State of Oregon & GovRAMP
Updated: May 15, 2026
Why GovRAMP?
Oregon’s participation in GovRAMP is expected to save agencies and vendors significant time and effort. GovRAMP is consistent with FedRAMP, and the information security standards of many other state and local governments. GovRAMP allows vendors who offer cloud-based products (goods and services) to show the products meet Oregon information security standards, and the standards of any other participating government, through GovRAMP, rather than through a process specific to each government.
GovRAMP is also a standard way for agency staff to verify a product’s compliance with cybersecurity standards that many state and local governments, including Oregon, require. It is based on the same security standards EIS previously adopted, NIST SP 800-53 (moderate). GovRAMP is funded by fees paid by vendors. Because GovRAMP continuously monitors its participating vendors’ compliance with cybersecurity standards, agency staff can also easily verify cloud products’ continued compliance.
State of Oregon Requirements
The State of Oregon may require that a cloud service offering obtain a GovRAMP Authorized status within a defined time frame following contract execution. GovRAMP Progressing Snapshot, GovRAMP Core, or GovRAMP Ready may be accepted as an interim way to satisfy security requirements until GovRAMP Authorized is achieved.
Please visit Oregon DAS’ Cloud and Hosted Systems Statewide Policy and Oregon Statewide Information Security Plan for more information.
GovRAMP Vendor Overview
Interested in learning more about the GovRAMP process? Download this overview for service providers exploring how to get started.
GovRAMP for Local Governments
Download this presentation for Oregon local governments interested in learning more about GovRAMP and its role in supporting cloud security.
State of Oregon Enterprise Information Services – Cyber Security Services
Cyber Security Services (CSS) brings together enterprise security capabilities into a single organization.
State of Oregon Procurement Services
State of Oregon website for state agencies, local government entities, and suppliers meet to buy and sell products and services for the benefit of Oregonians.
GovRAMP Requirements Guide
Download a quick guide on the State of Oregon and GovRAMP requirements.
GovRAMP Provider Templates & Resources
Click below for additional guidance on the validation process and requirements.
Frequently Asked Questions
Contact Us
For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.
For Oregon-related inquiries, please contact eso.info.@das.oregon.gov.
Is GovRAMP applicable to all cloud contracts in the State of Oregon?
No. GovRAMP is only applicable to contracting activities for cloud products (goods and services) covered by DAS’ Cloud and Hosted Systems Statewide Policy: https://www.oregon.gov/das/policies/107-004-150.pdf. Contracting activities are those such as open market RFPs, sole source contracts, special procurements, and RFQ’s under price agreements for cloud products (goods and services).
GovRAMP is not for use in interagency agreements, intergovernmental agreements, or agreements with public or private educational institutions.
How can I contact GovRAMP to get started?
For questions or more information about GovRAMP, please contact: info@govramp.org
If you have any questions about Oregon’s requirements, please contact: eso.info.@das.oregon.gov.
What is GovRAMP?
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
How do I get a GovRAMP status?
To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.
What are the continuous monitoring requirements?
Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.
Download GovRAMP’s Continuous Monitoring Guide
Continuous monitoring must be maintained for the lifecycle of your contract with the State of Oregon, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to Oregon.
GovRAMP Participating Governments
GovRAMP is accepted by the State of Oregon, as well as other cities and states. Click below to see a list of GovRAMP ‘s participating governments.
