Cybersecurity and risk management rank second in NASCIO’s 2026 State CIO Top 10 Priorities — underscoring the important role that security frameworks like GovRAMP play in modernizing state government operations. As state regulatory agencies rely on a growing array of software vendors, the need for consistent security assessments remains critical.
Without rigorous standards like GovRAMP, state agencies face inconsistent security practices, along with the greater potential for incidents that disrupt essential services and erode public trust. GovRAMP Ready status, built around NIST 800-53 controls, introduces third-party validation and measurable outcomes, setting a higher bar for vendor security and risk management.
Our article continues a 10-part series looking at NASCIO’s top priorities for state regulatory agencies in 2026. Each installment highlights how combining advanced technology platforms with disciplined compliance practices enables agencies to meet elevated security expectations and improve their risk posture.
We interview Bill Moseley, co-founder and CEO of GL Solutions, about the importance of GovRAMP Ready, a status the company’s regulatory software, GL Suite, achieved in January. He also serves on the GovRAMP Provider Leadership Council.
1. What does GovRAMP Ready status mean, and why does it matter for state regulatory agencies?
Bill Moseley: GovRAMP, formerly called StateRAMP, just to back up a little bit, is a non-profit organization that was created mostly by state governments, but also local governments, as a means of having a consolidated security assessment program. Before this, states would each come up with their own way of assessing the security readiness of their vendors. State governments had a really hard time trying to determine whether their vendors were actually secure or not. There weren’t consistent standards and states have a hard time retaining the IT staff necessary to do that.
To assess the systems of all the vendors is an enormous undertaking. And if you think of most state governments, they are going to have thousands if not hundreds of thousands of employees. And they probably have thousands of software vendors using different kinds of software in their state government. It can really be a challenge to assess the readiness or the security of each one of those vendors in their environments that they’re offering—the software that they’re offering. So, they started establishing a consistent set of standards.
GovRAMP Ready is the second of three tiers that GovRAMP offers to certify or to validate the security posture of a company like GL Solutions. And it confirms that you have a well-articulated security policy. You’ve established what the boundary is for your system. So that would mean you know where the software is; it’s not mingled with a bunch of other components. You must have a third-party audit done. Those audits are quite expensive, up to a quarter million dollars per audit. And they’re going to use someone external to the vendor to validate that you’ve met each and every one of these controls.
They’re all based around NIST 800-53. They essentially verify that you comply with all these baseline things. Do you have a security incident procedure and policy? What’s your disaster recovery? Do your disaster recovery mechanisms actually support the recovery time and recovery point objectives? How long will it take us to recover if a disaster occurs, and how much data would we lose?
There’s a whole host of those that have to be validated to be GovRAMP Ready. And the next step beyond that, once you establish that baseline, is a more technical set of validations. That’s how you become GovRAMP Authorized.
2. Why did GL Solutions decide to pursue GovRAMP Ready status now?
Bill Moseley: We wanted to enhance our security posture to meet the highest levels of security standards. And we wanted to implement and validate that we were compliant with the NIST 800-53 controls. GovRAMP does that. And then increasingly, agencies themselves require that you meet these standards or use it as an alternative to meeting some kind of other audit by the state itself.
So why would a software company like GL Solutions do this? Well, we’re not too far away from states requiring software vendors to be GovRAMP Ready to even bid on contracts. There are some other certifications that are out there that are widely known: SOC 1, which is a financial audit; SOC 2, which is another kind of IT audit; and PCI DSS, which is the audit you do if you’re processing credit card payments. But those three allow substantial self-attestation. Basically, you can assert that you meet a certain type of requirement and that’s good enough. As for the auditing requirements, with PCI DSS there may be no auditing requirement at all in some cases, and you could self-attest that you are secure; that’s hardly a comfort to government agencies. It’s a lot more difficult to actually prove that you’re compliant with them. Even SOC 1 and 2, in comparison, are probably about one-tenth of the amount of security coverage or control coverage as the GovRAMP Ready status is.
There was an incident with the state of Nevada where they had a three-week outage. Someone penetrated the state government’s IT infrastructure and did a ransomware attack. So that means that unemployment checks, Medicaid, some highly visible systems were down for an extended period of time. And that not only breaks public trust; it’s also damaging because you leak a lot of information. That’s bad news. We don’t want that to happen.
These days, cyberattacks are increasingly driven by AI tools. Criminals can attack faster than ever before, finding vulnerabilities that would be hard for a human to detect; but for a machine, finding them is actually very quick. I think vendors like GL Solutions need to up their game on security and need to do so quickly.
