Agency Specific Rules
The FedRAMP Authorization Act and OMB Memorandum M-24-15 establish requirements for federal agencies that use cloud computing products and services within the scope of FedRAMP. These authorities require agencies to follow the FedRAMP process, promote the use of FedRAMP Certified cloud services, reuse FedRAMP authorization materials to the greatest extent possible, and provide required agency authorization information back to FedRAMP.
FedRAMP agency rules summarize how agencies can meet those legal and policy requirements in the most common situations. Where the law and policy do not spell out the mechanics, the rules supply the specific FedRAMP process information, such as where to send authorization letters, when to notify FedRAMP, how to handle requests for additional information, and how to participate in ongoing monitoring.
FedRAMP rules do not replace agency legal review.
FedRAMP rules are practical implementation guidance for the FedRAMP process. They do not replace the FedRAMP Authorization Act, OMB Memorandum M-24-15, FISMA, OMB Circular A-130, agency-specific authorities, or legal advice from agency counsel.
When in doubt, agencies should consult their technology lawyers, privacy officials, security officials, procurement officials, and OMB to understand their responsibilities.
How to Use These Rules
Agencies should read these rules as a plain-language operating layer on top of the law and policy. They are written to help agency teams understand what FedRAMP expects without needing to translate every statutory or policy requirement from scratch.
In practice, agencies should use these rules to:
- Align agency cloud authorization policies with OMB Memorandum M-24-15.
- Confirm when FedRAMP applies to an agency cloud use case.
- Reuse FedRAMP Certification Packages and avoid duplicative assessment work.
- Complete agency authorization activities for federal information systems that use FedRAMP Certified cloud service offerings.
- Notify FedRAMP when required, including after authorization and when requesting additional information beyond what FedRAMP normally requires.
- Review ongoing certification information and participate in Collaborative Continuous Monitoring.
- Coordinate with FedRAMP when package conflicts, serious monitoring concerns, or agency-specific requirements arise.
Agency Rule Pages
The Agency Use of FedRAMP Certified Cloud Services rules summarize the main requirements that apply when agencies use FedRAMP Certifications.
The Collaborative Continuous Monitoring rules explain how agencies should review ongoing provider information as part of their own monitoring programs.
The Vulnerability Evaluation and Reporting rules explain how agencies should review provider vulnerability information and when agency POA&Ms may be appropriate.