Embedding Security in State and Local Procurement

Original broadcast 8/19/25


Presented by Carahsoft

State and local governments face many of the same cybersecurity challenges as federal agencies, but they often have fewer resources and a more diverse technology vendor base. Leah McGrath, Executive Director of GovRamp, is working to bridge that gap by helping states, cities, and school systems build security requirements directly into their procurement processes.

GovRamp’s security program is now leveraged by more than 30 states to validate the security of their technology providers. McGrath says this approach is essential for enabling innovation in government while ensuring systems are protected. “If those requirements are not incorporated into the contracts, the procurement up front, and the terms and conditions,” she explains, “then it’s just pretty words on paper.”

To address that, GovRamp has collaborated with the National Association of State Procurement Officials (NASPO) and the Center for Digital Government to develop a procurement best practices toolkit. This toolkit helps agencies incorporate security clauses based on the sensitivity of the data involved and the level of risk. It also provides model contract language and guidance that can be adapted to each jurisdiction’s needs.

The results are already visible. In July 2025, both Arizona and Utah went live with procurement terms embedding these security requirements, and more states are preparing to follow suit. GovRamp’s website offers examples so that other agencies can see exactly how the clauses look in practice.

One important lesson McGrath’s team has drawn from the federal FedRAMP program is the value of enabling secure innovation more quickly. While FedRAMP sets a high bar for full authorization, many state and local providers are not ready to meet that standard immediately. To address this, GovRamp developed the Snapshot and Core Status programs — early-stage validations that provide transparency into a product’s security posture before it completes full authorization.

These statuses have been incorporated into procurement processes so that agencies can make risk-based decisions early, knowing what level of security a product has today and how it plans to mature. This allows smaller vendors to begin working with governments sooner while they complete the full certification process.

GovRamp also operates a centralized portal where private-sector members can share continuous monitoring reports with their government customers. An escalation policy ensures that agencies are notified of changes or issues without having to log in daily — they receive alerts only when action is required.

McGrath says this community-based approach has been central to GovRamp’s success. By bringing together industry, government, and educational institutions to share best practices and feedback, they can adapt quickly to new challenges. “We innovate through iteration,” she says, emphasizing the importance of agility and continuous improvement in cybersecurity.

Key Takeaways:

  • Embedding security requirements in contracts ensures they are enforceable and actionable.

  • Early-stage validations like Snapshot and Core Status allow agencies to assess providers before full authorization.

  • Continuous monitoring portals and escalation policies improve transparency while reducing administrative burden.


Watch the full episode at InnovationInGov.com
