§ 3601. Definitions
In this chapter, the definitions under section 3502 shall apply, and the term—
(1) “Administrator” means the Administrator of the Office of Electronic Government established under section 3602;
(2) “Council” means the Chief Information Officers Council established under section 3603;
(3) “electronic Government” means the use by the Government of web-based Internet applications and other information technologies, combined with processes that implement these technologies, to—
(A) enhance the access to and delivery of Government information and services to the public, other agencies, and other Government entities; or
(B) bring about improvements in Government operations that may include effectiveness, efficiency, service quality, or transformation;
(4) “enterprise architecture”—
(A) means—
(i) a strategic information asset base, which defines the mission;
(ii) the information necessary to perform the mission;
(iii) the technologies necessary to perform the mission; and
(iv) the transitional processes for implementing new technologies in response to changing mission needs; and
(B) includes—
(i) a baseline architecture;
(ii) a target architecture; and
(iii) a sequencing plan;
(5) “Fund” means the E-Government Fund established under section 3604;
(6) “interoperability” means the ability of different operating and software systems, applications, and services to communicate and exchange data in an accurate, effective, and consistent manner;
(7) “integrated service delivery” means the provision of Internet-based Federal Government information or services integrated according to function or topic rather than separated according to the boundaries of agency jurisdiction; and
(8) “tribal government” means—
(A) the governing body of any Indian tribe, band, nation, or other organized group or community located in the continental United States (excluding the State of Alaska) that is recognized as eligible for the special programs and services provided by the United States to Indians because of their status as Indians, and
(B) any Alaska Native regional or village corporation established pursuant to the Alaska Native Claims Settlement Act (43 U.S.C. 1601 et seq.).
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2901.)
§ 3602. Office of Electronic Government
(a) There is established in the Office of Management and Budget an Office of Electronic Government.
(b) There shall be at the head of the Office an Administrator who shall be appointed by the President.
(c) The Administrator shall assist the Director in carrying out—
(1) all functions under this chapter;
(2) all of the functions assigned to the Director under title II of the E-Government Act of 2002; and
(3) other electronic government initiatives, consistent with other statutes.
(d) The Administrator shall assist the Director and the Deputy Director for Management and work with the Administrator of the Office of Information and Regulatory Affairs in setting strategic direction for implementing electronic Government, under relevant statutes, including—
(1) chapter 35;
(2) subtitle III of title 40, United States Code;
(3) section 552a of title 5 (commonly referred to as the “Privacy Act”);
(4) the Government Paperwork Elimination Act (44 U.S.C. 3504 note); and
(5) the Federal Information Security Management Act of 2002.
(e) The Administrator shall work with the Administrator of the Office of Information and Regulatory Affairs and with other offices within the Office of Management and Budget to oversee implementation of electronic Government under this chapter, chapter 35, the E-Government Act of 2002, and other relevant statutes, in a manner consistent with law, relating to—
(1) capital planning and investment control for information technology;
(2) the development of enterprise architectures;
(3) information security;
(4) privacy;
(5) access to, dissemination of, and preservation of Government information;
(6) accessibility of information technology for persons with disabilities; and
(7) other areas of electronic Government.
(f) Subject to requirements of this chapter, the Administrator shall assist the Director by performing electronic Government functions as follows:
(1) Advise the Director on the resources required to develop and effectively administer electronic Government initiatives.
(2) Recommend to the Director changes relating to Governmentwide strategies and priorities for electronic Government.
(3) Provide overall leadership and direction to the executive branch on electronic Government.
(4) Promote innovative uses of information technology by agencies, particularly initiatives involving multiagency collaboration, through support of pilot projects, research, experimentation, and the use of innovative technologies.
(5) Oversee the distribution of funds from, and ensure appropriate administration and coordination of, the E-Government Fund established under section 3604.
(6) Coordinate with the Administrator of General Services regarding programs undertaken by the General Services Administration to promote electronic government and the efficient use of information technologies by agencies.
(7) Lead the activities of the Chief Information Officers Council established under section 3603 on behalf of the Deputy Director for Management, who shall chair the council.
