GovRAMP Advisory and Assessment Services

Earning a State Risk and Authorization Management Program (GovRAMP)—formerly known as StateRAMP—authorization to operate (ATO) not only indicates a cloud service provider’s (CSP) ability to meet a state and local government’s strict security standards but can also help unlock a significant revenue stream.

GovRAMP is a security framework designed to standardize cloud security for state, local, and tribal governments, as well as educational institutions. Modeled after the Federal Risk and Authorization Management Program (FedRAMP), it follows NIST 800-53 standards.

Leveraging this opportunity requires navigating an intricate, highly prescriptive process that many CSPs underestimate, resulting in delayed authorization, increased costs, and an overburdened team.

Expand your business opportunities and level up your credibility as a CSP with GovRAMP services that can streamline the authorization process and accelerate your go-to-market strategy.

Leverage GovRAMP Advisory Experience

Create a well-crafted GovRAMP security package that passes the required independent assessment with support from our experienced professionals.

Advisory offerings include:

Gap Analyses

Identify areas of concern and document actionable solutions to address them through one-on-one interviews and collaboration with your SMEs to create a gap analysis report.

Documentation Development

Create high-quality implementation statements, policies, and plans that address all GovRAMP requirements and meet GovRAMP standards by leveraging our professionals’ extensive experience.

Diagram Creation and Review

Diagram your application to clearly depict the authorization boundary in accordance with GovRAMP standards, with guidance and support from our professionals who can implement GovRAMP’s preferred diagram protocols.

Engineering Support

Navigate the complexities of building secure GovRAMP environments by collaborating with our engineers, who can provide your technical teams with cloud engineering and architecture support.

Assessment Support

Overcome assessment challenges and keep your authorization process moving forward with insights and guidance from our experienced professionals.

GovRAMP 101 Preparedness

Prepare your organization to meet GovRAMP’s stringent reporting and compliance requirements with preparedness training led by our professionals.

GovRAMP Assessment Services

Undergoing a rigorous GovRAMP assessment is a complex, thorough process in which our assessors perform all requisite tests against the system. As an A2LA-accredited third-party assessment organization (3PAO), Moss Adams conducts GovRAMP assessments for organizations ready to take the next step in the GovRAMP authorization process.

Assessment services include:

Readiness Assessment Reports (RAR)

Achieve GovRAMP Ready status on the marketplace by undergoing a pre-assessment to determine if your cloud service offering (CSO) aligns with the key system functionalities and capabilities required for GovRAMP authorization. This assessment indicates that the CSP is ready to undergo the GovRAMP authorization process, conferring a preliminary GovRAMP Ready status that demonstrates the provider meets foundational requirements but is not yet fully authorized.

Initial Authorization Assessment

Designed for CSPs undergoing the GovRAMP authorization process for the first time, this assessment allows our expert assessors to guide you through all testing requirements, evidence and artifact requirements, and documentation.

Annual Assessment

Once fully authorized, CSPs are required to submit an annual assessment that tests one-third of the control baseline, in addition to other system updates and findings from the previous year’s continuous monitoring cycle.

Significant Change Request (SCR)

For CSPs contemplating potential system changes, this process helps you determine if the change qualifies as a GovRAMP SCR and helps incorporate the change into your continuous monitoring cycle.

How the Assessment Process Works

Each assessment engagement follows GovRAMP’s prescribed testing protocols. Below is an overview of the process.

  • Analyze Documentation. Our GovRAMP professionals review and analyze your submitted documentation package.
  • Inventory Alignment. We match your inventory against detailed GovRAMP diagrams.
  • Perform GovRAMP Testing. Each CSO undergoes GovRAMP-required manual, technical, penetration, and red team testing.
  • Create Risk Exposure Table & Security Assessment Report. After vulnerabilities or findings are confirmed, we create a risk exposure table and security assessment report summarizing each finding, including its risk level and other relevant information from testing.
  • Create Recommendation Report. Our independent 3PAO review and findings are compiled in a Security Assessment Report (SAR) with a recommendation to either issue or not issue an ATO or provisional ATO (P-ATO), or a continuance, depending on the authorization path.

Extensive GovRAMP Advisory and Assessment Expertise

Deeply immersed in more than 30 industries, our professionals provide solutions specific to the nuances, challenges, and operations of the sector in which you work—while customizing plans to meet your unique needs.

Armed with a deep knowledge of and experience with all aspects of the GovRAMP authorization process, our professionals bring insights and guidance that can help you successfully earn a GovRAMP authorization while also identifying how to leverage the authorization across all areas of your business.

From gap analyses to technical testing, our subject matter experts collaborate with you to identify crossover with other frameworks—such as FedRAMP, HIPAA, ISO 27000, PCI, and SOC—that can reduce costs and ease the audit burden on your team. We also have extensive technical experience in the technologies and processes needed to support organizations undergoing GovRAMP authorization, such as cybersecurity, IT compliance, and internal audits.

Our one-firm approach allows your organization to tap into the full resources of our firm, integrating guidance and solutions related to finance, tax, and audit concerns, technology services, and risk and IT compliance.
