Authority & Responsibility¶
FedRAMP is currently operating as a government-wide program established in the law supported by OMB policy in mid-2024. These updated laws and policies effectively "patched" historical FISMA requirements along with the OMB A-130 to formally establish FedRAMP as the program responsible for developing, coordinating, and implementing the government-wide process for assessing and continuously monitoring the security of cloud services used by any federal agency.
Agencies are required by both law and OMB policy to use the processes established by FedRAMP.
This section includes easy to reference versions of the authority and responsibilities for FedRAMP, agencies, and related entities from the law and policy.
| Source | Date | Summary |
|---|---|---|
| FedRAMP Authorization Act | December 23, 2022 | This act amended 44 USC ยง 36 to establish FedRAMP as a "government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies." |
| OMB Memorandum M-24-15 | July 25, 2024 | This memorandum issued guidance and requirements for government-wide implementation of the FedRAMP Authorization Act, including additional expectations for FedRAMP and agencies. |
| Scope of FedRAMP Guidance and Examples | August 28, 2025 | This official guidance and examples was mandated by M-24-15 and approved by OMB to help agencies understand when FedRAMP does and does not apply to the use of cloud services. |
Historical Reference¶
This section includes easy to reference historical items that no longer apply to FedRAMP.
| Source | Original Date | Rescinded | Summary |
|---|---|---|---|
| Security Authorization of Information Systems in Cloud Computing Environments | December 8, 2011 | July 25, 2024 | This memorandum, published by the Federal Chief Information Officer, first introduced FedRAMP and set the original expectations for the program. This memorandum no longer applies. |
Historical Executive Orders
This section does not include historical executive orders that no longer apply to FedRAMP because they have been rescinded or took place before FedRAMP was established by the FedRAMP Authorization Act.