AWS Public Sector Blog
Prepare for your GovRAMP Progressing Snapshot with AWS

If you’re a cloud service provider (CSP) selling to state and local governments, you’ve likely encountered growing demand for standardized cybersecurity verification. GovRAMP (formerly StateRAMP), a 501(c)(6) nonprofit, offers a structured path to demonstrate your security posture, and the Progressing Security Snapshot Program is designed to be the first step on that path. In this post, we explain what the Progressing Snapshot program is, who it is for, and how Amazon Web Services (AWS) helps you lay the foundation to address many of the 40 Snapshot controls.
The growing need for standardized cybersecurity verification
State and local governments increasingly rely on cloud-based solutions for citizen services, public safety, and internal operations. However, unlike the federal government, which has the Federal Risk and Authorization Management Program (FedRAMP) for standardizing cloud security assessments, state and local governments have historically lacked a unified framework for evaluating the security posture of their cloud vendors.
This gap creates challenges on both sides. Government agencies struggle to compare vendors on a consistent security basis, and CSPs face a patchwork of requirements that vary from state to state. GovRAMP addresses this by providing a standardized, National Institute of Standards and Technology (NIST)-based framework for verifying cloud security at the state and local level.
Founded in 2020, GovRAMP has grown to include hundreds of government members and service providers. States like Texas, Arizona, and Utah recognize GovRAMP statuses for their own procurement requirements, and the list of participating governments continues to expand.
Who is this for?
The Progressing Snapshot program is a good fit if you are:
- A CSP building on AWS that sells or plans to sell software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) solutions to state, local, or education (SLED) organizations.
- New to compliance frameworks like NIST 800-53 and looking for a guided, incremental approach rather than a full assessment on day one.
- A company that wants to appear on the GovRAMP Progressing Product List to signal cybersecurity maturity to government buyers during procurement.
- A vendor doing business in Texas, where TX-RAMP recognizes GovRAMP Progressing Snapshot enrollment for Provisional status without the 18-month expiration that otherwise applies.
- An organization already pursuing FedRAMP or other NIST-based frameworks that wants to extend its compliance posture to the state and local market with minimal additional effort.
Understanding the Progressing Security Snapshot
The Progressing Security Snapshot is an ongoing, iterative program, not a one-time assessment. The Snapshot evaluates your product against 40 security controls drawn from NIST Special Publication (SP) 800-53 Revision 5. These 40 controls represent the most impactful subset of the GovRAMP Ready baseline at the Moderate impact level, as determined by GovRAMP’s threat-informed methodology. Under this methodology, GovRAMP uses the MITRE ATT&CK framework to map NIST controls to real-world adversary behaviors. Each control is weighted by its control protection value, so requirements that block, detect, or mitigate higher-impact threats contribute more to your overall score.
Table 1 shows representative example controls in each of the nine families; the full list of 40 controls is published in the GovRAMP Snapshot Matrix.
| Control family | Example controls | What it covers |
|---|---|---|
| Access Control (AC) | AC-2, AC-4, AC-6, AC-17 | Account management, least privilege, information flow, remote access |
| Audit and Accountability (AU) | AU-7, AU-11 | Audit record reduction, report generation, log retention |
| Configuration Management (CM) | CM-2, CM-4, CM-5, CM-6, CM-9 | Baseline configurations, impact analysis, change restrictions, configuration settings |
| Identification and Authentication (IA) | IA-2, IA-5 | User identification, multi-factor authentication (MFA), authenticator management |
| Incident Response (IR) | IR-4 | Incident handling and automated incident response processes |
| Maintenance (MA) | MA-3 | Maintenance tool approval, control, and monitoring |
| Risk Assessment (RA) | RA-5 | Vulnerability monitoring, scanning, and privileged access scanning |
| System and Communications Protection (SC) | SC-7, SC-28 | Boundary protection, access points, encryption of data at rest |
| System and Information Integrity (SI) | SI-2, SI-3, SI-4, SI-7 | Flaw remediation, malicious code protection, system monitoring, integrity verification |
Table 1: Snapshot control family coverage
Scoring methodology
Your score is calculated based on which controls you’ve implemented, weighted by each control’s MITRE ATT&CK protection value. For example, controls related to malicious code protection (SI-3) and configuration settings (CM-6) carry higher weight because of their broader impact on your security posture. The GovRAMP Program Management Office (PMO) reviews your evidence and assigns the score. Scores are confidential and shared only with you and, at your discretion, with government agencies you’re working with.
Quarterly cadence and monthly advisory calls
After your initial Snapshot, the program follows a structured rhythm:
- Quarterly Snapshots: You submit updated artifacts every quarter, and the PMO issues a new score. You must demonstrate improvement with each Snapshot, and identical or declining scores can trigger an escalation process.
- Monthly advisory calls: Hour-long consultative sessions with the GovRAMP Advisory team help you understand your gaps, prioritize remediation, and plan for the next quarter.
- Evidence refresh: All artifacts must be refreshed if older than 12 months.
- Listing requirement: Products must score above zero before they can appear on the Progressing Product List, a requirement that took effect January 1, 2026.
Revenue-tiered pricing
The program uses revenue-tiered pricing to make it accessible to businesses of all sizes. You pay three months upfront upon enrollment, then monthly fees beginning in the fourth month. For current pricing details, see the GovRAMP Fee Schedule.
The GovRAMP maturity pathway
The Progressing Snapshot is the entry point to a broader maturity journey. GovRAMP offers a clear progression from initial visibility to full authorization:
| Status | Controls | Assessed by | Description | Estimated Timeline |
|---|---|---|---|---|
| Progressing Snapshot | 40 | GovRAMP PMO | Ongoing quarterly assessments with monthly advisory calls. Provides a security maturity score and listing on the Progressing Product List. | About 3 weeks. Scores are delivered within 3 weeks of submitting data and payment to the GovRAMP PMO, making this the quickest entry onto the Progressing Product List. |
| Core | 60 | GovRAMP PMO | Validated achievement of 60 foundational NIST controls. Listed on the Authorized Product List (APL). No third-party assessment organization (3PAO) required. | 1 to 3 months. A PMO-managed review validates the implementation of the 60 controls; because no 3PAO audit is required, you avoid months of field-testing and scheduling delays. |
| Ready | Minimum mandatory | 3PAO | Verified status through a readiness assessment by an approved 3PAO. Listed on the APL. Represents the minimum mandatory requirements. | 3 to 6 months. Requires hiring an approved 3PAO to conduct a formal readiness assessment; the audit itself takes several weeks, but preparation and scheduling typically extend the timeframe. |
| Authorized | Full baseline | 3PAO | Full authorization through a complete security assessment. The highest GovRAMP verification status. | 12 to 18 months. Spans the full lifecycle: gap remediation (4–8 months), a comprehensive 3PAO security assessment (3–4 months), and final government agency review and sign-off (4–6 months). |
Table 2: GovRAMP maturity pathway from Progressing Snapshot through full Authorization
The Progressing Snapshot is not a terminal status. GovRAMP recommends that once you achieve a 100% Snapshot score, you work toward Core, Ready, or Authorized status to move your product from the Progressing Product List to the Authorized Product List.
How AWS services map to the Snapshot controls
If your product runs on AWS, you already have access to services that help you address the control families in the GovRAMP Snapshot Matrix. AWS operates under the AWS Shared Responsibility Model: AWS is responsible for security of the cloud (the infrastructure), and you’re responsible for security in the cloud (your data, configurations, and applications). Many of the 40 Snapshot controls fall on the customer side of this model, and AWS provides the tools to help you implement them.
The following table maps each GovRAMP control family to the supporting AWS services.
| GovRAMP control family | Relevant AWS services | How they help |
|---|---|---|
| Access Control (AC) | AWS Identity and Access Management (IAM), AWS IAM Identity Center, AWS Organizations | Help enforce least privilege, manage accounts, require MFA, control remote access through federated identity |
| Audit and Accountability (AU) | AWS CloudTrail, Amazon CloudWatch, AWS Security Hub | Help log API activity, retain audit records, generate compliance reports, reduce and analyze audit data |
| Configuration Management (CM) | AWS Config, AWS Systems Manager, AWS CloudFormation | Help establish and enforce baseline configurations, track and prevent unauthorized configuration changes through proactive evaluation rules and automatic remediation actions, and automate infrastructure deployment through repeatable templates |
| Identification and Authentication (IA) | AWS IAM, AWS IAM Identity Center, Amazon Cognito | Help implement MFA, manage authenticators, enforce password policies, provide unique user identification |
| Incident Response (IR) | Amazon GuardDuty, AWS Security Hub, Amazon EventBridge, AWS Lambda | Provide support to detect threats, automate incident handling, centralize security findings, trigger automated response workflows |
| Maintenance (MA) | AWS Systems Manager | Provide support to manage maintenance windows, control and audit maintenance tool usage, automate patching |
| Risk Assessment (RA) | Amazon Inspector, AWS Security Hub | Help automate vulnerability scanning, prioritize findings, monitor for new vulnerabilities continuously |
| System and Communications Protection (SC) | Amazon Virtual Private Cloud (Amazon VPC), AWS WAF, AWS Key Management Service (AWS KMS), AWS Certificate Manager | Help enforce boundary protection, limit access points, encrypt data at rest and in transit |
| System and Information Integrity (SI) | Amazon GuardDuty, Amazon Inspector, AWS Systems Manager, AWS Config | Provide support to detect malicious code, automate flaw remediation, monitor system integrity, verify software and firmware integrity |
Table 3: Snapshot control mapping
Additionally, AWS Artifact provides access to AWS compliance reports and certifications that you can reference in your GovRAMP documentation.
A phased approach to your first Progressing Snapshot
You don’t need to address all 40 controls at once. Here’s a phased approach to building your security posture on AWS in preparation for your first snapshot.
Phase 1: Establish your security foundation (Month 1)
Focus on the highest-weighted controls first: access control, identification and authentication, and configuration management.
- Set up identity and access management: Use AWS IAM to enforce least privilege across your environment. Create individual identities (no shared credentials), grant permissions through roles rather than long-lived access keys, and require MFA through AWS IAM Identity Center. Start with privileged users, but plan for everyone: IA-2 at the Moderate baseline expects MFA for non-privileged accounts as well.
- Enable logging and audit trails: Turn on AWS CloudTrail as a multi-Region trail (an organization trail if you use AWS Organizations) so that API activity in every Region and account is captured, and deliver the logs to a central Amazon S3 bucket that workload accounts cannot modify. Set retention in Amazon CloudWatch Logs and the bucket’s lifecycle policy to meet GovRAMP requirements (at least 90 days online, one year total).
- Define baseline configurations: Use AWS Config rules to establish, monitor, and enforce baseline configurations for your resources. Configure proactive rules to evaluate resource compliance before deployment and attach automatic remediation actions to detective rules so that non-compliant resources are corrected without manual intervention. This shifts your configuration management posture from detection to prevention, directly supporting CM-5 and CM-6.
- Encrypt data at rest: Enable encryption on all data stores (Amazon S3, Amazon EBS, Amazon RDS, and so on) using AWS KMS keys, preferring customer managed keys so that the key policy and the key-usage events in CloudTrail are under your control. This addresses SC-28 (Protection of Information at Rest) directly.
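The Config bullet above describes rules with automatic remediation and the encryption bullet names SC-28; the following Lambda-backed custom AWS Config rule ties the two together by evaluating every S3 bucket for default SSE-KMS with a customer managed key. This is an added example, not code from the post or from AWS: the managed rule s3-bucket-server-side-encryption-enabled covers the weaker "any server-side encryption" check, and this custom rule adds the customer managed key requirement. The configuration-item layout (supplementaryConfiguration.ServerSideEncryptionConfiguration), the sample buckets, and the injected client are assumptions so that the logic runs offline.

```python
"""Custom AWS Config rule: S3 buckets must default to SSE-KMS (SC-28).

Added example, not code from the AWS post. It follows the contract for a
Lambda-backed custom Config rule: the configuration item arrives as a JSON
string in event["invokingEvent"], and the verdict is reported back through
config.put_evaluations(). The S3 configuration-item layout and the sample
items below are assumptions constructed for offline use.
"""
import json
from typing import Optional, Tuple

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_bucket(item: dict, require_cmk: bool = True) -> Tuple[str, str]:
    """Return (compliance_type, annotation) for one S3 bucket configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule evaluates AWS::S3::Bucket only"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "bucket has been deleted"
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # supplementary blocks are delivered as JSON strings
        sse = json.loads(sse)
    if not sse:
        return NON_COMPLIANT, "no default encryption configured"
    for rule in sse.get("rules", []):
        default = rule.get("applyServerSideEncryptionByDefault", {})
        algorithm, key_id = default.get("sseAlgorithm"), default.get("kmsMasterKeyID")
        if algorithm == "aws:kms":
            if key_id or not require_cmk:
                return COMPLIANT, f"SSE-KMS with {key_id or 'AWS managed key aws/s3'}"
            return NON_COMPLIANT, "SSE-KMS uses the AWS managed key; a customer managed key is required"
        if algorithm == "AES256":
            return NON_COMPLIANT, "SSE-S3 only; KMS-backed encryption is required"
    return NON_COMPLIANT, "encryption configuration present but no algorithm set"


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Config rule entry point; config_client is injectable so the logic runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    require_cmk = str(params.get("requireCustomerManagedKey", "true")).lower() == "true"
    compliance, annotation = evaluate_bucket(item, require_cmk)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # imported lazily so evaluate_bucket() needs no SDK
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for boto3's Config client: records PutEvaluations calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def _sse(algorithm: str, key_id: Optional[str] = None) -> dict:
    default = {"sseAlgorithm": algorithm}
    if key_id:
        default["kmsMasterKeyID"] = key_id
    return {"rules": [{"applyServerSideEncryptionByDefault": default}]}


def _bucket_item(name: str, sse: Optional[dict]) -> dict:
    """Constructed configuration item (not real account data)."""
    item = {"resourceType": "AWS::S3::Bucket", "resourceId": name, "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2025-10-01T00:00:00.000Z", "supplementaryConfiguration": {}}
    if sse is not None:
        item["supplementaryConfiguration"]["ServerSideEncryptionConfiguration"] = json.dumps(sse)
    return item


SAMPLE_ITEMS = {
    "cmk": _bucket_item("evidence-cmk", _sse("aws:kms", "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")),
    "aws-managed": _bucket_item("evidence-aws-managed", _sse("aws:kms")),
    "sse-s3": _bucket_item("logs-sse-s3", _sse("AES256")),
    "none": _bucket_item("scratch-unencrypted", None),
}
SAMPLE_EVENT = {  # constructed shape of a configuration-change invocation
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS["sse-s3"]}),
    "ruleParameters": json.dumps({"requireCustomerManagedKey": "true"}),
    "resultToken": "example-token",
}
```

Register the function as a custom Lambda rule triggered by configuration changes scoped to AWS::S3::Bucket, grant its role config:PutEvaluations, and attach an AWS Systems Manager Automation remediation to the rule; the NON_COMPLIANT annotation is the text that appears in the rule-result export you later submit as evidence.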
Phase 2: Build monitoring and detection capabilities (Months 2-3)
With your foundation in place, add the monitoring and detection capabilities that address incident response, system monitoring, and vulnerability management controls.
- Enable threat detection: Activate Amazon GuardDuty for continuous threat monitoring across your accounts. GuardDuty analyzes event sources like AWS CloudTrail management events, Amazon VPC Flow Logs, and DNS logs to identify unexpected and potentially unauthorized activity.
- Automate vulnerability scanning: Turn on Amazon Inspector to continuously scan your workloads for software vulnerabilities and unintended network exposure. This supports RA-5 (Vulnerability Monitoring and Scanning).
- Centralize security findings: Use AWS Security Hub to aggregate findings from Amazon GuardDuty, Amazon Inspector, and AWS Config into a single view, and enable its NIST SP 800-53 Rev 5 standard. That standard checks technical controls across far more than the 40 Snapshot controls, and not all 40 map one-to-one: process-oriented controls such as IR-4 (incident handling) or MA-3 (maintenance tool approval) still need documented procedures and records as evidence, which no automated check produces for you.
- Implement boundary protection: Configure Amazon VPC with proper subnet isolation, security groups, and network access control lists (ACLs). Use AWS WAF to protect web-facing applications.
Phase 3: Prepare for continuous improvement (Month 4 and ongoing)
Prepare the documentation and processes you need for your initial Snapshot and the quarterly cadence that follows.
- Automate evidence collection: Build an evidence pipeline using the AWS services you already have in place. Export AWS Config compliance snapshots and rule evaluation results to demonstrate configuration baselines and change tracking. Pull AWS Security Hub findings reports to show your security posture across controls. Use AWS CloudTrail Lake to query and export audit logs that demonstrate access control and monitoring. Schedule these exports with AWS Lambda and store them in Amazon Simple Storage Service (Amazon S3) to create a quarterly evidence repository that’s ready for each Snapshot submission.
- Document your incident response plan: Create an incident response plan that incorporates your AWS-based detection and response capabilities. Reference how Amazon GuardDuty findings generate automated workflows through Amazon EventBridge and AWS Lambda.
- Automate patching and flaw remediation: Use AWS Systems Manager Patch Manager to automate operating system and application patching, with patch baselines and maintenance windows that define what is approved and when it is applied. GovRAMP requires flaw remediation within 30 days of an update’s release, and automated patching, together with the patch compliance data Patch Manager records, helps you meet and evidence that timeline consistently.
- Review AWS compliance documentation: Access AWS Artifact to download AWS compliance reports, including SOC reports and NIST-related attestations. These documents support your GovRAMP submissions by demonstrating the security posture of the underlying AWS infrastructure.
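The evidence-collection bullet above describes exporting Security Hub findings into a quarterly repository. The script below, an added example that is not from the post or from AWS, turns such an export into a per-control manifest: it tallies PASSED and FAILED checks against the Snapshot controls, flags evidence older than the 12-month refresh limit, lists controls with no current technical evidence, and hashes the export so the manifest is tied to the exact data submitted. It assumes ASFF findings whose Compliance.RelatedRequirements strings look like "NIST.800-53.r5 SC-28" or "NIST.800-53.r5 IA-2(1)"; the sample findings are constructed, the control list is the Table 1 subset rather than the full 40-control matrix, and the S3 key layout is an assumed convention.

```python
"""Quarterly Snapshot evidence manifest from a Security Hub findings export.

Added example, not code from the AWS post. It assumes an ASFF export (the
"Findings" list returned by `aws securityhub get-findings`) whose
Compliance.RelatedRequirements entries look like "NIST.800-53.r5 SC-28" or
"NIST.800-53.r5 IA-2(1)"; the findings below are constructed. The control
list is the Table 1 subset, not the full 40-control GovRAMP Snapshot Matrix,
and the S3 key layout is an assumed convention.
"""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

SNAPSHOT_CONTROLS = {
    "AC-2", "AC-4", "AC-6", "AC-17", "AU-7", "AU-11", "CM-2", "CM-4", "CM-5", "CM-6",
    "CM-9", "IA-2", "IA-5", "IR-4", "MA-3", "RA-5", "SC-7", "SC-28", "SI-2", "SI-3",
    "SI-4", "SI-7",
}
# Enhancements such as IA-2(1) roll up to their base control IA-2.
NIST_REQ = re.compile(r"^NIST\.800-53\.r5 ([A-Z]{2}-\d+)(?:\(\d+\))?$")
MAX_AGE = timedelta(days=365)  # GovRAMP: artifacts older than 12 months must be refreshed


def controls_for(finding: dict) -> set:
    """Snapshot controls that this finding is evidence for."""
    out = set()
    for req in finding.get("Compliance", {}).get("RelatedRequirements", []):
        m = NIST_REQ.match(req)
        if m and m.group(1) in SNAPSHOT_CONTROLS:
            out.add(m.group(1))
    return out


def quarter_label(d: datetime) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def build_manifest(findings: list, as_of: datetime) -> dict:
    """Tally PASSED/FAILED checks per control, flagging stale evidence and gaps."""
    tally = {c: {"passed": 0, "failed": 0, "stale": 0, "resources": set()} for c in SNAPSHOT_CONTROLS}
    for f in findings:
        status = f.get("Compliance", {}).get("Status")
        if status not in ("PASSED", "FAILED"):
            continue  # WARNING / NOT_AVAILABLE is not evidence either way
        updated = datetime.fromisoformat(f["UpdatedAt"].replace("Z", "+00:00"))
        for control in controls_for(f):
            entry = tally[control]
            if as_of - updated > MAX_AGE:
                entry["stale"] += 1  # too old to count; refresh before submitting
                continue
            entry["passed" if status == "PASSED" else "failed"] += 1
            entry["resources"].update(r["Id"] for r in f.get("Resources", []))
    export = json.dumps(findings, sort_keys=True).encode()
    controls = {c: {**v, "resources": sorted(v["resources"])} for c, v in sorted(tally.items())}
    return {
        "quarter": quarter_label(as_of),
        "generated_at": as_of.isoformat(),
        "findings_sha256": hashlib.sha256(export).hexdigest(),  # ties the manifest to the export
        "controls": controls,
        "controls_without_current_evidence": sorted(
            c for c, v in controls.items() if v["passed"] + v["failed"] == 0),
    }


def evidence_key(manifest: dict) -> str:
    """Assumed S3 layout: one prefix per Snapshot quarter, hash suffix for integrity."""
    return f"govramp/{manifest['quarter']}/securityhub-manifest-{manifest['findings_sha256'][:12]}.json"


def _finding(fid, status, reqs, resource, updated):
    """Constructed ASFF finding carrying only the fields this script reads."""
    return {"Id": fid, "UpdatedAt": updated,
            "Compliance": {"Status": status, "RelatedRequirements": reqs},
            "Resources": [{"Id": resource}]}


SAMPLE_FINDINGS = [
    _finding("s3-17-a", "PASSED", ["NIST.800-53.r5 SC-28", "NIST.800-53.r5 SC-28(1)"], "arn:aws:s3:::evidence-cmk", "2026-01-10T00:00:00Z"),
    _finding("s3-17-b", "FAILED", ["NIST.800-53.r5 SC-28"], "arn:aws:s3:::scratch-unencrypted", "2026-01-10T00:00:00Z"),
    _finding("iam-19", "FAILED", ["NIST.800-53.r5 IA-2(1)", "NIST.800-53.r5 IA-2(2)"], "arn:aws:iam::111122223333:user/alice", "2026-01-12T00:00:00Z"),
    _finding("ec2-old", "PASSED", ["NIST.800-53.r5 CM-6"], "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", "2024-12-01T00:00:00Z"),
    _finding("warn", "WARNING", ["NIST.800-53.r5 SI-4"], "arn:aws:ec2:us-east-1:111122223333:instance/i-0def", "2026-01-10T00:00:00Z"),
]
AS_OF = datetime(2026, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FINDINGS, AS_OF)
    print(evidence_key(manifest))
    print(json.dumps(manifest, indent=2))
```

Run this from the scheduled Lambda after the export lands in S3 and store the manifest next to it; the controls_without_current_evidence list is the gap list to bring to the monthly advisory call, and in the sample data it catches both the stale CM-6 check and SI-4, for which the only finding is a WARNING.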
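The incident response bullet above says to reference how GuardDuty findings drive automated workflows through EventBridge and Lambda, and Phase 2 describes enabling GuardDuty itself. Here is one such workflow as an added example, not code from the post or from AWS: the EventBridge pattern that forwards only High and Critical findings, a pure decision function that picks ignore, notify, or isolate, and the EC2 call that quarantines an instance by swapping its network interfaces onto a no-traffic security group. It assumes the EventBridge envelope for GuardDuty findings ("source": "aws.guardduty", "detail" holding the finding JSON), a pre-created quarantine security group with no inbound or outbound rules, and a constructed sample finding; the EC2 client is injected so the logic runs offline.

```python
"""GuardDuty finding -> EventBridge -> Lambda: decide and apply a response.

Added example, not code from the AWS post. It assumes the EventBridge event
shape for GuardDuty ("source": "aws.guardduty", "detail" = the finding JSON)
and a pre-created quarantine security group with no inbound or outbound
rules; the finding below is constructed. The EC2 client is injected so the
decision logic runs offline.
"""
import os

# EventBridge rule pattern: only High (>= 7.0) and Critical findings reach the function.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
# Finding types where network isolation is a safe first response for an EC2 instance.
ISOLATE_TYPES = ("Backdoor:EC2/", "CryptoCurrency:EC2/", "Trojan:EC2/", "UnauthorizedAccess:EC2/")


def plan_response(finding: dict, severity_threshold: float = 7.0) -> dict:
    """Choose ignore / notify / isolate from the finding alone (no side effects)."""
    service = finding.get("service", {})
    if service.get("archived"):
        return {"action": "ignore", "reason": "finding archived"}
    if service.get("additionalInfo", {}).get("sample"):
        return {"action": "ignore", "reason": "GuardDuty sample finding"}
    ftype, severity = finding["type"], float(finding["severity"])
    resource = finding.get("resource", {})
    if (resource.get("resourceType") == "Instance" and severity >= severity_threshold
            and ftype.startswith(ISOLATE_TYPES)):
        details = resource["instanceDetails"]
        return {
            "action": "isolate",
            "instance_id": details["instanceId"],
            "eni_ids": [n["networkInterfaceId"] for n in details.get("networkInterfaces", [])],
            "reason": f"{ftype} severity {severity}",
        }
    return {"action": "notify", "reason": f"{ftype} severity {severity}: below isolation criteria"}


def isolate_instance(plan: dict, quarantine_sg: str, ec2) -> int:
    """Replace the security groups on every ENI of the instance; returns the number changed.

    The instance keeps running, so memory and disk stay available for forensics."""
    for eni in plan["eni_ids"]:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
    return len(plan["eni_ids"])


def lambda_handler(event: dict, context=None, ec2=None, quarantine_sg=None) -> dict:
    plan = plan_response(event["detail"])
    if plan["action"] == "isolate":
        if ec2 is None:
            import boto3  # imported lazily so plan_response() needs no SDK
            ec2 = boto3.client("ec2")
        plan["isolated_enis"] = isolate_instance(plan, quarantine_sg or os.environ["QUARANTINE_SG_ID"], ec2)
    return plan


class RecordingEc2:
    """Stand-in for boto3's EC2 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


SAMPLE_EVENT = {  # constructed; mirrors the EventBridge envelope for a GuardDuty finding
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "networkInterfaces": [{"networkInterfaceId": "eni-0a1b2c3d4e5f67890"}],
            },
        },
        "service": {"archived": False, "additionalInfo": {}},
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, ec2=RecordingEc2(), quarantine_sg="sg-quarantine"))
```

The function's role needs ec2:ModifyNetworkInterfaceAttribute scoped to the workload VPC, and every plan it returns (including notify and ignore) should be written to a log group you retain, because those records are the IR-4 evidence that the automated handling actually ran.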
Conclusion
The GovRAMP Progressing Security Snapshot Program gives CSPs a structured entry point into cybersecurity verification for the state and local government market. Rather than requiring a full assessment upfront, the program meets you where you are and helps you improve quarter over quarter through scored evaluations and monthly advisory support.
If your product runs on AWS, you already have services that help you implement the NIST 800-53 controls evaluated in the Snapshot, from identity and encryption through threat detection and automated evidence collection. Use the phased approach above to address the 40 Snapshot controls, post a non-zero score in your first quarter, and build the foundation for Core, Ready, and Authorized status as your GovRAMP journey continues.
Resources and next steps
- Contact AWS Security Assurance Services – Engage with a trusted advisor for prescriptive implementation guidance, compliance gap analysis, and authorization readiness to accelerate your GovRAMP journey.
- GovRAMP Progressing Security Snapshot Program – Learn about the program and submit a service request to get started.
- TX-RAMP and GovRAMP – Learn how GovRAMP Progressing Snapshot enrollment qualifies for TX-RAMP Provisional status, enabling immediate access to the Texas state market.
- AWS Shared Responsibility Model – Understand the division of security responsibilities between AWS and your organization to properly scope your GovRAMP control implementation.
- AWS Compliance Programs – Explore the compliance programs and certifications that AWS maintains.