The North Carolina Department of Information Technology (NCDIT) has partnered with GovRAMP to adopt a unified security framework for cloud service providers working with state agencies.
GovRAMP, a cybersecurity nonprofit, works to build trust in cloud solutions through standardized security requirements and third-party verification. Previously called StateRAMP, the nonprofit rebranded to GovRAMP last year to serve a broader range of government entities.
“This is about more than compliance. It’s about trust and progress,” NCDIT Secretary and State Chief Information Officer Teena Piccione said in a press release. “The public expects secure, reliable services. By adopting a consistent approach, we’re not only protecting the state’s digital assets, but we are empowering agencies to more quickly deliver online services for North Carolinians.”
NCDIT said the updated security requirements take effect April 1. The department also said it will provide an “on-ramp” period to give vendors time to achieve the required status under a contract, with specifics to be outlined in the purchasing mechanism or associated contract.
Full compliance will be mandatory without exception for all contracts containing a cloud component by April 1, 2027.
NCDIT will host webinars with GovRAMP to explain the new standards to vendors and provide guidance ahead of implementation.
Beyond security, the state said the move is intended to streamline IT procurement and accelerate vendor onboarding, supporting faster deployment of digital services, and potential cost efficiencies.
“Cloud security is critical to protecting the systems that serve our communities,” said Leah McGrath, executive director of GovRAMP. “By aligning with GovRAMP, North Carolina is reinforcing clear, risk-based requirements that help reduce exposure and protect public services.”
