Title 44: Public Printing and Documents (Release 119-73not60)

§3609 Roles and Responsibilities of the General Services Administration

Title 44 › Chapter 36— MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES › § 3609

Last updated Apr 5, 2026

Summary

The Administrator must run and improve the FedRAMP program so federal agencies can review, authorize, and reuse security assessments for cloud services. Working with the Secretary and other officials, the Administrator must create processes and rules for when a cloud product can get FedRAMP approval and how to check that approval. The Administrator must make and share templates, best practices, and guidance that follow NIST standards. The Administrator must decide what is covered in an authorization package, give FedRAMP authorizations following the FedRAMP Board’s guidance, and keep a public comment process before issuing new FedRAMP rules. The Administrator must also coordinate on a continuous-monitoring framework (section 3553), securely store and share authorization data so agencies can reuse packages and meet section 3613, update applicants on assessment status, review costs of independent assessors (section 3611) and foreign-interest information (section 3612), check rules for tracing software origin, support the Federal Secure Cloud Advisory Committee (section 3616), and take other needed actions to run FedRAMP. The Administrator must keep a public website with up-to-date FedRAMP materials and publish how priorities and selections for authorization are made with the FedRAMP Board and the Chief Information Officers Council. The Administrator must evaluate automation to speed authorizations and continuous monitoring and must establish automated security-assessment tools not later than 1 year after the date of enactment and update them regularly. The Administrator must also set yearly, trackable metrics on the time and quality of assessments, aligned with the testing process in section 3554, while keeping agency reporting low.

Full Legal Text

Title 44, §3609

Public Printing and Documents — Source: USLM XML via OLRC

(a) The Administrator shall—
(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;
(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;
(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;
(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;
(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;
(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;
(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;
(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;
(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;
(10) regularly review, in consultation with the FedRAMP Board—
(A) the costs associated with the independent assessment services described in section 3611; and
(B) the information relating to foreign interests submitted pursuant to section 3612;
(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;
(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and
(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.
(b)(1) The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).
(2) The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.
(c)(1) The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.
(2) Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.
(d) The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.

Legislative History

Notes & Related Subsidiaries

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Editorial Notes

References in Text

The date of enactment of this section, referred to in subsec. (c)(2), is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, § 5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

Reference

Citations & Metadata

Citation

44 U.S.C. § 3609
