The State of North Carolina & GovRAMP
Why GovRAMP?
Protecting North Carolina’s most sensitive and critical information is essential for operational resilience. As cyber threats rapidly evolve, even the most vigilant cybersecurity teams can’t defend networks from bad actors alone. Cybersecurity isn’t just about defense; it’s about taking proactive measures to safeguard data. One way to accomplish this is to ensure every cloud product handling data meets North Carolina’s strict cybersecurity standards. That’s where GovRAMP comes in.
To protect its digital assets, North Carolina has committed to partnering with GovRAMP to implement a comprehensive cybersecurity strategy, rooted in risk and vulnerability management, threat intelligence, and standardized security verification for cloud products. The State of North Carolina will assist providers in ensuring that their cloud products meet the minimum security controls indicated by GovRAMP in accordance with the NIST 800-53 security controls. GovRAMP allows providers to verify once to serve many, affording them the benefit of transferable credentials through its standardized cybersecurity verification process, while also simplifying procurement. Product cybersecurity validation can be used with any of GovRAMP’s participating government members.
Through GovRAMP’s standardized approach to security assessment, North Carolina is ensuring every cloud product handling its data meets applicable cybersecurity standards throughout the contract lifecycle. Together, GovRAMP and North Carolina are delivering cybersecurity confidence, compliance, and protection you can trust.
New Cloud Product Requirements
The State of North Carolina Department of Information Technology (NCDIT) ensures that all executive branch offices utilizing cloud services meet applicable security standards. To create a standardized process and provide resources to its agencies, NCDIT has leveraged the GovRAMP framework for authorization and continuous monitoring to protect the confidentiality, integrity and availability of state information.
The GovRAMP requirements for new contracts with cloud components will go into effect on April 1, 2026. You can review the State of North Carolina’s Third-Party Cloud Service Risk Authorization & Management Statewide Information Security Manual Supplement here. Additional details will be announced shortly.
For more information on North Carolina’s information security policies, please visit it.nc.gov.
North Carolina & GovRAMP: Educational Webinars
Join us for a live training designed to educate vendors working with the State of North Carolina on GovRAMP and the upcoming policy changes.
The session will include an overview of GovRAMP, North Carolina’s new cybersecurity policies, and a Q&A with the GovRAMP team.
Upcoming Sessions:
- Wednesday, April 22 | 3 pm – 4 pm ET | Register
Previous Sessions:
- February 26 | Slide Deck | Recording
- March 16 | Slide Deck | Recording
The State of North Carolina & GovRAMP News
Bidding Opportunities & Solicitations
Click below to see the list of current solicitations for the State of North Carolina.
State of North Carolina Department of Information Technology
Click below to learn more about the State’s Security Policies, Standards, and Procedures.
GovRAMP Provider Templates & Resources
Click below for additional guidance on the validation process and requirements.
Frequently Asked Questions
What is GovRAMP?
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
How do I get a GovRAMP status?
To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.
What are the continuous monitoring requirements?
Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.
Download GovRAMP’s Continuous Monitoring Guide
Continuous monitoring must be maintained for the lifecycle of your contract with the State of North Carolina, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to the State.
Will North Carolina accept any other frameworks?
GovRAMP provides a standardized, comprehensive security verification process that includes Continuous Monitoring under the NIST framework. The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments. This allows North Carolina to maintain its commitment to upholding the NIST 800-53 standard and streamline the oversight process.
How do I enroll in the GovRAMP Progressing Security Snapshot Program?
To participate:
- Become a GovRAMP Member
- Submit a Progressing Security Snapshot Request
- Pay the applicable fee
- Receive onboarding instructions from the GovRAMP PMO
You’ll receive:
- A Snapshot score within ~3 weeks of payment
- Quarterly updated Snapshots
- Monthly one-hour consultative calls with GovRAMP’s security team
If you’re responding to a solicitation, note your time constraints on the request form so we can prioritize accordingly.
How much does a GovRAMP assessment cost?
To continue supporting North Carolina small- and medium-sized businesses, including veteran- and minority-owned businesses, the GovRAMP assessment fees are tiered based on the annual revenue of the company.
What if I don't own the solution but use cloud products to deliver services to the State of North Carolina?
Based on the data processed, transferred, or stored, the State of North Carolina may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.
What are the guidelines for determining if my product is a cloud computing service?
North Carolina identifies three distinct service models for the cloud environment:
Infrastructure as a Service (IaaS) is a cloud environment with computing resources such as virtual servers, storage, and network. The consumer uses their own software, including operating systems, middleware and applications. The underlying physical infrastructure is managed by the Cloud Service Provider (CSP).
Platform as a Service (PaaS) is a cloud environment for development and management of consumer applications. It includes the infrastructure layer – virtual servers, storage and network – while tying in middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete development lifecycle while leaving the management of the physical infrastructure to the CSP.
Software as a Service (SaaS) is a cloud computing solution that provides the consumer with access to a complete software product. The application resides on a cloud platform and is accessed by the consumer through a web interface or application program interface (API). The physical and virtual infrastructure, operating system, middleware and application are all managed by the CSP.
How can I contact GovRAMP to get started?
For questions or more information about GovRAMP, please contact: info@govramp.org.
If you have any questions for the State of North Carolina, please contact: ESRMO@nc.gov.
GovRAMP Participating Governments
GovRAMP is accepted by the State of North Carolina, as well as governments across the country. Click below to see a list of GovRAMP’s participating governments.
Contact Us
For additional information on North Carolina Procurement including bulletins, open bids, contracts and registration, please refer to the North Carolina electronic Vendor Portal. If you have any questions for the State of North Carolina, please contact ESRMO@nc.gov.
For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.