AddToAny share buttons

GovRAMP logo

Strengthening Compliance Through Updated GovRAMP Requirements on Existing IT Contracts

The N.C. Department of Information Technology continues to advance statewide cybersecurity through the adoption and implementation of strengthened GovRAMP requirements.

Earlier this year, NCDIT partnered with GovRAMP to establish a unified, risk‑based framework for cloud service providers supporting executive branch agencies. This framework helps reduce exposure to ransomware, data breaches, and vulnerabilities introduced by third‑party tools by ensuring all cloud services are evaluated against a consistent and rigorous standard.

Updated Guidance Now Available

To support stronger, more consistent compliance on existing IT contracts, new guidance is now available for applying GovRAMP requirements during contract extensions, renewals, and new engagements involving vendor‑hosted products and services where state data is stored, processed, or transmitted. 

These updates help ensure that security requirements are incorporated at key stages throughout the contract lifecycle, reducing risk and reinforcing the state’s cybersecurity posture.

Incorporating GovRAMP Requirements Into Existing Contracts

The updated guidance outlines how GovRAMP specifications, terms, and conditions will be integrated into existing contracts while maintaining strong protections for state data. 

Moving forward, GovRAMP updates will be applied when IT contracts are renewed, extended or modified through an amendment.

For contract extensions and renewals, agencies should begin incorporating GovRAMP language as part of amendment preparation. Updated language will be available in the Ariba Sourcing Tool, PCORE, and on the NCDIT website no later than July 15. Statewide IT Procurement will also support agencies with amendments already in progress as updated terms are finalized.

Clarification on Amendments

Short-term or Bridge Extensions - In limited circumstances where a short-term or bridge extension is necessary – typically less than one year and used during vendor transitions or active solicitations – agencies may continue to rely on the vendor’s existing security certification or attestation (such as Vendor Readiness Assessment Report or third-party reviews). Because these vendors have already undergone evaluation, situations of this nature are considered lower risk and allow for operational continuity without delay.

New Contracts - In April 2026, it was established that the state would transition to GovRAMP authorization requirements over the next 12 months and that GovRAMP is an essential security specification for vendor-hosted products and services. The IT Solicitation templates in the Ariba Sourcing Tool, PCORE and the NCDIT website have been updated for new IT vendor-hosted solicitations being issued or posted. Minor changes to the terms and conditions for the inclusion of GovRAMP just became available and will also be incorporated.

FedRAMP Rev. 5 authorizations may also satisfy the state’s security standards at the time of contract award in lieu of a GovRAMP authorization. However, where appropriate, the state may require a vendor holding a FedRAMP Authorized designation to initiate and actively pursue the GovRAMP Fast Track Process to obtain a GovRAMP Provisionally Authorized or Authorized status in order to satisfy the state’s continuous monitoring requirements.

Supporting a Stronger Cybersecurity Posture

By gradually incorporating GovRAMP requirements into existing contracts through amendments, Statewide IT Procurement and agency purchasing teams are helping unify and strengthen the state’s cybersecurity standards for vendor‑hosted solutions. These updates further the state’s commitment to consistent, secure management of data across all hosted environments.

Please note: No changes are necessary for IT contracts hosted on the state’s infrastructure.

Related Topics: