M-24-15: Modernizing the Federal Risk and Authorization Management Program
The rescission and replacement of FedRAMP
OMB Memorandum M-24-15 was published on July 25, 2024, in response to the establishment of FedRAMP on December 23, 2022, in the FedRAMP Authorization Act.
This Memorandum formally rescinded and replaced FedRAMP in its entirety, effectively creating a new program with the same name but an entirely different set of authorities and responsibilities.
Minor Modifications for Readability
The text of M-24-15 shown on this site has been modified slightly for readability (including additional subheaders) and to fix broken links. No material content or words have been changed. The original PDF is available on whitehouse.gov.
The Federal Risk and Authorization Management Program, known as FedRAMP, was established by the Office of Management and Budget (OMB) through a December 8, 2011 memorandum from the Federal Chief Information Officer (CIO), "Security Authorization of Information Systems in Cloud Computing Environments,"[1] to safely accelerate the adoption of cloud computing products and services by Federal agencies, and help those agencies avoid duplicating efforts by offering a consistent and reusable authorization process.
In 2022, recognizing the value that FedRAMP has provided to Federal agencies and to industry, Congress passed the FedRAMP Authorization Act ("the Act"). The Act established FedRAMP within the General Services Administration (GSA) and created a FedRAMP Board to provide input and recommendations to the Administrator of GSA.[2] The Act also requires OMB to issue guidance defining the scope of FedRAMP, establishing requirements for the use of the program by Federal agencies, establishing further responsibilities of the FedRAMP Board and the program management office (PMO) at GSA, and generally promoting consistency in the assessment, authorization, and use of secure cloud services by Federal agencies.
As a result, this memorandum rescinds the Federal CIO's December 8, 2011 memorandum, and replaces it with an updated vision, scope, and governance structure for FedRAMP that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established.
- Section I. Background
- Section II. Vision
- Section III. Scope of FedRAMP
- Section IV. The FedRAMP Authorization Process
- Section V. Automation and Efficiency
- Section VI. Continuous Monitoring
- Section VII. Roles and Responsibilities
- Section VIII. Industry Engagement
- Section IX. Implementation
- Section X. Rescissions
- Section XI. Policy and Program Implementation Assistance