
Cyber Check-In Program Boosts Government Trust in Cloud Vendors

The nonprofit advisory group GovRAMP reports that its Progressing Security Snapshot Program leads to steady cybersecurity improvements for cloud service providers who sell to government, ultimately boosting trust.

A quarterly check-in program is helping public-sector-adjacent cloud companies steadily strengthen their cybersecurity, leading to increased confidence in their products from government clients, a new report has found.

The report is from the nonprofit cybersecurity advisory group GovRAMP, and it studies the organization's own Progressing Security Snapshot Program, which gives cloud companies quarterly assessments and advisory feedback aligned specifically to NIST Special Publication 800-53 Revision 5, the security control catalog issued by the federal government's National Institute of Standards and Technology. In practice, the program checks in with its subscribers each quarter, much like a consultancy, giving them benchmarks and advice for improving their cybersecurity posture against that federal standard.

This new report looks at the effectiveness of those efforts. Dubbed Insights From the Progressing Security Snapshot Program, the report found that cloud companies that participate in the program improve their security control performance over time, especially when they remain engaged. They typically reach passing status on individual controls in slightly more than two quarters.

And that participation also boosts government confidence in cloud providers, said Mattie Gullixson, one of the report's authors.

“Our goal is to try and create a system in which it takes as little lift as possible on the government side to verify security while still providing continuous monitoring of a provider’s posture,” Gullixson said. “That takes a lot of staff time from security teams and procurement teams. What we’re really trying to do is take on [part of] that lift.”

GovRAMP also maintains an Authorized Product List, which has three potential designations. Authorized products are those that meet all requirements and have a government sponsor; provisional products exceed minimum requirements and have a sponsor; and ready products simply meet baseline requirements.

The snapshot program starts with a baseline review of 40 NIST controls and follows providers through quarterly reassessments as they build evidence and close cybersecurity gaps. Rather than being a one-time scorecard, it is designed to show progress over time, allowing governments to see how vendors’ security practices mature as they move toward GovRAMP readiness or authorization. The report found that agencies get earlier insight into vendor risk this way, and providers can more easily focus their security efforts.
Screenshot of the GovRAMP risk acceptance model step-by-step path.
GovRAMP’s risk management assessments, programs and outreach are guided by state government leaders, industry representatives and other experts. The nonprofit organization, launched as StateRAMP in 2020, offers a standardized risk assessment that allows vendors to work with participating state and local jurisdictions. Currently, 30 states are members, along with local governments, higher education institutions, at least one tribal government and one federal entity.

New Hampshire CISO Ken Weeks said in a statement that the snapshot program helps his state “understand which providers are actively investing in security and building the practices needed to protect public data — well before formal authorization. Given the pace of change in the industry, this early perspective is vital to our procurement processes.”

Gullixson said the ultimate goal is to get better resources to the public sector, and the report is part of the effort to move the snapshot program forward.

“It’s really a learning system,” Gullixson said, “and, in particular, really helps show that shared responsibility and structured feedback for providers can raise the entire ecosystem of security.”

Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.