Indiana is raising the bar for cloud security. The Indiana Office of Technology (IOT) has launched its Risk Assessment Authorization Program (RAMP) policy to ensure any provider handling state data meets verified security requirements. It’s a clear signal: protecting Hoosiers’ information is now a shared responsibility for every cloud service provider working with the State.
This policy changes the expectations for every cloud provider working with Indiana. If GovRAMP is new to you, the requirements may feel daunting—but this is also a chance to strengthen your security practices and build trust with public sector partners. Getting ahead of these requirements puts you in a stronger position for future opportunities.
Indiana uses a broad definition of “cloud.” It includes subscription-based applications, virtualized computing resources, and managed services hosted outside of IOT. If your organization’s application, solution, or other software/hardware stores, processes, or transmits state data outside of IOT’s infrastructure, this new policy applies to you.
Compliance isn’t just for new solicitations or contracts. Every contract requiring IOT’s approval—whether an amendment, renewal, change order, or extension—must comply with this policy. The goal of the policy is clear: protect Hoosiers’ data, reduce risk, and maintain trust in the systems government relies on.
Indiana’s RAMP policy changes the procurement process and contract requirements significantly. Vendors responding to solicitations will need to demonstrate a GovRAMP verified status, or that they have a clear plan to get there. The State will not automatically disqualify respondents who haven’t yet achieved the required status, but a respondent awarded a contract must achieve compliance within 18 months of the contract start date or half the initial term, whichever is shorter (e.g., 4-year contracts must comply within 18 months, 2-year contracts within 1 year).
This means vendors cannot afford to take a “wait and see” approach. Time is critical—the further along you are in the RAMP compliance journey, the better positioned you will be to respond to solicitations and implement contracts smoothly.
IOT has signaled that solicitations will specify the required GovRAMP status based on the sensitivity of the data involved. These statuses may include GovRAMP Core for non-confidential data, GovRAMP Authorized for sensitive data, or GovRAMP Authorized with CJIS Overlay for criminal justice information. Each level corresponds to different NIST 800-53 control sets. You can learn more about these statuses and controls by reviewing the matrices in Indiana’s RAMP Policy and by visiting GovRAMP’s website.
Compliance isn’t a one-time milestone. Providers will be expected to maintain their status through continuous monitoring, quarterly reporting, and routine assessments. Hardening cybersecurity posture is a long-term commitment. Changes in technology, evolving threats, and organizational shifts make cybersecurity an ongoing process—not a static achievement.
Your path to GovRAMP begins with understanding your offering and the data it handles. Is it SaaS, IaaS, or PaaS? Does it handle personally identifiable information (PII), health data, or criminal justice data? Will it support critical infrastructure? These factors determine your required GovRAMP level because each level is tied to the sensitivity of the data and the potential impact on critical systems. Knowing this upfront ensures you target the correct verification and avoid delays later.
A practical first step is reviewing IOT’s “RAMP Minimum Security Level Matrices: Data Type and Critical Infrastructure” within the Indiana RAMP Policy, which outline requirements based on data type and infrastructure impact. Once you know your level, you can begin your verification process and identify the controls you need to address.
The RAMPxchange marketplace is designed to connect members with providers who offer services to strengthen security posture and achieve compliance with Indiana’s RAMP policy. Through RAMPxchange, you can access a range of solutions, including assessments like the Progressing Snapshot offered by RAMPQuest, the founding Project Management Office (PMO) for GovRAMP, which helps identify strengths, gaps, and priorities for improvement. To learn more about procuring this assessment or exploring additional services from other RAMPxchange providers to support your compliance journey, reach out to a RAMPxchange Advisor.
Indiana’s RAMP policy sets a new standard for cloud providers. Achieving GovRAMP verification does more than check a box—it strengthens your security foundation and signals to public sector customers that you’re a trusted, long-term partner. Starting early gives you a competitive edge and helps you respond to solicitations with confidence.