The State of Arkansas and GovRAMP

The State of Arkansas has chosen to use the GovRAMP program to validate and verify NIST 800-53 compliance for products that can impact the State’s data, in order to protect its systems and the citizens it serves.

About the Program

Why GovRAMP

Protecting our State’s most sensitive and critical information is a team sport in Arkansas. We have cybersecurity teams working non-stop to protect and defend our networks and systems from hackers, but the threats are always changing, and we must work to stay ahead by strengthening those networks and systems.

One way we can do this is by ensuring that the products that touch or hold any of our critical data are meeting minimum cybersecurity standards. This is where GovRAMP comes in.

GovRAMP (State Risk and Authorization Management Program) has developed a roadmap for vendors to follow to demonstrate through an externally verifiable process that they are meeting national cybersecurity standards.

Arkansas is excited to strengthen our cyber defenses by adopting GovRAMP as a framework for our contract and procurement process to ensure that we are covering every angle possible when it comes to protecting our residents’ data and ensuring our overall security.

Learn more about GovRAMP on govramp.org.

The Process

Act 504

OIT and DPA are teaming up to help implement GovRAMP in Arkansas. Together, OIT and DPA have worked to update Arkansas’s cybersecurity procedures and policy language to require GovRAMP authorization for vendors that touch or hold our data. Additionally, Arkansas’s solicitation and contract language is in the process of being updated so that agencies can make the process as seamless as possible.

Act 846

The updated language and templates will be available here once finalized. 

Not every contract will require GovRAMP validation. The State of Arkansas’s Office of Information Technology (OIT) will determine when GovRAMP validation is required.

For those products that do require GovRAMP validation, the following is a list of survey questions to help determine the appropriate impact level:  

  • Will the vendor process, transmit, and/or store non-sensitive State data, metadata, and/or data that may be released to the public that requires no additional levels of protection?
      • If yes, GovRAMP Low is recommended. 
  • Will the vendor process, transmit, and/or store personally identifiable information (PII) as defined by the U.S. Department of Labor (DOL)?
      • If yes, GovRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store protected health information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA)?
      • If yes, GovRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store payment card industry (PCI) data as defined by the PCI Security Standards Council (PCI SSC)?
      • If yes, GovRAMP Moderate is recommended.
  • Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a disruption to government operations?
      • If yes, GovRAMP Moderate is recommended.
  • Will the loss or unavailability of the data that is processed, transmitted, and/or stored by the service provider result in a loss of confidence or trust in the government?
      • If yes, GovRAMP Moderate is recommended. 
  • Will the vendor process, transmit, and/or store criminal justice information (CJI) data?
      • If yes, GovRAMP Moderate is recommended. Note: States may add additional controls to GovRAMP Moderate to comply with the CJIS requirements. 

For additional questions on identifying what qualifies for GovRAMP requirements, please contact the Arkansas OIT. 

For additional questions and clarification of impact levels, please review our recorded data classification training here. [link needed]

Please also feel free to reach out to info@stateramp.org.

GovRAMP enables vendors to become authorized through a sequence of steps that are streamlined and can translate across participating states in order to reduce redundancy and improve efficiency.  

The three stages of GovRAMP validation are GovRAMP Security Snapshot, GovRAMP Ready and GovRAMP Authorized. 

The Security Snapshot is a gap analysis that helps vendors identify any areas that may not yet meet standards, which prepares them for the full review. The remaining steps are more in-depth, and a full overview is available here: https://stateramp.org/wp-content/uploads/2022/12/Authorized-Service-Provider-Getting-Started-Guide.pdf

Announcements

No Announcements at this time.

State Bidding Opportunities

Click below to see the list of current government solicitations for the State of Arkansas.

Arkansas Procurement 

Click below to learn more about how to do business with the State.

Arkansas Standards and Guidelines

Click below to see the State’s Standards and Guidelines.

Contact Information and Trainings

Contact Information and Educational Opportunities will be listed here as they become available.

GovRAMP Overall Statement

GovRAMP is accepted by Arkansas and other states. Click below to see a list of GovRAMP’s participating governments.

State and Local Government

Contact us and schedule a conversation to get started. For more information about how GovRAMP works with governments, visit our Governments page.

Providers

For many service providers, meeting security standards and supplying documentation to governments can be time consuming and costly. GovRAMP allows service providers to leverage their verified IaaS, PaaS, and SaaS solutions across multiple government contracts. Learn more about the benefits and process for service providers, or contact our team to get started.