(8) Assist the Director in establishing policies which shall set the framework for information technology standards for the Federal Government developed by the National Institute of Standards and Technology and promulgated by the Secretary of Commerce under section 11331 of title 40, taking into account, if appropriate, recommendations of the Chief Information Officers Council, experts, and interested parties from the private and nonprofit sectors and State, local, and tribal governments, and maximizing the use of commercial standards as appropriate, including the following:
(A) Standards and guidelines for interconnectivity and interoperability as described under section 3504.
(B) Consistent with the process under section 207(d) of the E-Government Act of 2002, standards and guidelines for categorizing Federal Government electronic information to enable efficient use of technologies, such as through the use of extensible markup language.
(C) Standards and guidelines for Federal Government computer system efficiency and security.
(9) Sponsor ongoing dialogue that—
(A) shall be conducted among Federal, State, local, and tribal government leaders on electronic Government in the executive, legislative, and judicial branches, as well as leaders in the private and nonprofit sectors, to encourage collaboration and enhance understanding of best practices and innovative approaches in acquiring, using, and managing information resources;
(B) is intended to improve the performance of governments in collaborating on the use of information technology to improve the delivery of Government information and services; and
(C) may include—
(i) development of innovative models—
(I) for electronic Government management and Government information technology contracts; and
(II) that may be developed through focused discussions or using separately sponsored research;
(ii) identification of opportunities for public-private collaboration in using Internet-based technology to increase the efficiency of Government-to-business transactions;
(iii) identification of mechanisms for providing incentives to program managers and other Government employees to develop and implement innovative uses of information technologies; and
(iv) identification of opportunities for public, private, and intergovernmental collaboration in addressing the disparities in access to the Internet and information technology.
(10) Sponsor activities to engage the general public in the development and implementation of policies and programs, particularly activities aimed at fulfilling the goal of using the most effective citizen-centered strategies and those activities which engage multiple agencies providing similar or related information and services.
(11) Oversee the work of the General Services Administration and other agencies in developing the integrated Internet-based system under section 204 of the E-Government Act of 2002.
(12) Coordinate with the Administrator for Federal Procurement Policy to ensure effective implementation of electronic procurement initiatives.
(13) Assist Federal agencies, including the General Services Administration, the Department of Justice, and the United States Access Board in—
(A) implementing accessibility standards under section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d); and
(B) ensuring compliance with those standards through the budget review process and other means.
(14) Oversee the development of enterprise architectures within and across agencies.
(15) Assist the Director and the Deputy Director for Management in overseeing agency efforts to ensure that electronic Government activities incorporate adequate, risk-based, and cost-effective security compatible with business processes.
(16) Administer the Office of Electronic Government established under this section.
(17) Assist the Director in preparing the E-Government report established under section 3606.
(g) The Director shall ensure that the Office of Management and Budget, including the Office of Electronic Government, the Office of Information and Regulatory Affairs, and other relevant offices, have adequate staff and resources to properly fulfill all functions under the E-Government Act of 2002.
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2902.)
§ 3603. Chief Information Officers Council
(a) There is established in the executive branch a Chief Information Officers Council.
(b) The members of the Council shall be as follows:
(1) The Deputy Director for Management of the Office of Management and Budget, who shall act as chairperson of the Council.
(2) The Administrator of the Office of Electronic Government.
(3) The Administrator of the Office of Information and Regulatory Affairs.
(4) The chief information officer of each agency described under section 901(b) of title 31.
(5) The chief information officer of the Central Intelligence Agency.
(6) The chief information officer of the Department of the Army, the Department of the Navy, and the Department of the Air Force, if chief information officers have been designated for such departments under section 3506(a)(2)(B).
(7) Any other officer or employee of the United States designated by the chairperson.
(c)
(1) The Administrator of the Office of Electronic Government shall lead the activities of the Council on behalf of the Deputy Director for Management.
(2)
(A) The Vice Chairman of the Council shall be selected by the Council from among its members.
(B) The Vice Chairman shall serve a 1-year term, and may serve multiple terms.
(3) The Administrator of General Services shall provide administrative and other support for the Council.
(d) The Council is designated the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of Federal Government information resources.
(e) In performing its duties, the Council shall consult regularly with representatives of State, local, and tribal governments.
(f) The Council shall perform functions that include the following:
(1) Develop recommendations for the Director on Government information resources management policies and requirements.
(2) Share experiences, ideas, best practices, and innovative approaches related to information resources management.
(3) Assist the Administrator in the identification, development, and coordination of multiagency projects and other innovative initiatives to improve Government performance through the use of information technology.
