The Federal Risk and Authorization Management Program, known as FedRAMP, was established by the Office of Management and Budget (OMB) through a December 8, 2011 memorandum from the Federal Chief Information Officer, “Security Authorizations of Information Systems in Cloud Computing Environments,” to safely accelerate the adoption of cloud products and services by Federal agencies, and to help those agencies avoid duplicating effort by offering a consistent and reusable authorization process.
In 2022, recognizing the value that FedRAMP has provided to Federal agencies and to industry, Congress passed the FedRAMP Authorization Act (“Act”). The Act established FedRAMP within the General Services Administration (GSA) and created a FedRAMP Board to provide input and recommendations to the Administrator of GSA.
The Act also requires OMB to issue guidance defining the scope of FedRAMP, establishing requirements for the use of the program by Federal agencies, establishing further responsibilities of the FedRAMP Board and the program management office (PMO) at GSA, and generally promoting consistency in the assessment, authorization, and use of secure cloud services by Federal agencies.
As a result, this memorandum rescinds the Federal Chief Information Officer’s December 8, 2011 memorandum, and replaces it with an updated vision, scope, and governance structure for the FedRAMP program that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established.