§3609. Roles and responsibilities of the General Services Administration
(a)
(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;
(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;
(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;
(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;
(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;
(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;
(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;
(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;
(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;
(10) regularly review, in consultation with the FedRAMP Board-
(A) the costs associated with the independent assessment services described in section 3611; and
(B) the information relating to foreign interests submitted pursuant to section 3612;
(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;
(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and
(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.
(b)
(1)
(2)
(c)
(1)
(2)
(d)
(Added
Repeal of Section
For repeal of section by section 5921(d)(1) of
Editorial Notes
References in Text
The date of enactment of this section, referred to in subsec. (c)(2), is the date of enactment of
Statutory Notes and Related Subsidiaries
Effective Date of Repeal
Construction
For rule of construction regarding section 5921 of