(4) Promote the development and use of common performance measures for agency information resources management under this chapter and title II of the E-Government Act of 2002.
(5) Work as appropriate with the National Institute of Standards and Technology and the Administrator to develop recommendations on information technology standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and promulgated under section 11331 of title 40, and maximize the use of commercial standards as appropriate, including the following:
(A) Standards and guidelines for interconnectivity and interoperability as described under section 3504.
(B) Consistent with the process under section 207(d) of the E-Government Act of 2002, standards and guidelines for categorizing Federal Government electronic information to enable efficient use of technologies, such as through the use of extensible markup language.
(C) Standards and guidelines for Federal Government computer system efficiency and security.
(6) Work with the Office of Personnel Management to assess and address the hiring, training, classification, and professional development needs of the Government related to information resources management.
(7) Work with the Archivist of the United States to assess how the Federal Records Act can be addressed effectively by Federal information resources management activities.
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2905.)
§ 3604. E-Government Fund
(a)
(1) There is established in the Treasury of the United States the E-Government Fund.
(2) The Fund shall be administered by the Administrator of the General Services Administration to support projects approved by the Director, assisted by the Administrator of the Office of Electronic Government, that enable the Federal Government to expand its ability, through the development and implementation of innovative uses of the Internet or other electronic methods, to conduct activities electronically.
(3) Projects under this subsection may include efforts to—
(A) make Federal Government information and services more readily available to members of the public (including individuals, businesses, grantees, and State and local governments);
(B) make it easier for the public to apply for benefits, receive services, pursue business opportunities, submit information, and otherwise conduct transactions with the Federal Government; and
(C) enable Federal agencies to take advantage of information technology in sharing information and conducting transactions with each other and with State and local governments.
(b)
(1) The Administrator shall—
(A) establish procedures for accepting and reviewing proposals for funding;
(B) consult with interagency councils, including the Chief Information Officers Council, the Chief Financial Officers Council, and other interagency management councils, in establishing procedures and reviewing proposals; and
(C) assist the Director in coordinating resources that agencies receive from the Fund with other resources available to agencies for similar purposes.
(2) When reviewing proposals and managing the Fund, the Administrator shall observe and incorporate the following procedures:
(A) A project requiring substantial involvement or funding from an agency shall be approved by a senior official with agencywide authority on behalf of the head of the agency, who shall report directly to the head of the agency.
(B) Projects shall adhere to fundamental capital planning and investment control processes.
(C) Agencies shall identify in their proposals resource commitments from the agencies involved and how these resources would be coordinated with support from the Fund, and include plans for potential continuation of projects after all funds made available from the Fund are expended.
(D) After considering the recommendations of the interagency councils, the Director, assisted by the Administrator, shall have final authority to determine which of the candidate projects shall be funded from the Fund.
(E) Agencies shall assess the results of funded projects.
(c) In determining which proposals to recommend for funding, the Administrator—
(1) shall consider criteria that include whether a proposal—
(A) identifies the group to be served, including citizens, businesses, the Federal Government, or other governments;
(B) indicates what service or information the project will provide that meets needs of groups identified under subparagraph (A);
(C) ensures proper security and protects privacy;
(D) is interagency in scope, including projects implemented by a primary or single agency that—
(i) could confer benefits on multiple agencies; and
(ii) have the support of other agencies; and
(E) has performance objectives that tie to agency missions and strategic goals, and interim results that relate to the objectives; and
(2) may also rank proposals based on criteria that include whether a proposal—
(A) has Governmentwide application or implications;
(B) has demonstrated support by the public to be served;
(C) integrates Federal with State, local, or tribal approaches to service delivery;
(D) identifies resource commitments from nongovernmental sectors;
(E) identifies resource commitments from the agencies involved;
(F) uses web-based technologies to achieve objectives;
(G) identifies records management and records access strategies;
(H) supports more effective citizen participation in and interaction with agency activities that further progress toward a more citizen-centered Government;
(I) directly delivers Government information and services to the public or provides the infrastructure for delivery;
(J) supports integrated service delivery;
(K) describes how business processes across agencies will reflect appropriate transformation simultaneous to technology implementation; and
(L) is new or innovative and does not supplant existing funding streams within agencies.
