Title 44: Public Printing and Documents (Release 119-73)

§3609 Roles and responsibilities of the General Services Administration

Title 44 › Chapter 36 - Management and Promotion of Electronic Government Services › § 3609

Last updated Apr 6, 2026

Summary

Requires the General Services Administration (GSA) to run and manage FedRAMP for cloud services used by federal agencies. GSA must work with the Secretary and other federal cybersecurity leaders to create a system for reviewing, reusing, and standardizing cloud security checks and for overseeing continuous monitoring, following the Director’s guidance issued under section 3614. GSA must set rules and criteria to decide when a cloud product can get FedRAMP authorization and to confirm authorizations. It must publish templates, best practices, scope guidance, and other help that follow NIST standards. GSA will grant authorizations with input from the FedRAMP Board, keep a public comment process, provide secure storage and sharing of authorization packages (including information needed under section 3613), give status updates to applicants, review costs and foreign-interest information under sections 3611 and 3612, support the advisory committee under section 3616, and decide how to check software provenance. GSA must keep an official public website with all FedRAMP materials and explain how it picks which products get priority, working with the FedRAMP Board and the CIO Council. GSA must assess automation tools to speed authorizations and, not later than 1 year after the date of enactment of this section, put in place a way to automate security assessments and update it regularly. GSA must also set yearly metrics on the time and quality of assessments that link to testing under section 3554 while minimizing agency reporting.

Full Legal Text

Title 44, §3609

Public Printing and Documents — Source: USLM XML via OLRC

(a) The Administrator shall—
(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;
(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;
(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;
(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;
(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;
(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;
(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;
(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;
(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;
(10) regularly review, in consultation with the FedRAMP Board—
(A) the costs associated with the independent assessment services described in section 3611; and
(B) the information relating to foreign interests submitted pursuant to section 3612;
(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;
(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and
(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.
(b)(1) The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).
(2) The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.
(c)(1) The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.
(2) Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.
(d) The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.

Legislative History

Notes & Related Subsidiaries

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Editorial Notes

References in Text

The date of enactment of this section, referred to in subsec. (c)(2), is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, § 5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

Reference

Citations & Metadata

Citation

44 U.S.C. § 3609
