Presented by Google & Carahsoft
State and local governments are facing a defining challenge: how to modernize rapidly while maintaining the security, compliance, and trust that citizens expect. In a conversation featuring Tony Sauerhoff, Chief AI & Innovation Officer and State CIO for Texas and Board President of GovRAMP; Bernice Russell-Bond, State Chief Information Security Officer for North Carolina; and Leah McGrath, Executive Director of GovRAMP, one message comes through clearly—trust at scale requires a shared, standardized approach.
At the center of that approach is GovRAMP, a framework designed to help state and local governments assess, authorize, and continuously monitor cloud service providers. For Sauerhoff, the appeal of GovRAMP is both practical and mission-driven. In Texas alone, thousands of local government entities operate with varying levels of resources and cybersecurity maturity. Many simply don’t have the staff or expertise to conduct rigorous third-party risk assessments on their own. GovRAMP provides a shared assurance model that allows those organizations to rely on a centralized, standardized process—bringing capabilities within reach that would otherwise be unattainable.
For Bernice Russell-Bond, North Carolina’s recent move to become a GovRAMP state reflects a broader transformation in cybersecurity strategy. Historically, many agencies relied on point-in-time assessments of vendors—evaluating risk once and moving forward. But in today’s environment, where threats evolve constantly, that model is no longer sufficient. North Carolina is shifting toward continuous monitoring, enabling real-time visibility into vendor risk and allowing teams to respond more quickly when issues arise.
Efficiency is a recurring theme throughout the discussion, but not in the traditional sense. It’s not just about doing things faster—it’s about doing the right things with limited resources. By centralizing vendor assessments and sharing results across agencies, GovRAMP reduces redundant work and shortens procurement timelines. Russell-Bond highlights that this approach allows agencies to deliver services to citizens more quickly, while also creating a more consistent experience for vendors.
That consistency also benefits the vendor community, particularly smaller companies that may lack the resources to navigate complex, fragmented compliance requirements. By providing a clear pathway to improving cyber hygiene, GovRAMP helps vendors mature their security practices, making them more competitive not just within a single state, but across multiple jurisdictions.
Zero trust architecture further reinforces this foundation. Sauerhoff describes zero trust as both a technical framework and a cultural shift—one that moves organizations away from implicit trust and toward continuous verification. Rather than relying on perimeter defenses, zero trust emphasizes identity, data protection, and ongoing monitoring. For Russell-Bond, establishing clear baselines within a zero trust framework creates consistency across agencies while still allowing flexibility in how solutions are implemented.
Importantly, the panel makes clear that there is no one-size-fits-all solution. GovRAMP itself is designed to be flexible, offering different levels of authorization based on the sensitivity of the data being handled. McGrath describes this as a “choose your own adventure” model, where agencies can align security requirements with their specific risk profiles while still benefiting from a common foundation.
As emerging technologies like artificial intelligence continue to evolve, the need for that foundation becomes even more critical. Russell-Bond points out that while technologies will change, the fundamentals of cybersecurity remain constant. Strong foundational controls—consistent cyber hygiene, shared standards, and continuous monitoring—are what enable agencies to adapt to new risks without losing sight of their core mission.
Ultimately, establishing trust at scale is not about a single tool or framework. It is about aligning people, processes, and technology around a shared understanding of risk and responsibility. By embracing collaboration, standardization, and proactive security strategies, state and local governments are not only modernizing their systems—they are building a more resilient and trustworthy digital future for the citizens they serve.
Key Takeaways