M-24-15 Section VII. Roles and Responsibilities
This section details the responsibilities and interactions of key Government stakeholders that make up or interact with FedRAMP. These stakeholders include GSA, the FedRAMP Board, the FedRAMP Technical Advisory Group, NIST, CISA, and Federal agencies. The roles and responsibilities below are intended to identify many of the critical directives of this policy and applicable statutes.
a. The General Services Administration
GSA resources, administers, and operates the FedRAMP PMO, and is responsible for the successful implementation of FedRAMP.[1]
In operating FedRAMP, GSA will fulfill a variety of responsibilities, including:
- Develop and implement the process for FedRAMP authorizations, in consultation with DHS;[2]
- Define core security expectations across FedRAMP authorizations, consistent with this guidance and direction of the Board, including for requirements that may persist following authorization, such as continuous monitoring or red-teaming;
- Grant FedRAMP authorizations consistent with the guidance and direction of the Board and Section III of this memorandum, including program authorizations for cloud computing products and services that meet FedRAMP requirements and threat-based risk analysis;
- Provide in-process CSOs with additional transparency on the status of their authorization;
- Identify and address barriers to achieving and maintaining FedRAMP authorizations and provide stakeholder training as part of that effort;
- Provide a certain standard level of continuous monitoring support for the highest-impact controls of FedRAMP products and services, to include the use of machine-readable formats for automated data exchange where possible;
- Develop partnerships with Federal agencies to promote authorizations and reuse, and establish a secure, transparent, and automated process for enabling agency officials' access to artifacts in the FedRAMP repository;
- Consult with the Federal Secure Cloud Advisory Committee (FSCAC)[3] as appropriate;
- Proactively engage with the commercial cloud sector, to communicate, as appropriate, the priorities of the Federal agency community and maintain awareness of contemporary technology and security practices;
- Establish systems that support automated, machine-readable processing of authorization materials, and drive adoption of relevant standards throughout the cloud ecosystem;
- Provide guidance related to control inheritance from existing FedRAMP-authorized cloud products and services;
- Provide guidance and tooling, in consultation with NIST, for the use of OSCAL by CSPs and agencies;
- Develop, as necessary, best practices and sample contract clauses and provisions for the procurement of cloud computing products and services, in coordination with OMB, the CIO Council, the Chief Acquisition Officers Council, and the FedRAMP Board, and in consultation with the FSCAC;
- In coordination with OMB and DHS, determine the adequacy of existing requirements for identification and assessment of the provenance of the software in cloud services and products;
- Provide guidance implementing the requirement for independent assessors to provide the FedRAMP PMO with information relating to a foreign interest in, foreign influence over, or foreign control of the independent assessment service;
- Establish metrics that measure agency participation in FedRAMP, the time and quality of each step of the initial FedRAMP authorization process and ongoing interactions with the FedRAMP program, and any other metrics requested by the FedRAMP Board or OMB to measure program health, and follow up with agencies as needed;
- Position FedRAMP as a central point of contact to the commercial cloud sector for Government-wide communications or requests for risk management information concerning commercial cloud providers used by Federal agencies; and
- Establish standard criteria for accepting widely recognized external cloud security frameworks and certifications as part of the FedRAMP authorization process.
b. The FedRAMP Board
The FedRAMP Board consists of up to seven senior officials or experts from agencies that are appointed by OMB in consultation with GSA.[4] The Board must include at least one representative from each of GSA, DHS, and the Department of Defense, and will include representation from other agencies as determined by OMB. The FedRAMP Board members must possess technical expertise in cloud computing, cybersecurity, privacy, risk management, and other competencies identified by OMB, in consultation with GSA.[5] OMB may elect to adjust the board membership over time, and the membership will be documented in the FedRAMP Board Charter maintained by GSA. OMB, through the Federal CIO, will participate in FedRAMP Board meetings to provide oversight and guidance, and the Office of the National Cyber Director may attend Board meetings as appropriate to assist in the coordination of FedRAMP activities with national cyber policy and strategy.
As a body intended to represent the entire participating Federal community, the FedRAMP Board should, in general, endeavor to maintain consensus among its members when making decisions. To ensure FedRAMP's effectiveness and efficiency, however, the Board must be able to reach final resolutions even when consensus is unattainable. Accordingly, it is the Board's responsibility to adopt internal operating procedures under which final decisions will be made even in the absence of unanimous support from its members.
