COV Ramp (formerly ECOS)

ramp, cov grade iconCOV Ramp is part of COV Grade, which is a brand family that signifies the Commonwealth of Virginia’s seal of approval for IT products, services and solutions.

COV Ramp Approved Applications List

Find the supplier name, product and brief SaaS/PaaS description

The COV RAMP Approved Applications list (.xlsx) is updated monthly.

COV RAMP Metrics

Below are the averages for 2018-2024:

COV RAMP Assessment Timeline Averages 2018 2019 2020 2021 2022 2023 2024**
Average # of days for VITA to complete initial review 12 9 12 10 11 11 10
Average # of days for Agency/Supplier to respond 25 22 23 24 25 28 25
Average # of days for VITA to review Agency/Supplier response 11 8 10 6 8 13 8
Average # of days for Agency/Supplier to respond to respond to second review 20 15 34 15 14 21 20
Average number of days for completion* 77 61 58 46 52 54 60

* Third and fourth reviews when required are included in the "average" number of days for completion.

** 2024 COV RAMP Metrics for Dec

COV Ramp Process

Watch video for High Level Overview Fireside Chat on the process.

Three Distinct Components of the COV RAMP Offering

COV RAMP Provides Oversight Functions and Management of Cloud Based Services

The service assures consistent performance from suppliers through service level and performance monitoring. Agencies benefit from flexibility with growing business demands by ensuring adequate security controls are in place for the protection of data, proper utilization of resources and compliance with regulations, laws and timely resolution of audit recommendations.

COV RAMP minimizes the need for exceptions in obtaining external software as a service (SaaS) services. COV RAMP provides a flexible and custom option for obtaining SaaS services which meet the specific needs of the agency. The service offers guidance and oversight activities for agencies in the following areas:

  • Assisting agencies meet commonwealth requirements, such as SEC 525 for hosted systems
  • Incorporating appropriate contract terms and conditions to mitigate risk
  • Completing Annual SOC2 Type II assessment reviews
  • Ensuring vulnerability scans and intrusion detection are conducted
  • Patching compliance of suppliers environment
  • Ensuring architectural standards are met
  • Monitoring performance against Service Level Agreements (SLAs)

COV RAMP is a service specifically created for third party vendors offering software as a service (SaaS) applications.

SaaS is the capability to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The provider manages or controls the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.

SaaS Characteristics include:

  • Network-based access to, and management of, commercially available software
  • Access to provider’s services through an internet connection to a third party hosted facility
  • A one-to-many model (single instance, multi-tenant architecture) for service delivery
  • A common architecture for all tenants, usage based pricing, and scalable management
  • Third party management of the service including functions such as patching, upgrades, platform management, etc.  
  • A multi-tenant architecture with a single, centrally maintained, common infrastructure and code base shared by all users and applications
  • Subscriber/user managed access for the application
  • Provider-based data custodianship and server administration for the service

COV RAMP Applies when:

  • Services under procurement meet the above definition and/or characteristics of a SaaS provider.
  • When an agency is requesting the provider to act on behalf of a Commonwealth entity and/or is accepting commonwealth data, and/or serving as the data custodian and/or system administrator of that data for purposes of making it available back to the Commonwealth via an interface for fee.