State of Indiana & GovRAMP

Last Published: October 27, 2025

Why GovRAMP?

The transition to utilizing GovRAMP allows for the State of Indiana to harden its security posture through:

  • Increased Security Standards: National level security hardening.
  • Standardization and Consistency: Uniform assessment process.
  • Improved Interoperability: Easier collaboration with public sector agencies.
  • Cost Efficiency: Leveraging a shared assessment framework.
  • Alignment with National Cybersecurity Strategy.

Indiana RAMP Scope & Applicability:

  • The Indiana RAMP policy applies to all executive branch state agencies, departments, institutions, and the like that are responsible to the Governor of the State of Indiana.
  • It also applies to any other entities that utilize, integrate with, or are otherwise connected to the State’s systems, network, or other IT infrastructure.
  • i.e. For the purposes of Indiana’s RAMP policy, “cloud offering” is defined as all computing services provided outside of IOT data centers and environments.
  • All such entities are covered by the scope of this policy, and all such “covered entities” must abide by its requirements because of our collective need to protect data as well as the technology resources that are used to store, process, and transmit it.

RAMP Policy:

The State of Indiana, via the Indiana Office of Technology (IOT), has issued its final Risk and Authorization Management Program (RAMP) Policy, effective October 14, 2025.

The full policy document is available here or on IOT’s public website.

If you have questions about Indiana’s RAMP policy or its implementation, please contact IOT at IndianaRAMP@iot.in.gov.

Timeline:

New Contracts: Effective on or after October 14, 2025.

Renewal Contracts: Targeting January 1, 2026 to begin enforcement.

Existing Contracts (not up for renewal): At point of new solicitation, or at any adjustment, change order, extension, or action requiring approval by IOT.

Providers will be allowed a period not to exceed 18 months from date of contract execution to achieve the minimum verified status outlined in the RAMP policy matrices. For those providers that do not currently hold a GovRAMP status, enrollment in the Progressing Snapshot program will be required until the minimum verified status requirement is met.

FAQs:

What is GovRAMP?

Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

Please review the Indiana RAMP Policy on Indiana Office of Technology’s public website or you may contact IndianaRAMP@iot.in.gov to request a copy.

You can find the requirements for each assessment here: Templates for GovRAMP Statuses.

Providers will be allowed a period not to exceed 18 months from date of contract execution to achieve the minimum verified status outlined in the RAMP policy matrices. For those products that do not currently hold a GovRAMP status at the time of contract award, enrollment in the Progressing Snapshot program will be required for the cloud product until the minimum verified status requirement is met.

If you are unsure of the data type or critical infrastructure applicability, please contact the requesting agency or the Indiana Office of Technology at IndianaRAMP@iot.in.gov.

Indiana IOT will only be accepting GovRAMP or FedRAMP Rev 5.

While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:

  • TXRAMP
  • SOC 2
  • ISO 27001
  • HITRUST

 

Reason for Non-Acceptance

The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.

The State of Indiana is not authorized to accept any other form of CSF for this assessment to include; self-attestations, trust documents, third-party assessments to include COBIT, ISO/IEC 27000 series, PCI, SOC 2 or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process.

Cloud products that currently hold or are seeking a FedRAMP Rev. 5 status must enroll the product in the GovRAMP Fast Track program. No need to re-engage a 3PAO, just submit the same security package to the GovRAMP PMO following membership enrollment. This will allow Indiana to uphold their requirement for continuous monitoring as outlined in Executive Order 25-19.

To participate:

  1. Become a GovRAMP Member
  2. Submit a Progressing Security Snapshot Request
  3. Pay the applicable fee
  4. Receive onboarding instructions from the GovRAMP PMO

You’ll receive:

  • A Snapshot score within ~3 weeks of payment
  • Quarterly updated Snapshots
  • Monthly one-hour consultative calls with GovRAMP’s security team

If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.

Our assessment fees are tiered based on the annual revenue for the company.

View the full GovRAMP Fee Schedule.

GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisionally Authorized, or Authorized. This includes:

  • Security status checks
  • Vulnerability tracking and closure
  • Ongoing alignment with NIST control requirements

Download GovRAMP’s Continuous Monitoring Guide.

Providers must maintain and provide continuous monitoring access to the State of Indiana for the lifecycle of their contract.

Based on the data processed, transferred, or stored, the State of Indiana may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP under the NIST 800-53 Rev. 5 framework. Specific requirements can be found within the solicitation.

For GovRAMP-related inquiries, please reach out to: info@govramp.org and stacey@govramp.org

For Indiana RAMP-related inquiries, please reach out to: IndianaRAMP@iot.in.gov

Announcements & Educational Opportunities:

Explore announcements, updates, and educational resources to support vendors participating in Indiana’s new RAMP security program. This curated playlist provides on-demand training and guidance for technology providers doing business with the State of Indiana and the Indiana Office of Technology (IOT).

Each video is designed to help vendors understand how to get started in the program, meet GovRAMP-aligned security requirements, and navigate the steps outlined in the Indiana RAMP Policy.

Watch the full training series: GovRAMP Training for Indiana Vendors

IDOA Bidding Opportunities

Click below to see the list of current solicitations for the State of Indiana.

View List

Indiana Office of Technology

Click below to learn more about how to do business with the State.

Learn More

Templates & Resources

Click below for additional guidance on the validation process and requirements.

Learn More

GovRAMP Participating Governments

GovRAMP is accepted by the State of Indiana, as well as other cities and states. Click below to see a list of GovRAMP ‘s participating governments.

View Participating Government Organizations
GovRAMP Icon-Black

Contact Us

For additional information on how to get started with the GovRAMP process, please contact info@govramp.org. For Indiana-related inquiries, please contact IndianaRAMP@iot.in.gov.

Scroll to Top