(d) The Fund may be used to fund the integrated Internet-based system under section 204 of the E-Government Act of 2002.
(e) None of the funds provided from the Fund may be transferred to any agency until 15 days after the Administrator of the General Services Administration has submitted to the Committees on Appropriations of the Senate and the House of Representatives, the Committee on Governmental Affairs of the Senate, the Committee on Government Reform of the House of Representatives, and the appropriate authorizing committees of the Senate and the House of Representatives, a notification and description of how the funds are to be allocated and how the expenditure will further the purposes of this chapter.
(f)
(1) The Director shall report annually to Congress on the operation of the Fund, through the report established under section 3606.
(2) The report under paragraph (1) shall describe—
(A) all projects which the Director has approved for funding from the Fund; and
(B) the results that have been achieved to date for these funded projects.
(g)
(1) There are authorized to be appropriated to the Fund—
(A) $45,000,000 for fiscal year 2003;
(B) $50,000,000 for fiscal year 2004;
(C) $100,000,000 for fiscal year 2005;
(D) $150,000,000 for fiscal year 2006; and
(E) such sums as are necessary for fiscal year 2007.
(2) Funds appropriated under this subsection shall remain available until expended.
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2906.)
§ 3605. Program to encourage innovative solutions to enhance electronic Government services and processes
(a) Establishment of Program.—The Administrator shall establish and promote a Governmentwide program to encourage contractor innovation and excellence in facilitating the development and enhancement of electronic Government services and processes.
(b) Issuance of Announcements Seeking Innovative Solutions.—Under the program, the Administrator, in consultation with the Council and the Administrator for Federal Procurement Policy, shall issue announcements seeking unique and innovative solutions to facilitate the development and enhancement of electronic Government services and processes.
(c) Multiagency Technical Assistance Team.—
(1) The Administrator, in consultation with the Council and the Administrator for Federal Procurement Policy, shall convene a multiagency technical assistance team to assist in screening proposals submitted to the Administrator to provide unique and innovative solutions to facilitate the development and enhancement of electronic Government services and processes. The team shall be composed of employees of the agencies represented on the Council who have expertise in scientific and technical disciplines that would facilitate the assessment of the feasibility of the proposals.
(2) The technical assistance team shall—
(A) assess the feasibility, scientific and technical merits, and estimated cost of each proposal; and
(B) submit each proposal, and the assessment of the proposal, to the Administrator.
(3) The technical assistance team shall not consider or evaluate proposals submitted in response to a solicitation for offers for a pending procurement or for a specific agency requirement.
(4) After receiving proposals and assessments from the technical assistance team, the Administrator shall consider recommending appropriate proposals for funding under the E-Government Fund established under section 3604 or, if appropriate, forward the proposal and the assessment of it to the executive agency whose mission most coincides with the subject matter of the proposal.
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2909.)
§ 3606. E-Government report
(a) Not later than March 1 of each year, the Director shall submit an E-Government status report to the Committee on Governmental Affairs of the Senate and the Committee on Government Reform of the House of Representatives.
(b) The report under subsection (a) shall contain—
(1) a summary of the information reported by agencies under section 202(f) [1] of the E-Government Act of 2002;
(2) the information required to be reported by section 3604(f); and
(3) a description of compliance by the Federal Government with other goals and provisions of the E-Government Act of 2002.
[1] So in original. Probably should be “section 202(g)”.
(Added Pub. L. 107–347, title I, § 101(a), Dec. 17, 2002, 116 Stat. 2909.)
§ 3607. Definitions
(a) In General.—Except as provided under subsection (b), the definitions under sections 3502 and 3552 apply to this section through section 3616.
(b) Additional Definitions.—In this section through section 3616:
(1) Administrator.—The term “Administrator” means the Administrator of General Services.
(2) Appropriate congressional committees.—The term “appropriate congressional committees” means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.
(3) Authorization to operate; federal information.—The terms “authorization to operate” and “Federal information” have the meaning given those term [1] in Circular A–130 of the Office of Management and Budget entitled “Managing Information as a Strategic Resource”, or any successor document.
(4) Cloud computing.—The term “cloud computing” has the meaning given the term in Special Publication 800–145 of the National Institute of Standards and Technology, or any successor document.
(5) Cloud service provider.—The term “cloud service provider” means an entity offering cloud computing products or services to agencies.
