State of Arizona & GovRAMP

Why GovRAMP?

The State of Arizona’s cloud security program, AZRAMP, is officially transitioning to StateRAMP (dba GovRAMP), reinforcing Arizona’s commitment to standardized cybersecurity requirements and enhanced vendor risk management. The move aligns Arizona’s cloud security policies with the widely adopted GovRAMP framework, ensuring consistency in security assessments and streamlined procurement processes for cloud service providers operating in the state.

With this transition, Arizona will leverage GovRAMP’s established compliance framework, which provides enhanced security oversight and efficiency for state agencies and service providers. This move simplifies compliance efforts for vendors while strengthening Arizona’s cybersecurity posture across public sector entities.

“The State Procurement Office continues to focus on streamlining business-to-business interactions to make it more transparent for businesses to understand what requirements are necessary to contract with the state of Arizona,” said David Steuber, the State Procurement Administrator. He added, “The introduction of cybersecurity standards will assist vendors with the security assessment process and will provide transparency in the steps needed before a contract award. We will continue to partner with the Arizona Department of Homeland Security (ADOHS) and other units within the Arizona Department of Administration to ensure alignment in processes to best serve those doing business on behalf of the state.”

New Cloud Product Requirements

As of July 1, 2025, all new contracts will include risk assessment requirements that align with the GovRAMP program, which is based on National Institute of Standards and Technology (NIST) 800-53. Any grace period offered to reach the appropriate assessment level will be defined within the solicitation for the product/service.

As of July 1, 2026, all renewal contracts will include risk assessment requirements that align with GovRAMP or FedRAMP.

Announcements & Educational Opportunities

View the joint webinar with the AZRAMP and GovRAMP Teams held on April 28th, 2025 for more information. 

If you missed the GovRAMP Webinar for Arizona vendors held on March 13th and want to know more about each GovRAMP status, you can view the video here.

Frequently Asked Questions

For questions or more information about GovRAMP, please contact: info@govramp.org

If you have any questions about AZ-RAMP, please contact: grc@azdohs.gov

Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.

As a 501(c)(6) nonprofit, our mission is to promote cybersecurity best practices through education and policy development to improve the cyber posture of public institutions and the citizens they serve. GovRAMP is comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.

No. If you have an active AZRAMP status, you will be able to use your AZRAMP status until it expires. There will be no further renewals for AZRAMP statuses, and at the point of expiration you will need to have an appropriate GovRAMP or FedRAMP status as defined by the Arizona Department of Homeland Security (ADOHS).

AZRAMP will only be accepting GovRAMP or FedRAMP.

  • This allows for Arizona to maintain their commitment to upholding the NIST 800-53 standard and streamline the oversight process.
  • GovRAMP does offer a Fastrack option for FedRAMP products.

While GovRAMP provides reciprocity with TX-RAMP, compliance with TX-RAMP does not afford you a GovRAMP security status. The following will not be accepted:

  • TXRAMP
  • SOC 2
  • ISO 27001
  • HITRUST

Reason for Non-Acceptance

The 2018 National Cyber Strategy of the USA identifies NIST as the only Cybersecurity Framework (CSF) for assessing SaaS, PaaS, or IaaS vendor environments.

The State of Arizona is not authorized to accept any other form of CSF for this assessment, including self-attestations, trust documents, or third-party assessments including COBIT, ISO/IEC 27000 series, PCI, SOC 2, or SOC 3 reports. Therefore, we will require a copy of your organization’s Systems Security Plan (SSP) or Written Information Security Program (WISP) for our evaluation process.

For data stored, transmitted, and processed in protected systems, a verified status of GovRAMP Core may be required to satisfy AZRAMP’s minimum requirements. If applicable, this status must be achieved no later than 12 months from contract execution. Should ADOHS require a higher-level terminal status of Ready/Authorized, this requirement shall be included in the contract, and the products must meet this status within the timeframe outlined in the resulting contract, which shall be in conformance with the timeframes below:

If a verified status of Core is required, the status must be achieved no later than 12 months from the resulting contract award.

If a verified status of Ready is required, a provider will be allowed a minimum of 12 months from contract award date to ensure the contracted product has achieved Ready status, not to exceed 18 months.

If a verified status of Authorized is required, a provider will be allowed a minimum of 18 months from contract award date to ensure the contracted product has achieved Authorized status, not to exceed 24 months.

Any additional assessment requirements, such as regulatory compliance including, but not limited to CJIS, HIPAA, et al., shall also be determined by ADOHS and incorporated into the contract terms.

Upon award of contract, if the protected system does not currently hold a GovRAMP verified status, the provider will be required to participate in the GovRAMP Progressing Snapshot program prior to any data being transferred, stored or processed with the expectation that progress will be made on a quarterly basis. A provider may also provide a letter from the GovRAMP PMO indicating that the product currently holds an Active, In Process, or Pending status, indicating that the product is in the pipeline to receive a GovRAMP Ready, Authorized, or Provisionally Authorized status.

To learn more about how to obtain any of our GovRAMP statuses, visit our GovRAMP for Service Providers page. This page provides an overview of the GovRAMP organization, general onboarding information, a getting started checklist, and complete details regarding the requirements for beginning the GovRAMP verification process.

Yes, if you are enrolled in GovRAMP’s Progressing Snapshot program or have a verified GovRAMP status, you will need to include a GovRAMP letter indicating the product verified and the status achieved, when responding to a solicitation to do business with the State of Arizona.

As of July 1, 2025, for new contracts, based on the data impact level, ADOHS will select the appropriate level of risk assessment required for the procurement and determine the necessary terminal status to be defined within the contract for the product. A “terminal security status” is a status where a product has met a natural endpoint and moves into continuous monitoring. There are three GovRAMP statuses that are always considered terminal security statuses: Ready, Provisionally Authorized, and Authorized. GovRAMP Core may be considered a terminal security status should ADOHS determine that no additional security assessments are needed to meet its requirements for that contract. ADOHS shall ensure compliance with NIST 800-53 Rev 5 (or current) based on third-party assessments provided by GovRAMP, FedRAMP, and/or by the AZRAMP ADOHS exception process.

Continuous monitoring involves regular security status checks of a cloud solution, conducted monthly or quarterly. This process starts once the product reaches a GovRAMP milestone status such as Core, Ready, Provisionally Authorized, or Authorized. The purpose of continuous monitoring is to ensure that the service provider’s solution is meeting security requirements and maintaining a secure system state. It provides insights into vulnerabilities, allowing service providers to address issues and comply with GovRAMP standards. By identifying areas of risk, continuous monitoring enables service providers to take prompt action to protect the system.

Download GovRAMP’s Continuous Monitoring Guide

Continuous monitoring must be maintained for the lifecycle of your contract with the State of Arizona, and upon request, access to the product’s security package and continuous monitoring artifacts must be granted to ADOHS.

Based on the data processed, transferred, or stored, the State of Arizona may require that the cloud solutions used to deliver services be assessed by GovRAMP or FedRAMP. Specific requirements can be found within the solicitation for the services.

Bidding Opportunities & Solicitations

Click below to see the list of current solicitations for the State of Arizona.

Arizona Department of Homeland Security

Click below to learn more about how to do business with the State.

GovRAMP Provider Templates & Resources

Click below for additional guidance on the validation process and requirements.

GovRAMP Participating Governments

GovRAMP is accepted by the State of Arizona, as well as other cities and states. Click below to see a list of GovRAMP’s participating governments.

Contact Us

For additional information on how to get started with the GovRAMP process, please contact info@govramp.org. For Arizona-related inquiries, please contact grc@azdohs.gov
