M-24-15 Section IX. Implementation
For two years, FedRAMP will submit an annual plan in the second quarter of FY 2025 and FY 2026, approved by the GSA Administrator, to OMB, detailing program activities, including staffing plans and budget information, for implementing the requirements in this memorandum. The plan will include a timeline and strategy to bring any pending authorizations or existing FedRAMP initiatives into conformance with the Act and this memorandum.
Agency Policies
Within 180 days of issuance of this memorandum, each agency must issue or update agency-wide policy that aligns with the requirements of this memorandum. This agency policy must promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by OMB, in consultation with GSA and CISA. In accordance with the presumption of adequacy of FedRAMP authorizations, agency policies should not assume that particular paths or sponsors of FedRAMP authorizations are unacceptable.
GSA Updates and Plans
Within 180 days of issuance of this memorandum, GSA will update FedRAMP's continuous monitoring processes and associated documentation to reflect the principles in this memorandum.
Within one year of the issuance of this memorandum, GSA will produce a plan, approved by the FedRAMP Board and developed in consultation with industry, to structure FedRAMP to encourage the transition of Federal agencies away from the use of Government-specific cloud infrastructure. As part of the plan development process, GSA will explore the use of emerging technologies in various FedRAMP processes, as appropriate.
The Act requires GSA to establish a means for the automation of security assessments and reviews. Within 18 months of the issuance of this memorandum, GSA will build on this work to receive FedRAMP authorization and continuous monitoring artifacts through automated, machine-readable means, to the extent possible. Some continuing reliance on documentation may be necessary where machine-readable representations are not possible. Within 24 months of the issuance of this memorandum, agencies shall ensure that agency GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol as identified by FedRAMP.