The State of Maine & GovRAMP

Why GovRAMP?

Maine has partnered with GovRAMP. Using GovRAMP allows the state to strengthen its security posture through:

  • Increased security standards: National-level security hardening
  • Standardization and consistency: Uniform assessment process
  • Improved interoperability: Easier collaboration with public sector agencies
  • Cost efficiency: Leveraging a shared assessment framework
  • Alignment with national cybersecurity strategy

New Cloud Product Requirements

The State of Maine Office of Information Technology (OIT) ensures that all executive branch offices utilizing cloud services meet applicable security standards. To create a standardized process and provide resources to its agencies, OIT has leveraged the GovRAMP framework for authorization and continuous monitoring to protect the confidentiality, integrity and availability of state information.

The GovRAMP requirements for new contracts with cloud components are in effect as of January 1, 202X. You can review the State of Maine’s System and Services Acquisition Policy and Procedures here.

For more information on Maine’s information security policies, please visit maine.gov/oit.

Maine & GovRAMP: Educational Webinars

Join us for a live training designed to educate vendors working with the State of Maine on GovRAMP and the upcoming policy changes.   

The session will include an overview of GovRAMP, Maine’s new cybersecurity policies, and a Q&A with the GovRAMP team. 

Upcoming Sessions:

  • Month XX | Register Here

Past Sessions:

Bidding Opportunities & Solicitations

Click below to log in or create an account to view current State of Maine solicitations.

State of Maine Office of Information Technology

Click below to learn more about the State’s Security Policies, Standards, and Procedures.

GovRAMP Provider Templates & Resources

Click below for additional guidance on the validation process and requirements.

Frequently Asked Questions

What is GovRAMP?

Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.

Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.

Download GovRAMP’s Continuous Monitoring Guide

Continuous monitoring must be maintained for the lifecycle of your contract with the State of Maine, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to the State.

GovRAMP provides a standardized, comprehensive security verification process that includes Continuous Monitoring under the NIST framework. The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments. This allows Maine to maintain its commitment to upholding the NIST 800-53 standard and streamline the oversight process. 

To participate:

  1. Become a GovRAMP Member 
  2. Submit a Progressing Security Snapshot Request
  3. Pay the applicable fee
  4. Receive onboarding instructions from the GovRAMP PMO

You’ll receive:

  • A Snapshot score within ~3 weeks of payment
  • Quarterly updated Snapshots
  • Monthly one-hour consultative calls with GovRAMP’s security team

If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.

To continue supporting Maine small- and medium-sized businesses, including veteran- and minority-owned businesses, the GovRAMP assessment fees are tiered based on the company's annual revenue.

View the full GovRAMP Fee Schedule

Based on the data processed, transferred, or stored, the State of Maine may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.

Maine identifies three distinct service models for the cloud environment:  

Infrastructure as a Service (IaaS) is a cloud environment with computing resources such as virtual servers, storage, and network. The consumer uses their own software, including operating systems, middleware and applications. The underlying physical infrastructure is managed by the Cloud Service Provider (CSP).

Platform as a Service (PaaS) is a cloud environment for development and management of consumer applications. It includes the infrastructure layer – virtual servers, storage and network – while tying in middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete development lifecycle while leaving the management of the physical infrastructure to the CSP.  

Software as a Service (SaaS) is a cloud computing solution that provides the consumer with access to a complete software product. The application resides on a cloud platform and is accessed by the consumer through a web interface or application program interface (API). The physical and virtual infrastructure, operating system, middleware and application are all managed by the CSP.

For questions or more information about GovRAMP, please contact: info@govramp.org.

If you have any questions for the State of Maine, please contact: [Insert contact]. 

GovRAMP Participating Governments

GovRAMP is accepted by the State of Maine, as well as governments across the country. Click below to see a list of GovRAMP’s participating governments.

Contact Us

For additional information on how to get started with the GovRAMP process, please contact info@govramp.org. For Maine-related inquiries, please contact [INSERT STATE CONTACT]