(6) FedRAMP.—The term “FedRAMP” means the Federal Risk and Authorization Management Program established under section 3608.
(7) FedRAMP authorization.—The term “FedRAMP authorization” means a certification that a cloud computing product or service has—
(A) completed a FedRAMP authorization process, as determined by the Administrator; or
(B) received a FedRAMP provisional authorization to operate, as determined by the FedRAMP Board.
(8) FedRAMP authorization package.—The term “FedRAMP authorization package” means the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.
(9) FedRAMP Board.—The term “FedRAMP Board” means the board established under section 3610.
(10) Independent assessment service.—The term “independent assessment service” means a third-party organization accredited by the Administrator to undertake conformity assessments of cloud service providers and the products or services of cloud service providers.
(11) Secretary.—The term “Secretary” means the Secretary of Homeland Security.
[1] So in original. Probably should be “terms”.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3449.)
§ 3608. Federal risk and authorization management program

There is established within the General Services Administration the Federal Risk and Authorization Management Program. The Administrator, subject to section 3614, shall establish a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.

(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3450.)
§ 3609. Roles and responsibilities of the General Services Administration
(a) Roles and Responsibilities.—The Administrator shall—
(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;
(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;
(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;
(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;
(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;
(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;
(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;
(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;
(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;
(10) regularly review, in consultation with the FedRAMP Board—
(A) the costs associated with the independent assessment services described in section 3611; and
(B) the information relating to foreign interests submitted pursuant to section 3612;
(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;
(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and
(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.
(b) Website.—
(1) In general.—The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).
(2) Criteria and process for FedRAMP authorization priorities.—The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.
(c) Evaluation of Automation Procedures.—
(1) In general.—The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.
(2) Means for automation.—Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.
(d) Metrics for Authorization.—The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3450.)
§ 3610. FedRAMP Board
(a) Establishment.—There is established a FedRAMP Board to provide input and recommendations to the Administrator regarding the requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.
(b) Membership.—The FedRAMP Board shall consist of not more than 7 senior officials or experts from agencies appointed by the Director, in consultation with the Administrator, from each of the following:
(1) The Department of Defense.
(2) The Department of Homeland Security.
(3) The General Services Administration.
(4) Such other agencies as determined by the Director, in consultation with the Administrator.
(c) Qualifications.—Members of the FedRAMP Board appointed under subsection (b) shall have technical expertise in domains relevant to FedRAMP, such as—
(1) cloud computing;
(2) cybersecurity;
(3) privacy;
(4) risk management; and
(5) other competencies identified by the Director to support the secure authorization of cloud services and products.
(d) Duties.—The FedRAMP Board shall—
(1) in consultation with the Administrator, serve as a resource for best practices to accelerate the process for obtaining a FedRAMP authorization;
(2) establish and regularly update requirements and guidelines for security authorizations of cloud computing products and services, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology, to be used in the determination of FedRAMP authorizations;
(3) monitor and oversee, to the greatest extent practicable, the processes and procedures by which agencies determine and validate requirements for a FedRAMP authorization, including periodic review of the agency determinations described in section 3613(b);
(4) ensure consistency and transparency between agencies and cloud service providers in a manner that minimizes confusion and engenders trust; and
(5) perform such other roles and responsibilities as the Director may assign, with concurrence from the Administrator.
(e)Determinations of Demand for Cloud Computing Products and Services.—The FedRAMP Board may consult with the Chief Information Officers Council to establish a process, which may be made available on the website maintained under section 3609(b), for prioritizing and accepting the cloud computing products and services to be granted a FedRAMP authorization.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3452.)
§ 3611. Independent assessment
The Administrator may determine whether FedRAMP may use an independent assessment service to analyze, validate, and attest to the quality and compliance of security assessment materials provided by cloud service providers during the course of a determination of whether to use a cloud computing product or service.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3453.)
§ 3612. Declaration of foreign interests
(a)In General.—An independent assessment service that performs services described in section 3611 shall annually submit to the Administrator information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service.
(b)Updates.—Not later than 48 hours after there is a change in foreign ownership or control of an independent assessment service that performs services described in section 3611, the independent assessment service shall submit to the Administrator an update to the information submitted under subsection (a).
(c)Certification.—The Administrator may require a representative of an independent assessment service to certify the accuracy and completeness of any information submitted under this section.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3453.)
