Strengthening Indiana’s Cybersecurity: RAMPxchange Applauds Governor Braun’s Executive Order 25-19

Published February 10, 2025
by Kyle McGrath

A Bold Step Towards a More Secure Indiana

RAMPxchange congratulates Governor Braun and the State of Indiana for issuing Executive Order 25-19, a transformative step toward enhancing cybersecurity across state agencies, departments, and all other institutions that store, process, or transmit sensitive information or operate critical systems. By implementing a Risk and Authorization Management Program (RAMP) policy for cloud computing services, Indiana is prioritizing cost-effective, risk-based cybersecurity standards that improve the security posture for the Whole-of-State by strengthening its vendor supply chain.

This forward-thinking initiative demonstrates Indiana’s commitment to securing sensitive State data and setting a standard where vendors meet rigorous cybersecurity requirements. RAMPxchange stands ready to support Indiana’s vendor community and all covered public sector entities in navigating these new compliance measures efficiently.

Executive Order 25-19: What vendors need to know.

Governor Braun’s Executive Order 25-19 mandates that the Indiana Office of Technology (IOT) implement a RAMP policy, ensuring that all cloud computing services used by the State meet robust security controls by October 2025. The order impacts all state agencies, departments, and institutions managing sensitive information or critical systems (referred to as Covered Entities).

Four key requirements for vendors to do business with the State of Indiana:

1: Demonstrate compliance with NIST 800-53, revision 5, or, using independent verification, demonstrate a plan for the vendor’s path forward to full compliance.

  • Vendors must either prove they already comply with NIST 800-53, revision 5, or submit a detailed plan that outlines their path forward to full compliance.

2: Prepare for updated procurement and contract language.

  • All procurements and contracts must include language that ensures full compliance with the RAMP policy. This includes timeframes for vendors to become compliant, as well as a requirement for vendors to provide the Covered Entity access to evidence on their progress, on a minimum of a quarterly basis.
  • This applies to both new procurements and the renewal of any current contracts.

3: Plan for continuous risk assessments and monitoring.

  • Vendors must ensure regular risk assessments and continuous monitoring are conducted by an independent and nationally recognized organization with multistate connections to identify potential vulnerabilities and threats and maintain compliance.

4: Expect the policy to last.

  • The executive order took effect in January 2025 and will remain in effect until amended or rescinded by the Governor.

For vendors already working with or seeking to work with Indiana’s Covered Entities, this order presents both a challenge and an opportunity: ensuring compliance is now a critical requirement for doing business with the state.

The solution: start your RAMP journey in RAMPxchange.

As Indiana accelerates its cybersecurity efforts, RAMPxchange is here to help vendors navigate the compliance process efficiently and cost-effectively.

Our cybersecurity and risk management marketplace simplifies the process of meeting Executive Order 25-19’s requirements by providing structured tools, expert guidance, and a streamlined approach to risk assessments and authorization management. We connect you with advisors, auditors, and security professionals who can guide you through the compliance process, help deliver on key milestones, and ensure your organization’s readiness for state procurement opportunities.

Getting started is simple:

Step 1: Register with RAMPxchange today.

  • Gain access to compliance tools, procurement insights, and expert support.

Step 2: Consult with a RAMPxchange advisor. 

  • Want to learn more about our platform? Speak with an expert to understand how RAMPxchange can help you achieve compliance with Indiana’s new policy.

Step 3: Conduct a current state assessment.

  • Procure services in RAMPxchange to evaluate your current cybersecurity posture as it aligns to Indiana’s Executive Order.
  • Once your assessment is complete, work alongside a RAMPxchange advisor and create a customized roadmap to achieve full compliance.

The cybersecurity landscape is evolving, and compliance is no longer optional—it’s a competitive advantage. Don’t wait to unlock new business opportunities and maintain your existing contracts. Instead, help your company meet state security standards in Indiana by starting your compliance initiatives in RAMPxchange.
