
Data that is highly sensitive and/or protected by law or regulation. This includes, but is not limited to:
- Protected Health Information (PHI) data as defined in the Health Insurance Portability and Accountability Act (HIPAA) Regulation (45 C.F.R., Sec. 160.103).
- Social Security Administration (SSA) data.
- Criminal Justice Information (CJI) data as defined in the FBI Criminal Justice Information Services (CJIS) Security Policy.
- Government-issued ID numbers (e.g., Social Security numbers, driver’s license numbers / State ID card numbers, passport numbers).
- Federal Tax Information (FTI) data as defined in IRS Publication 1075.
- Payment Card Industry (PCI) Account Data as defined by the Payment Card Industry Data Security Standards (PCI DSS).
- Bank account numbers excluding state-owned bank account numbers.
If you are unsure about the data classification, please contact the requesting agency or Minnesota’s Vendor Security and Risk Management team at vsrm@state.mn.us.
Minnesota will accept only GovRAMP or FedRAMP Rev. 5.
While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:
- TX-RAMP
- SOC 2
- ISO 27001
- HITRUST
Reason for Non-Acceptance
The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.
The State of Minnesota is not authorized to accept any other form of CSF for this assessment, including self-attestations, trust documents, and third-party assessments such as COBIT, ISO/IEC 27000 series, PCI, SOC 2, or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process.
Cloud products that currently hold or are seeking a FedRAMP Rev. 5 status must enroll the product in the GovRAMP Fast Track program. There is no need to re-engage a 3PAO; just submit the same security package to the GovRAMP PMO following membership enrollment. This will allow Minnesota to uphold its requirement for continuous monitoring.
To participate:
- Become a GovRAMP member.
- Submit a Progressing Security Snapshot Request.
- Pay the applicable fee.
- Receive onboarding instructions from the GovRAMP PMO.
You’ll receive:
- A Snapshot score within about three weeks of payment.
- Quarterly updated Snapshots.
- Monthly one-hour consultative calls with GovRAMP’s security team.
To participate in the GovRAMP Security Snapshot or Progressing Snapshot Program, providers must first hold an active GovRAMP membership. Membership fees range from $1,500 to $10,000, depending on the tier selected.
GovRAMP Security Snapshot
For products that have not yet achieved a GovRAMP Verified Status
- $1,000 – Providers with less than $1M in annual revenue
- $1,500 – Providers with $1M–$5M in annual revenue
- $2,500 – Providers with more than $5M in annual revenue
GovRAMP Progressing Security Snapshot (Subscription Option)
Includes quarterly updated Snapshots and monthly advisory calls
- $750/month – Providers with less than $1M in annual revenue
- $1,000/month – Providers with $1M–$5M in annual revenue
- $1,600/month – Providers with more than $5M in annual revenue
View the full GovRAMP Fee Schedule.
GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisionally Authorized, or Authorized. This includes:
- Security status checks
- Vulnerability tracking and closure
- Ongoing alignment with NIST control requirements
Download GovRAMP’s Continuous Monitoring Guide.
If high-risk data is being processed, transferred, or stored within your professional services offering, the State of Minnesota will require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.
For GovRAMP-related inquiries, please reach out to: info@GovRAMP.org or Stacey@govramp.org
For Minnesota-related procurement inquiries, please reach out to: it.procurement@state.mn.us
For Minnesota-related vendor security inquiries, please reach out to: vsrm@state.mn.us
Upcoming Events
GovRAMP PMO Office Hours
The first Wednesday of each month
Join the GovRAMP PMO for a live virtual session designed as an open forum to support your questions and engagement.
Past Events
Minnesota & GovRAMP: What Vendors Need to Know
Recorded: July 30, 2025
View the GovRAMP webinar on the upcoming changes to Minnesota’s security policies and standards. You can view the slide deck here.
Minnesota & GovRAMP: What Vendors Need to Know
Recorded: August 27, 2025
View the GovRAMP webinar on the upcoming changes to Minnesota’s security policies and standards. You can view the slide deck here.
Announcements & Resources
- GovRAMP Program Management Office (PMO) Office Hours: Join live, virtual sessions from 1:30 to 2 p.m. CST on the first Wednesday of every month. These Q&A sessions connect you directly with GovRAMP staff for guidance on authorization, assessments, and requirements. Visit GovRAMP’s event page for details.
- State of Minnesota Bidding Opportunities: View current solicitations and contract postings.
- Minnesota Procurement: Learn how to do business with the State of Minnesota.
- Minnesota Enterprise Information Security Policies & Standards: Review the state’s security policies.
State of Minnesota
Bidding Opportunities
Click below to see the list of current government solicitations for the State of Minnesota.
Minnesota Enterprise Information Security Policies & Standards
Click below to see the State’s Standards and Guidelines.
Other Participating Governments
GovRAMP is accepted by Minnesota and other states. Click below to see a list of GovRAMP’s participating governments.
State and Local Government
Contact us and schedule a conversation to get started. For more information about how GovRAMP works with governments, visit our Governments page.
Providers
For many service providers, meeting security standards and supplying documentation to governments can be time-consuming and costly. GovRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.