§ 3613. Roles and responsibilities of agencies
(a)In General.—In implementing the requirements of FedRAMP, the head of each agency shall, consistent with guidance issued by the Director pursuant to section 3614—
(1) promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by the Director, in consultation with the Secretary;
(2) confirm whether there is a FedRAMP authorization in the secure mechanism provided under section 3609(a)(8) before beginning the process of granting a FedRAMP authorization for a cloud computing product or service;
(3) to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service; and
(4) provide to the Director data and information required by the Director pursuant to section 3614 to determine how agencies are meeting metrics established by the Administrator.
(b)Attestation.—Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed under paragraph (2) or (3) of subsection (a) is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination.
(c)Submission of Authorizations to Operate Required.—Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.
(d)Submission of Policies Required.—Not later than 180 days after the date on which the Director issues guidance in accordance with section 3614(1), the head of each agency, acting through the chief information officer of the agency, shall submit to the Director all agency policies relating to the authorization of cloud computing products and services.
(e)Presumption of Adequacy.—
(1)In general.—The assessment of security controls and materials within the authorization package for a FedRAMP authorization shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.
(2)Information security requirements.—The presumption under paragraph (1) does not modify or alter—
(A) the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any cloud computing product or service used by the agency; or
(B) the authority of the head of any agency to make a determination that there is a demonstrable need for additional security requirements beyond the security requirements included in a FedRAMP authorization for a particular control implementation.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3453.)
§ 3614. Roles and responsibilities of the Office of Management and Budget
The Director shall—
(1) in consultation with the Administrator and the Secretary, issue guidance that—
(A) specifies the categories or characteristics of cloud computing products and services that are within the scope of FedRAMP;
(B) includes requirements for agencies to obtain a FedRAMP authorization when operating a cloud computing product or service described in subparagraph (A) as a Federal information system; and
(C) encompasses, to the greatest extent practicable, all necessary and appropriate cloud computing products and services;
(2) issue guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government;
(3) in consultation with the Administrator, establish a process to periodically review FedRAMP authorization packages to support the secure authorization and reuse of secure cloud products and services;
(4) oversee the effectiveness of FedRAMP and the FedRAMP Board, including the compliance by the FedRAMP Board with the duties described in section 3610(d); and
(5) to the greatest extent practicable, encourage and promote consistency of the assessment, authorization, adoption, and use of secure cloud computing products and services within and across agencies.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3454.)
§ 3615. Reports to Congress; GAO report
(a)Reports to Congress.—Not later than 1 year after the date of enactment of this section, and annually thereafter, the Director shall submit to the appropriate congressional committees a report that includes the following:
(1) During the preceding year, the status, efficiency, and effectiveness of the General Services Administration under section 3609 and agencies under section 3613 in supporting the speed, effectiveness, sharing, reuse, and security of authorizations to operate for secure cloud computing products and services.
(2) Progress towards meeting the metrics required under section 3609(d).
(3) Data on FedRAMP authorizations.
(4) The average length of time to issue FedRAMP authorizations.
(5) The number of FedRAMP authorizations submitted, issued, and denied for the preceding year.
(6) A review of progress made during the preceding year in advancing automation techniques to securely automate FedRAMP processes and to accelerate reporting under this section.
(7) The number and characteristics of authorized cloud computing products and services in use at each agency consistent with guidance provided by the Director under section 3614.
(8) A review of FedRAMP measures to ensure the security of data stored or processed by cloud service providers, which may include—
(A) geolocation restrictions for provided products or services;
(B) disclosures of foreign elements of supply chains of acquired products or services;
(C) continued disclosures of ownership of cloud service providers by foreign entities; and
(D) encryption for data processed, stored, or transmitted by cloud service providers.
(b)GAO Report.—Not later than 180 days after the date of enactment of this section, the Comptroller General of the United States shall report to the appropriate congressional committees an assessment of the following:
(1) The costs incurred by agencies and cloud service providers relating to the issuance of FedRAMP authorizations.
(2) The extent to which agencies have processes in place to continuously monitor the implementation of cloud computing products and services operating as Federal information systems.
(3) How often and for which categories of products and services agencies use FedRAMP authorizations.
