Title 44, Public Printing and Documents (Release 119-73)

§3613 Roles and responsibilities of agencies

Title 44 › Chapter 36 - MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES › § 3613

Last updated Apr 6, 2026

Summary

Requires agencies to favor and use cloud services that meet FedRAMP security requirements and the Director’s risk-based performance requirements (determined in consultation with the Secretary). Before an agency starts its own authorization for a cloud service, it must check the secure mechanism under section 3609(a)(8) to see if a FedRAMP authorization already exists. When possible, agencies should reuse the security assessments and materials from an existing FedRAMP authorization. Agencies must give the Director the data called for under section 3614 so the Director can track agency performance. If an agency finds the FedRAMP package is missing or clearly inadequate, the agency must explain those reasons in its authorization file. When an agency issues an authorization based on FedRAMP, it must send the authorization letter and any extra information required under section 3609(a) to the Administrator. Within 180 days after the Director issues guidance under section 3614(1), each agency head, through the agency’s CIO, must send all of the agency’s cloud-authorization policies to the Director. FedRAMP authorization packages are presumed usable by agencies, but that presumption does not remove an agency’s duties under subchapter II of chapter 35 or the agency head’s right to require extra security controls when needed.

Full Legal Text

Title 44, §3613

Public Printing and Documents — Source: USLM XML via OLRC

(a) In implementing the requirements of FedRAMP, the head of each agency shall, consistent with guidance issued by the Director pursuant to section 3614
(1) promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by the Director, in consultation with the Secretary;
(2) confirm whether there is a FedRAMP authorization in the secure mechanism provided under section 3609(a)(8) before beginning the process of granting a FedRAMP authorization for a cloud computing product or service;
(3) to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service; and
(4) provide to the Director data and information required by the Director pursuant to section 3614 to determine how agencies are meeting metrics established by the Administrator.
(b) Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed under paragraph (2) or (3) of subsection (a) is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination.
(c) Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.
(d) Not later than 180 days after the date on which the Director issues guidance in accordance with section 3614(1), the head of each agency, acting through the chief information officer of the agency, shall submit to the Director all agency policies relating to the authorization of cloud computing products and services.
(e)(1) The assessment of security controls and materials within the authorization package for a FedRAMP authorization shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.
(2) The presumption under paragraph (1) does not modify or alter—
(A) the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any cloud computing product or service used by the agency; or
(B) the authority of the head of any agency to make a determination that there is a demonstrable need for additional security requirements beyond the security requirements included in a FedRAMP authorization for a particular control implementation.

Legislative History

Notes & Related Subsidiaries

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, § 5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

Reference

Citations & Metadata

Citation

44 U.S.C. § 3613