3. What does it mean to be the first licensing and permitting software platform to achieve GovRAMP Ready?
Bill Moseley: It really just means that of the other licensing platforms out there, we are the only licensing solution that has actually achieved GovRAMP Ready status. The other ones have not been authorized or validated to meet the controls. They may have done SOC 1 or SOC 2, maybe PCI, but like I discussed earlier, those are just such minor, minor verifications about the security posture of the organization that it really doesn’t offer much comfort or security at all to the state.
So, we’re really happy to be the first to have done this. It could be really difficult for some vendors to achieve GovRAMP Ready or GovRAMP Authorized status. Part of it is that a number of them out there are now conglomerations. They were bought by private equity companies. They went and acquired a whole bunch of little players that each had their own IT environments. And if you do it that way, that means you’re supporting numerous systems that are really different than one another. Some of them may be hosted in Azure, some may be hosted on premises, some may be hosted in AWS. They may have some of their employees over here in this old company and some of them are in another one. When you have an environment like that, it’s incredibly difficult to achieve GovRAMP Ready or Authorized status; it’s just so much more complicated.
GL Solutions has been a standalone entity. We have a unified platform for all of our customers. They’re all Azure hosted, which is a trusted Microsoft platform that’s already FedRAMP High authorized.
I think we have some advantages in this field that really allow us to stand out and stay ahead of some of these security concerns. And I think that’s proven by the fact that we were the first ones to get to this point.
4. How does GovRAMP Ready status change the way agencies evaluate licensing and permitting software?
Bill Moseley: Some states are explicitly changing the way they evaluate licensing and permitting. When an RFP is released, they simply require that you’re GovRAMP Ready or Authorized; if they do that, they know that a third-party auditing company actually validated that your organization meets those security controls. On top of that, you have to do monthly penetration tests and report those results to GovRAMP. GL Solutions has to report monthly compliance, and we have to tell them every single change that we did to our environment, along with every incident that occurs, whether that’s an outage or anything else. It simplifies for the government agencies what they have to do to have a secure partner for their agency.
So, it helps on the evaluation front. And on a more practical basis, the state IT doesn’t have to go in and ask 5,000 questions about how you operate. It saves them so much time and money. They don’t have to have whole sets of staff evaluating each vendor one by one; instead all 50 states do the same validation as all the other 50 states. It’s just so much more efficient—not only for the government, but also for a company like GL Solutions as well. We don’t have to respond to 50 different requests. We can say we met the set of controls that were described by the standard.
5. What security and governance expectations does GovRAMP Ready validate for agencies using GL Suite?
Bill Moseley: There are three levels of government authorization statuses: Core, Ready and Authorized. Ready has about 80 controls that they validate. They validate things like: how do you authenticate your users? Do you do background checks on your employees? Do you encrypt all of your traffic, both in transit and within your network? Do you apply updates on a regular basis? Do you have intrusion detection? There’s really quite a large set of controls that are being validated at the GovRAMP Ready status.
6. How does GovRAMP Ready status support agency trust, transparency and public accountability?
Bill Moseley: If I worked at a government agency today and my vendor told me that they had a GovRAMP Ready status, it would give me a sense of confidence that a third-party auditor went in and actually did a thorough, forensics-type analysis of that environment and confirmed that it met the requirements. They actually looked at all the firewall rules, looked at the boundaries, the network, the network diagrams, and the machines themselves. They required the vendor to produce evidence that they were compliant with these standards; and the standards that are being complied with are the industry’s best practices for security.
There is no security system that is absolutely safe. But if you choose a vendor that is GovRAMP Ready, you can assume that many of these controls are being met. I’ve done my due diligence. I’m doing my duty to keep public data safe and my organization running.
7. What misconceptions do regulatory agencies often have about cloud security and compliance in licensing systems?
Bill Moseley: I think they assume that all vendors are safe. I think there are a lot of reasons that a vendor might choose to take shortcuts on security. It’s really expensive. If you want to be GovRAMP Ready or Authorized as a status, you’re probably going to spend almost $1,000,000 in changes to your environment and policies and procedures in order to become compliant. And then you’re very likely to spend $250,000 a year or more just on the audit and maintaining compliance after that. So, it’s a very expensive proposition and it means you have to have skilled staff on board, which are very hard to find and train. There’s a lot of reasons that a vendor might take a shortcut on being compliant because they think they can save money.
The second one is the idea that security isn’t something to worry about. An agency, for instance, will be really concerned if their software doesn’t work to meet their business requirement, but they don’t seem to have that kind of level of concern if the environment isn’t secure. I think they underestimate the amount of risk that’s actually out there.
