§3613 — Title 44 Public Printing and Documents | U.S. Code

Summary

Each agency head must follow the Director’s FedRAMP guidance. They must promote cloud services that meet FedRAMP and other risk-based rules set by the Director with the Secretary. Before starting an agency authorization, the agency must check the secure system under section 3609(a)(8) to see if a FedRAMP authorization already exists. When practical, the agency must use the security assessments and materials from an existing FedRAMP authorization. Agencies must give the Director any data he asks for under section 3614 so he can track how agencies meet the Administrator’s metrics. If the FedRAMP materials are missing or mostly inadequate, the agency head must explain why in the agency’s FedRAMP authorization package. When an agency issues an authorization to operate based on a FedRAMP authorization, it must send its authorization letter and any extra documents required under section 3609(a) to the Administrator. Within 180 days after the Director issues guidance under section 3614(1), each agency head, through the agency chief information officer, must send all agency cloud-authorization policies to the Director. A FedRAMP assessment is presumed adequate for an agency authorization, but agencies still must follow subchapter II of chapter 35 and may add extra security rules if there is a clear need.

Title 44, §3613

Public Printing and Documents — Source: USLM XML via OLRC

(a)In implementing the requirements of FedRAMP, the head of each agency shall, consistent with guidance issued by the Director pursuant to section 3614—

(1)promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by the Director, in consultation with the Secretary;

(2)confirm whether there is a FedRAMP authorization in the secure mechanism provided under section 3609(a)(8) before beginning the process of granting a FedRAMP authorization for a cloud computing product or service;

(3)to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service; and

(4)provide to the Director data and information required by the Director pursuant to section 3614 to determine how agencies are meeting metrics established by the Administrator.

(b)Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed under paragraph (2) or (3) of subsection (a) is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination.

(c)Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.

(d)Not later than 180 days after the date on which the Director issues guidance in accordance with section 3614(1), the head of each agency, acting through the chief information officer of the agency, shall submit to the Director all agency policies relating to the authorization of cloud computing products and services.

(e)(1)The assessment of security controls and materials within the authorization package for a FedRAMP authorization shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.

(2)The presumption under paragraph (1) does not modify or alter—

(A)the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any cloud computing product or service used by the agency; or

(B)the authority of the head of any agency to make a determination that there is a demonstrable need for additional security requirements beyond the security requirements included in a FedRAMP authorization for a particular control implementation.

Notes & Related Subsidiaries

Repeal of SectionFor repeal of section by section 5921(d)(1) of Pub. L. 117–263, see

Effective Date

of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date

of Repeal Pub. L. 117–263, div. E, title LIX, § 5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of

Construction

regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3613 Roles and Responsibilities of Agencies

Summary

Title 44, §3613

Notes & Related Subsidiaries

Effective Date

Statutory Notes and Related Subsidiaries

Effective Date

Construction

Construction

Citations & Metadata