North Dakota & GovRAMP

Updated: June 9, 2026

Why GovRAMP?

North Dakota has partnered with GovRAMP. Using GovRAMP allows North Dakota to strengthen its security posture through:

  • Increased security standards: National-level security hardening
  • Standardization and consistency: Uniform assessment process
  • Improved interoperability: Easier collaboration with public sector agencies
  • Cost efficiency: Leveraging a shared assessment framework
  • Alignment with national cybersecurity strategy

Why Third-Party Risk?

The State of North Dakota has a fundamental responsibility to safeguard the sensitive information entrusted to us by our citizens. North Dakotans share personal data in order to access essential state‑administered services—such as supplemental nutrition assistance, fishing and hunting licenses, mental health support, and driver’s licensing. These services are vital to daily life, and residents depend on them to Be Legendary.

To uphold this responsibility, North Dakota Information Technology (NDIT) works proactively to defend citizen data across the state network, cloud platforms, and the applications that power these services. One of the ways we strengthen this protection is by partnering with GovRAMP.

What is North Dakota’s Third-Party Risk Management Program?

North Dakota’s TPRM Program ensures that risks related to third‑party vendors are consistently identified, assessed, and mitigated. Through comprehensive due‑diligence activities, the program provides reasonable assurance that citizen data is properly protected. The level of assessment performed depends on the type of data a vendor stores or transmits, as defined by NDIT’s Data Classification Policy.

GovRAMP plays a key strategic role in this process. Vendors that are authorized by GovRAMP are fast‑tracked through NDIT’s TPRM assessment, helping accelerate secure service delivery. With GovRAMP, North Dakota’s third‑party cloud providers demonstrate that:

  • Government‑published cybersecurity policies are met and maintained.
  • Data is stored and processed within a secure, compliant environment.
  • Security controls are assessed and validated by an accredited, independent third‑party assessor organization (3PAO).

GovRAMP also provides continuous monitoring, allowing NDIT cybersecurity teams to focus on additional priorities that reduce risk to North Dakotans.

Key Outcomes of TPRM

North Dakota’s TPRM Program helps the state:

  • Understand security considerations when selecting vendors.
  • Protect sensitive data and strengthen citizen trust.
  • Reduce exposure to financial and operational risks associated with third‑party breaches.
  • Maintain compliance with legal, privacy, policy, and industry‑standard requirements.
  • Ensure business continuity by confirming that vendors have effective contingency plans.
  • Foster strong, collaborative partnerships—because cybersecurity is a shared responsibility.

State Bidding Opportunities

Click below to see the list of current government solicitations for the State of North Dakota.

North Dakota Procurement

Click below to learn more about how to do business with the State.

GovRAMP Requirements

Download a quick guide on the State of North Dakota and GovRAMP requirements.

North Dakota Standards & Guidelines

Click below to view State of North Dakota’s IT Governance program.

GovRAMP Participating Governments

GovRAMP is accepted by the State of North Dakota, as well as governments across the country. Click below to see a list of GovRAMP’s participating governments.

Contact Us

For additional information on how to get started with the GovRAMP process, please contact info@govramp.org.

For North Dakota-related inquiries, please contact cygrc@nd.gov.

Frequently Asked Questions

What is GovRAMP?

Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

As a 501(c)6 nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.

Our assessment fees are tiered based on the annual revenue for the company.

View the full GovRAMP Fee Schedule.

GovRAMP requires monthly continuous monitoring once a product reaches Core, Ready, Provisionally Authorized, or Authorized. This includes:

  • Security status checks
  • Vulnerability tracking and closure
  • Ongoing alignment with NIST control requirements

Download GovRAMP’s Continuous Monitoring Guide.

Providers must maintain and provide continuous monitoring access to the State of Indiana for the lifecycle of their contract.

The State of North Dakota identifies the following service models for the cloud environment:

Infrastructure as a Service (IaaS) is a cloud environment with computing resources such as virtual servers, storage, and network. The consumer uses their own software, including operating systems, middleware and applications. The underlying physical infrastructure is managed by the Cloud Service Provider (CSP).

Platform as a Service (PaaS) is a cloud environment for development and management of consumer applications. It includes the infrastructure layer – virtual servers, storage and network – while tying in middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete development lifecycle while leaving the management of the physical infrastructure to the CSP.

Software as a Service (SaaS) is a cloud computing solution that provides the consumer with access to a complete software product. The application resides on a cloud platform and is accessed by the consumer through a web interface or application program interface (API). The physical and virtual infrastructure, operating system, middleware and application are all managed by the CSP.

Other: storing, processing, and/or transmitting North Dakota data in environments outside the control of the state.

For questions or more information about GovRAMP, please contact: info@govramp.org.

If you have any questions for the State of North Dakota Procurement, please contact: infospo@nd.gov 

For any questions related to North Dakota Security and Assessment, please contact: cygrc@nd.gov 
