Frameworks · GovRAMP (formerly StateRAMP)
One verification.
Every statehouse.
State and local government IT is a $155B+ market — and it just got a bouncer. Arizona and Nevada now require GovRAMP on new contracts, roughly 26 states participate, and every one of them accepts the same verification. Lionfish takes you up the ladder — Snapshot, Ready, Authorized — on the Cyber Tackle Box™, with the NIST controls, documentation, and 3PAO management handled.
The SLED door is closing on unverified vendors
Sources: GovWin SLED IT forecast; govramp.org program data (July 2026); Nevada and Arizona state IT announcements; FedRAMP Class A recognition, July 15, 2026. State participation levels vary — we map the states in your pipeline on the first call.
Who this is for
For govtech vendors tired of the questionnaire treadmill
Every state RFP used to mean a bespoke security review. GovRAMP is 'verify once, use many' — and the states that mandate it are multiplying.
- ✓SaaS vendors selling to states, counties, cities, K-12, and higher ed — permitting, courts, ERP, public safety, benefits, ed-tech — anything touching government data.
- ✓Incumbent vendors with renewals in mandating states — in Arizona, every new and renewal contract must now align to GovRAMP or FedRAMP. A renewal without status is churn.
- ✓10–500-person companies with SOC 2 but no NIST experience — the exact gap between what you have and what the program wants is the gap we close.
Sound familiar?
The pain we hear on every first call
- !Tier confusion. Snapshot (~40 controls), Core (~60), Ready (80), Authorized (300+) — knowing which tier which state actually requires is half the battle.
- !The 3PAO sticker shock. Full Authorized status needs a third-party assessment typically starting around $70K — budget surprise is the #1 program-killer.
- !SOC 2 isn't enough. States speak NIST 800-53. Vendors who assume their SOC 2 report transfers lose months discovering the delta.
The platform
How the Cyber Tackle Box™ runs your GovRAMP program
A NIST-native backbone that climbs the GovRAMP ladder tier by tier — and doubles as your FedRAMP Class A entry when you're ready to go federal.
NIST-Mapped Templates
Policies and documentation mapped to the 800-53-based control set — from the 40-control Snapshot through 300+ at Authorized.
Tier-by-Tier Objectives
Each verification tier tracked as a milestone with owners and dates — climb Snapshot → Ready → Authorized without repeating work.
POA&M Management
Findings driven to closure with the discipline the GovRAMP PMO's continuous monitoring expects.
Evidence & State Intel
One evidence library serving every state's review — plus intel on which states are adopting mandates next, before the RFP drops.
3PAO & PMO Playbooks
Runbooks for the security review, 3PAO assessment, and PMO submission — we manage the process so your team ships product.
Training Included
The workforce security training the control set requires, tracked per person — one less finding at assessment time.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
GovRAMP questions we answer every week
What is GovRAMP and how is it different from FedRAMP?
GovRAMP (formerly StateRAMP, renamed February 2025) is a nonprofit 'verify once, use many' program for cloud vendors selling to state, local, tribal, and education buyers. It uses the same NIST 800-53 control foundation as FedRAMP but with a tiered ladder — Security Snapshot, Core, Ready, and Authorized — at a fraction of federal costs. And since July 2026, FedRAMP recognizes GovRAMP in its Class A rules, so the same investment opens both markets.
Which states require GovRAMP?
Roughly 26 states participate, and mandates are hardening: Nevada requires GovRAMP progress on new contracts as of July 1, 2026, and Arizona retired its own AZRAMP — all new and renewal contracts must now align to GovRAMP or FedRAMP. Texas runs its separate TX-RAMP, which GovRAMP status partially reciprocates into. We map the states in your actual pipeline on the first call.
How much does GovRAMP cost?
Far less than FedRAMP, but it's real money: membership starts around $1,500 a year, the Security Snapshot is a low-cost entry point, and full Authorized status requires a 3PAO assessment typically starting around $70K plus remediation. The smart sequence is entering at the tier your buyers actually require and climbing as contracts justify it — which is exactly how we run the program.
How fast can we get verified?
A Security Snapshot takes weeks. Ready status commonly takes 3–6 months; Authorized runs 6–12+ months depending on your starting posture. If a live RFP or renewal is driving the clock, say so on the call — the Snapshot is often enough to stay in the running while the deeper verification proceeds.
Get in touch
Get GovRAMP before the next mandate
Tell us which states are in your pipeline and what you hold today. You'll get a tier recommendation and a scoped plan within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.