StateRAMP Completes Rebrand to GovRAMP, Reflecting Its Growing Cybersecurity Mission

“For government to be able to adopt these new technologies, we must validate that these technologies are secure, and not just once but ongoing throughout the contract duration,” she says. StateRAMP established a baseline of security standards to allow a common method for verifying products as secure across multiple governments.

“They’re reporting continuously, but they do that to one place: our centralized program management office. Then, they’re able to use that reporting and that validation by sharing it out with their government customers. The idea is that providers are able to verify once to serve many,” McGrath says.

As a nonprofit, StateRAMP is a membership organization that includes various public sector jurisdictions and private sector companies, representing an ecosystem around cloud services. And like Arapahoe County, not all public sector members are states.

Why Did StateRAMP Rebrand to GovRAMP?

When StateRAMP was founded in 2021, current and former state officials were the brains behind the initiative. However, the organization immediately saw the appeal of StateRAMP authorization to local governments and education institutions, McGrath says. StateRAMP began admitting government jurisdictions outside of state governments.

“StateRAMP was a misnomer because many of these local government leaders, for example, would call us and say, ‘We would really like to participate, but we’re not sure if StateRAMP is for us,’ because of the word state in our name,” McGrath says. “After talking with our steering committee last fall and working with our board, we decided it was time to make the change from StateRAMP to GovRAMP to better reflect our mission and those that we serve.”

StateRAMP’s rebranding to GovRAMP is also motivated by an embrace of whole-of-state cybersecurity. In a whole-of-state cybersecurity model, many state governments establish shared services, which they provide to local governments and other agencies. To support whole-of-state cybersecurity initiatives, GovRAMP leaders seek to emphasize that the organization’s certification is not just for state governments, McGrath says.

Legally, the organization has retained StateRAMP as its official name. However, the shift to GovRAMP in all public-facing branding has already started. As of March 2025, the website URL has been updated to govramp.org, and all web content has been edited to reflect the GovRAMP brand.

Government entities participating in GovRAMP include state executive agencies, local governments (cities and counties), judicial courts, K–12 schools, regional K–12 school networks, several higher education institutions and at least one tribal territory.

How Does GovRAMP Benefit Authorized Cloud Vendors?

Cloud solution providers receive certification on StateRAMP, qualifying them for contracting opportunities available through all participating jurisdictions. Once a product passes review, it may be certified as Ready, Provisionally Authorized or Authorized. Among other products, the StateRAMP Authorized Product List includes Zscaler Internet Access (Government) and Zscaler Private Access (Government), both of which have Authorized certification, the highest level, indicating the products are fully compliant with all mandated security controls.

Brian Conrad, director of strategic global compliance initiatives, Zscaler, says certification gives Zscaler an avenue by which to promote its products as premier cybersecurity solutions.

“It’s under the same model as FedRAMP. The reason FedRAMP came about was because cloud providers would have to go from agency to agency, using those individual templates and standards and baselines. That’s time-consuming and resource-intensive for the cloud provider. And it’s also inefficient for the government,” Conrad says.

EXPLORE: State and local governments must be strategic about AI adoption.

There are 50 states, and not all of them accept GovRAMP yet, but vendors also have to go from state to state to obtain individual certification without GovRAMP. Moreover, officials established GovRAMP because they wanted to manage their own relationships with cloud vendors.

“We can be authorized once and then be used many times. There are great advantages to that,” Conrad says. “The needs of the federal government are unique, and the needs of the states are unique. So, it was absolutely brilliant to set up StateRAMP to do what it’s doing.”

Click the banner below for information about government transformation.

How Do GovRAMP Authorized Products Help State and Local Governments?

The Center for Digital Government published the Best Practice Guide for Cloud and As-a-Service Procurements, which GovRAMP circulates as advice and terms and conditions for cloud solution procurements.

The document states, “Although the specific paths to cloud and as-a-service procurement may vary from state to state, CDG believes there are common practices and terms and conditions that state and local governments can use to streamline cloud solution contracting; strengthen cloud security, privacy and data protection; and lower supply chain risk.”

In support of that goal, government agencies can turn to the GovRAMP authorized products list to discover solutions already reviewed by a third-party assessment organization. State and local government agencies may release solicitations incorporating GovRAMP security requirements upfront. Then, cloud vendors can verify their compliance in replying to the solicitation with their GovRAMP product authorization.

With authorization, cloud service providers and other vendors can speed through security reviews, shortening the time required to procure the solution.

“It makes the entire process go more smoothly. If they’re awarded that contract, they don’t have to go through some lengthy vendor review of their security on the back end,” McGrath says.

GovRAMP then provides a single source of authorization for security compliance that multiple participating government agencies can rely upon.

What’s Next for GovRAMP?

When StateRAMP was founded, leaders sought to distinguish StateRAMP from FedRAMP by emphasizing its independence and the benefits of establishing personal relationships with vendors who seek to demonstrate their cybersecurity compliance for state and local contracting requirements.

But as GovRAMP heads into the future, the nonprofit organization would like to work more with the federal government.

“We want to collaborate better with the federal leaders who are establishing and setting cyber regulations that slow down the states and locals and impact the industry,” McGrath says.

A web of federal agencies established national cybersecurity regulations, which can occasionally fail to synchronize if not outright contradict one another, she adds. This can cause disharmony in the marketplace.

DISCOVER: State and local officials identify their top cybersecurity KPIs.

“Those regulations flow down to the states and local governments, and they also impact the provider community,” McGrath says. “One of our big strategic initiatives is to work toward greater harmonization of this framework across state and local governments and also within the federal government. Disjointed regulations may cause us to spend too much time trying to comply and not enough time on the security practices that really matter.”

Generally, GovRAMP would like to be a part of the conversation in federal discussions around regulations and other initiatives going forward, she says.

Soon, GovRAMP will launch a task force on artificial intelligence in cloud products. An AI executive council consisting of four state CIOs and three state CISOs is striving to define the scope of the task force.