(4) The unique costs and potential burdens incurred by cloud computing companies that are small business concerns (as defined in section 3(a) of the Small Business Act (15 U.S.C. 632(a))) as a part of the FedRAMP authorization process.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3455.)
§ 3616. Federal Secure Cloud Advisory Committee
(a)Establishment, Purposes, and Duties.—
(1)Establishment.—There is established a Federal Secure Cloud Advisory Committee (referred to in this section as the “Committee”) to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.
(2)Purposes.—The purposes of the Committee are the following:
(A) To examine the operations of FedRAMP and determine ways that authorization processes can continuously be improved, including the following:
(i) Measures to increase agency reuse of FedRAMP authorizations.
(ii) Proposed actions that can be adopted to reduce the burden, confusion, and cost associated with FedRAMP authorizations for cloud service providers.
(iii) Measures to increase the number of FedRAMP authorizations for cloud computing products and services offered by small business concerns (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a))).
(iv) Proposed actions that can be adopted to reduce the burden and cost of FedRAMP authorizations for agencies.
(B) Collect information and feedback on agency compliance with and implementation of FedRAMP requirements.
(C) Serve as a forum that facilitates communication and collaboration among the FedRAMP stakeholder community.
(3)Duties.—The duties of the Committee include providing advice and recommendations to the Administrator, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.
(b)Members.—
(1)Composition.—The Committee shall be comprised of not more than 15 members who are qualified representatives from the public and private sectors, appointed by the Administrator, in consultation with the Director, as follows:
(A) The Administrator or the Administrator’s designee, who shall be the Chair of the Committee.
(B) At least 1 representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.
(C) At least 2 officials who serve as the Chief Information Security Officer within an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.
(D) At least 1 official serving as Chief Procurement Officer (or equivalent) in an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.
(E) At least 1 individual representing an independent assessment service.
(F) At least 5 representatives from unique businesses that primarily provide cloud computing services or products, including at least 2 representatives from a small business concern (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a))).
(G) At least 2 other representatives of the Federal Government as the Administrator determines necessary to provide sufficient balance, insights, or expertise to the Committee.
(2)Deadline for appointment.—Each member of the Committee shall be appointed not later than 90 days after the date of enactment of this section.
(3)Period of appointment; vacancies.—
(A)In general.—Each non-Federal member of the Committee shall be appointed for a term of 3 years, except that the initial terms for members may be staggered 1-, 2-, or 3-year terms to establish a rotation in which one-third of the members are selected each year. Any such member may be appointed for not more than 2 consecutive terms.
(B)Vacancies.—Any vacancy in the Committee shall not affect its powers, but shall be filled in the same manner in which the original appointment was made. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has taken office.
(c)Meetings and Rules of Procedures.—
(1)The Committee shall hold not fewer than 3 meetings in a calendar year, at such time and place as determined by the Chair.
(2)Initial meeting.—Not later than 120 days after the date of enactment of this section, the Committee shall meet and begin the operations of the Committee.
(3)Rules of procedure.—The Committee may establish rules for the conduct of the business of the Committee if such rules are not inconsistent with this section or other applicable law.
(d)Employee Status.—
(1)In general.—A member of the Committee (other than a member who is appointed to the Committee in connection with another Federal appointment) shall not be considered an employee of the Federal Government by reason of any service as such a member, except for the purposes of section 5703 of title 5, relating to travel expenses.
(2)Pay not permitted.—A member of the Committee covered by paragraph (1) may not receive pay by reason of service on the Committee.
(e)Applicability to the Federal Advisory Committee Act.—Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the Committee.
(f)Detail of Employees.—Any Federal Government employee may be detailed to the Committee without reimbursement from the Committee, and such detailee shall retain the rights, status, and privileges of his or her regular employment without interruption.
(g)Postal Services.—The Committee may use the United States mails in the same manner and under the same conditions as agencies.
(h)Reports.—
(1)Interim reports.—The Committee may submit to the Administrator and Congress interim reports containing such findings, conclusions, and recommendations as have been agreed to by the Committee.
(2)Annual reports.—Not later than 540 days after the date of enactment of this section, and annually thereafter, the Committee shall submit to the Administrator and Congress a report containing such findings, conclusions, and recommendations as have been agreed to by the Committee.
(Added Pub. L. 117–263, div. E, title LIX, § 5921(b), Dec. 23, 2022, 136 Stat. 3456.)