Through the arrangement, cloud service providers already vetted by GovRAMP can be utilized by state agencies without requiring repeated security checks, which Kelly Gardner, communications manager for the North Carolina Department of Information Technology (NCDIT), said “will help state agencies more quickly deliver secure online services.”
GovRAMP itself is not new, but its role has expanded in recent years. The program evolved from StateRAMP, an earlier initiative that focused specifically on states seeking a shared alternative to conducting separate cloud security audits. Over time, participation widened beyond state governments to include local governments and other public-sector entities, prompting the transition to GovRAMP as a broader umbrella framework.
That expansion is reflected in the list of governments that have already adopted the model. States including Arizona, California, Florida, Georgia, Massachusetts, Michigan, New Hampshire, Oklahoma, Texas and North Carolina have participated in the program at various stages, using it as a way to align cloud security requirements and reduce redundancy across agencies.
For North Carolina specifically, the partnership places GovRAMP within the state’s existing technology governance structure rather than creating a new approval process. Agencies remain responsible for selecting vendors and managing projects, but the security review component can now be handled through a shared authorization already recognized by other governments.
The announcement framed the move as part of the state’s broader approach to cloud adoption, in which agencies increasingly rely on externally hosted systems to deliver services. Bernice Russell-Bond, North Carolina’s chief information security officer, noted in a news release that “cybersecurity is a shared responsibility” and the new partnership “builds a stronger foundation for resilience and trust, creating an environment where technology can thrive securely and efficiently.”
