2024 U.S. Code
Title 44 - Public Printing and Documents
Chapter 36 - Management and Promotion of Electronic Government Services
Sec. 3609 - Roles and responsibilities of the General Services Administration

Download PDF
Citation 44 U.S.C. § 3609 (2024)
Section Name §3609. Roles and responsibilities of the General Services Administration
Section Text

(a) Roles and Responsibilities.—The Administrator shall—

(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;

(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;

(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;

(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;

(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;

(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;

(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;

(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;

(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;

(10) regularly review, in consultation with the FedRAMP Board—

(A) the costs associated with the independent assessment services described in section 3611; and

(B) the information relating to foreign interests submitted pursuant to section 3612;


(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;

(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and

(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.


(b) Website.—

(1) In general.—The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).

(2) Criteria and process for fedramp authorization priorities.—The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.


(c) Evaluation of Automation Procedures.—

(1) In general.—The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.

(2) Means for automation.—Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.


(d) Metrics for Authorization.—The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.

Source Credit

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3450.)

Editorial Notes Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.


EDITORIAL NOTES REFERENCES IN TEXT

The date of enactment of this section, referred to in subsec. (c)(2), is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.


STATUTORY NOTES AND RELATED SUBSIDIARIES EFFECTIVE DATE OF REPEAL

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

CONSTRUCTION

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

Publication Title United States Code, 2024 Edition, Title 44 - PUBLIC PRINTING AND DOCUMENTS
Category Bills and Statutes
Collection United States Code
SuDoc Class Number Y 1.2/5:
Contained Within Title 44 - PUBLIC PRINTING AND DOCUMENTS
CHAPTER 36 - MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES
Sec. 3609 - Roles and responsibilities of the General Services Administration
Contains section 3609
Date 2024
Laws In Effect As Of Date January 6, 2025
Positive Law Yes
Disposition standard
Statutes at Large References 136 Stat. 3450, 3458
Public Law References Public Law 117-263
Disclaimer: These codes may not be the most recent version. United States may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.