§ 3609.
(a)
Roles and Responsibilities.—
The Administrator shall—
(1)
in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;
(2)
establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;
(3)
develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;
(4)
establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;
(5)
grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;
(6)
establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;
(7)
coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;
(8)
provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;
(9)
provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;
(10)
regularly review, in consultation with the FedRAMP Board—
(A)
the costs associated with the independent assessment services described in section 3611; and
(B)
the information relating to foreign interests submitted pursuant to section 3612;
(11)
in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;
(12)
support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and
(13)
take such other actions as the Administrator may determine necessary to carry out FedRAMP.
(b)
Website.—
(1)
In general.—
The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).
(2)
Criteria and process for fedramp authorization priorities.—
The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.
(c)
Evaluation of Automation Procedures.—
(1)
In general.—
The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.
(2)
Means for automation.—
Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.
(d)
Metrics for Authorization.—
The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.
(Added [Pub. L. 117–263, div. E, title LIX, § 5921(b)], Dec. 23, 2022, [136 Stat. 3450].)