The following responsibilities of the Board have been established by or pursuant to the Act:
- Provide input and recommendations to GSA regarding the requirements and guidance for, and the prioritization of, security assessments of cloud products and services;
- Identify and convene Federal agency IT leaders to form authorization groups composed of multiple agencies, to jointly perform authorizations that leverage trust and shared needs between those agencies, to expand the FedRAMP authorizing capacity of the Federal ecosystem;
- In consultation with GSA, serve as a resource for best practices to accelerate the process for obtaining a FedRAMP authorization;
- Establish and regularly update requirements and guidance for security assessments of cloud computing products and services (including pilots), including Government-wide shared services, consistent with standards defined by NIST, to be used in the determination of a FedRAMP authorization. This guidance will include approval for additional authorization paths and FedRAMP designations designed by the PMO;
- Approve criteria for accepting (in whole or in part) widely recognized security frameworks and certifications applicable to cloud, based on its assessment of relevant risks and the needs of Federal agencies;
- Monitor and oversee, to the greatest extent practicable, the processes and procedures by which agencies determine and validate requirements for a FedRAMP authorization, including periodic review of agency determinations that existing assessments in the FedRAMP repository were not sufficient for the purpose of performing an authorization;
- Ensure consistency and transparency between agencies and CSPs in a manner that minimizes confusion and engenders trust;
- Promote FedRAMP through internal and external outreach activities; and
- Perform other roles and responsibilities as assigned by OMB, acting through the Federal CIO, with the concurrence of GSA.
As agreed by OMB and GSA, the Board will also provide input to GSA regarding the establishment of metrics reflecting the time and quality of the assessments necessary for completion of a FedRAMP authorization.
c. Technical Advisory Group
OMB and GSA will establish a Technical Advisory Group (TAG) to provide additional subject matter expertise to FedRAMP. The FedRAMP TAG will consist of a team of Federal practitioners not directly associated with the FedRAMP program that will provide advice and insights to FedRAMP on an as-needed basis. The TAG is not a governance body and only provides technical advice on pre-decisional information and situations, making it distinct from the FSCAC or the FedRAMP Board.
The TAG will comprise several technical experts in cloud technologies, cybersecurity, privacy, risk management, digital service delivery, and other competencies as identified by GSA, with the concurrence of OMB. TAG members will be Federal employees. The FedRAMP PMO will provide operational support for the functions of the TAG.
The TAG will:
- Provide recommendations on best practices in continuous monitoring of cloud services and establishing control criteria;
- Provide advice on issues that arise during the process of performing risk assessments and technical reviews of authorization packages; and
- Advise on other issues as requested by the FedRAMP Director or the FedRAMP Board.
d. Agencies
To further strengthen the FedRAMP program, each agency must:
- Upon issuance of an authorization to operate or use based on a FedRAMP authorization, provide a copy of the authorization letter and any relevant supplementary information to the FedRAMP PMO, including agency-specific configuration information, as deemed appropriate, that may be helpful to other agencies;
- Ensure authorization artifacts meet FedRAMP requirements and are of sufficient quality for reuse by other agencies;
- Ensure authorization materials are provided to the FedRAMP PMO using machine-readable and interoperable formats, in accordance with any applicable guidance from the FedRAMP program;
- Leverage other agency security authorization materials within the FedRAMP repository to the greatest extent possible;
- Continuously diagnose and mitigate cyber threats and vulnerabilities associated with usage of cloud service offerings;
- Ensure that agency governance, risk, and compliance (GRC) tools and system-inventory tools can produce, transmit, and ingest machine-readable authorization artifacts using OSCAL or any succeeding formats as identified by FedRAMP;
- Provide data and information concerning how they are meeting relevant security metrics, in accordance with OMB guidance;
- Report costs related to the issuance of FedRAMP authorizations, in accordance with OMB budget guidance;
- Ensure that relevant contracts include language incorporating the FedRAMP security authorization requirements established by GSA pursuant to paragraph a.2 above; and
- Regularly review continuous monitoring materials provided by CSPs, and provide timely and actionable feedback as necessary to manage risk to the Government.
e. Department of Commerce
NIST, within the Department of Commerce, consistent with existing authorities, is responsible for developing and issuing standards and guidelines for the security and privacy of information in Federal information systems. In doing so, NIST has an essential role in the FedRAMP process.
NIST will:
- Assess and update standards and guidelines, as determined necessary, to keep pace with the evolving technology landscape and support the continued evolution of FedRAMP;
- Monitor and review private sector information security practices to understand potential application; and
- Support automation of security assessments, continuous monitoring, and other artifacts or processes required by the Risk Management Framework for Information Systems and Organizations.[6]

Footnotes

[1] 44 U.S.C. § 3608.
[2] This process should provide any necessary clarification or specific procedures that agencies must be aware of related to their use of ongoing authorizations and continuous monitoring. For additional information on ongoing authorizations and continuous monitoring, refer to NIST SP 800-37 at: http://csrc.nist.gov/publications.
[3] The FSCAC is established in accordance with the James M. Inhofe National Defense Authorization Act for Fiscal Year (FY) 2023, as codified at 44 U.S.C. § 3616.
[4] 44 U.S.C. § 3610(b).
[5] Id. § 3610(c).
[6] NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.