I can say that just by watching our firewall, every single day of the week, probably every hour of the year, someone is testing the perimeter of our hosting facility to determine if they can find a vulnerability or weakness to exploit, every single hour and day. The truth is, in this day and age, you are probably under at least some type of low-risk attack all the time. I think that regulatory agencies really underestimate how important that is.
Another misconception I think that agencies have is that state IT is taking care of this. No, they’re not. There are a few states that will do a slightly more thorough investigation. But states have a hard time retaining technical security staff. They’re hard to find. There’s a skill shortage in this area. They’re very expensive. And frankly, the private sector is going to hire them away for higher rates of pay than what the state governments usually pay. So, state governments actually have a big security gap here.
I’m not saying that state IT is bad. I’m just saying they struggle to be able to do this effectively. And so, I think that’s a misconception that they have about cloud security too and the compliance related to it.
The last misconception is that SOC 2 should make me feel safe. SOC 2 should not make you feel safe. Flat out, it may be a minimum baseline set of controls, but it is not a security standard that I would personally say is sufficient to ensure the integrity of your agency software.
8. How does GovRAMP Ready status reduce risk and friction during procurement and implementation?
Bill Moseley: On the risk reduction, you have a third-party auditor. The auditor is trained and skilled to make sure you’re meeting the requirements. And then on the standards, the state IT departments got together and formed the GovRAMP board and decided what the important security controls are. So, there’s kind of a common consensus on what the NIST 800-53 controls are that you need to meet and how you can meet them. Everyone agrees on a common set of standards and requirements; it provides that baseline set. You don’t have to go revalidate everything.
9. How does this milestone fit into GL Solutions’ broader approach to modernization and long-term partnerships with state regulatory agencies?
Bill Moseley: Some of our customers we’ve had for 20 years now and some longer than that. We still have our second customer after 28 years of doing business with them. And when you’re looking at a long-term partnership, that means you need long-term security. You’re not going to be a vendor very long if the data isn’t secure. And so overall, we value our long-term relationships. We want to keep our customers for decades and to be able to do that, modernizing our overall systems and our security infrastructure and posture is a part of maintaining and keeping that relationship safe.
10. What should agencies look for next as they plan modernization efforts around security, scalability and resilience?
Bill Moseley: If I were at the state CIO’s office, I would move towards requiring at least GovRAMP Ready, if not Authorized, for all of your vendors. And that’s going to be difficult, because like I said, it’s very expensive. Regulatory agencies have a lot of software in their environment. Some of the vendors are going to have a real challenge in ever meeting the requirement. At that point the state needs to assess the risk of having software that is unable to prove that it meets these standards or choose different software applications.
I would continue to move in this direction. It’s going to take years. There’s a lot of software vendors out there. They’re on all different kinds of platforms. Some of them are desktop software; some of them are in the cloud; some of them are still in a data center. The environment is really complex. It’s heterogeneous.
In this day and age, you won’t meet GovRAMP Ready merely by being hosted with AWS or Azure; that’s not good enough. That covers about 1/4 of the overall controls. But about 3/4 of them are still things that those hosting environments don’t provide to you that the vendor still has to implement.
We’re in a Microsoft Azure data center where our application is hosted in the cloud. Microsoft provides a whole set of tools around security, compliance, monitoring and logging. As far as scalability, if your data center goes down in one location, you can just fail over to another location.
There’s hardware standing by waiting to be pulled up. When you go to the cloud and you host entirely within Microsoft Azure, for instance, you get security, resilience and scalability. I can just create another virtual machine on the fly. It takes about 10 minutes.
And if I’ve got a lot of load, I can scale up on the environment. You could do that at the drop of a hat. It used to be that you’d have to call Dell and get a server ordered. You’d have to have these special people to be able to install it and you really couldn’t do it within a month. And if your site’s down, it’s not much comfort knowing that you’ve got a server on order.
Conclusion:
As cybersecurity threats evolve, standards like GovRAMP Ready ensure the security and reliability of state regulatory operations. By adopting these frameworks, agencies and vendors alike foster greater trust, efficiency and resilience in their technology partnerships.
On January 19, GovRAMP awarded GL Suite, regulatory software from GL Solutions, GovRAMP Ready status—the first licensing solution to achieve the security standard.
Renee Moseley joined GL Solutions in 2016 with an educational and professional background in research and writing, along with software documentation. At GL Solutions she produces informative content to help regulatory agencies stay current on news and information that supports their success.