44 USC Ch. 36: MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES

From Title 44—PUBLIC PRINTING AND DOCUMENTS

CHAPTER 36—MANAGEMENT AND PROMOTION OF ELECTRONIC GOVERNMENT SERVICES

Sec.

3601.

Definitions.

3602.

Office of Electronic Government.

3603.

Chief Information Officers Council.

3604.

E-Government Fund.

3605.

Program to encourage innovative solutions to enhance electronic Government services and processes.

3606.

E-Government report.

3607.

Definitions.

3608.

Federal Risk and Authorization Management Program.

3609.

Roles and responsibilities of the General Services Administration.

3610.

FedRAMP Board.

3611.

Independent assessment.

3612.

Declaration of foreign interests.

3613.

Roles and responsibilities of agencies.

3614.

Roles and responsibilities of the Office of Management and Budget.

3615.

Reports to Congress; GAO report.

3616.

Federal Secure Cloud Advisory Committee.

Amendment of Analysis

Pub. L. 117–263, div. E, title LIX, §5921(d)(2), Dec. 23, 2022, 136 Stat. 3458, provided that, effective on the date that is 5 years after Dec. 23, 2022, this analysis is amended by striking items 3607 to 3616.

Editorial Notes

Amendments

2022—Pub. L. 117–263, div. E, title LIX, §5921(d)(2), Dec. 23, 2022, 136 Stat. 3458, struck out items 3607 "Definitions", 3608 "Federal Risk and Authorization Management Program", 3609 "Roles and responsibilities of the General Services Administration", 3610 "FedRAMP Board", 3611 "Independent assessment", 3612 "Declaration of foreign interests", 3613 "Roles and responsibilities of agencies", 3614 "Roles and responsibilities of the Office of Management and Budget", 3615 "Reports to Congress; GAO report", and 3616 "Federal Secure Cloud Advisory Committee". See Effective Date of 2022 Amendment note below.

Pub. L. 117–263, div. E, title LIX, §5921(c), Dec. 23, 2022, 136 Stat. 3458, added items 3607 to 3616.

Statutory Notes and Related Subsidiaries

Effective Date of 2022 Amendment

§3601. Definitions

In this chapter, the definitions under section 3502 shall apply, and the term—

(1) "Administrator" means the Administrator of the Office of Electronic Government established under section 3602;

(2) "Council" means the Chief Information Officers Council established under section 3603;

(3) "electronic Government" means the use by the Government of web-based Internet applications and other information technologies, combined with processes that implement these technologies, to—

(A) enhance the access to and delivery of Government information and services to the public, other agencies, and other Government entities; or

(B) bring about improvements in Government operations that may include effectiveness, efficiency, service quality, or transformation;

(4) "enterprise architecture"—

(A) means—

(i) a strategic information asset base, which defines the mission;

(ii) the information necessary to perform the mission;

(iii) the technologies necessary to perform the mission; and

(iv) the transitional processes for implementing new technologies in response to changing mission needs; and

(B) includes—

(i) a baseline architecture;

(ii) a target architecture; and

(iii) a sequencing plan;

(5) "Fund" means the E-Government Fund established under section 3604;

(6) "interoperability" means the ability of different operating and software systems, applications, and services to communicate and exchange data in an accurate, effective, and consistent manner;

(7) "integrated service delivery" means the provision of Internet-based Federal Government information or services integrated according to function or topic rather than separated according to the boundaries of agency jurisdiction; and

(8) "tribal government" means—

(A) the governing body of any Indian tribe, band, nation, or other organized group or community located in the continental United States (excluding the State of Alaska) that is recognized as eligible for the special programs and services provided by the United States to Indians because of their status as Indians, and

(B) any Alaska Native regional or village corporation established pursuant to the Alaska Native Claims Settlement Act (43 U.S.C. 1601 et seq.).

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2901.)

Editorial Notes

References in Text

The Alaska Native Claims Settlement Act, referred to in par. (8)(B), is Pub. L. 92–203, Dec. 18, 1971, 85 Stat. 688, which is classified generally to chapter 33 (§1601 et seq.) of Title 43, Public Lands. For complete classification of this Act to the Code, see Short Title note set out under section 1601 of Title 43 and Tables.

Statutory Notes and Related Subsidiaries

Effective Date

Pub. L. 107–347, title IV, §402(a), Dec. 17, 2002, 116 Stat. 2961, provided that:

"(1) In general.—Except as provided under paragraph (2), titles I [enacting this chapter, section 507 of Title 31, Money and Finance, and section 305 of Title 40, Public Buildings, Property, and Works, and amending section 503 of Title 31] and II [enacting chapter 37 of Title 5, Government Organization and Employees, section 2332 of Title 10, Armed Forces, and section 266a of Title 41, Public Contracts, amending sections 3111, 4108, and 7353 of Title 5, sections 207, 209, and 1905 of Title 18, Crimes and Criminal Procedure, sections 502, 11501 to 11505 of Title 40, and section 423 of Title 41, repealing section 11521 of Title 40, directing the renumbering of section 11522 of Title 40 as section 11521, enacting provisions set out as notes under section 3501 of this title, and amending provisions set out as notes under section 8432 of Title 5 and section 1913 of Title 28, Judiciary and Judicial Procedure] and the amendments made by such titles shall take effect 120 days after the date of enactment of this Act [Dec. 17, 2002].

"(2) Immediate enactment.—Sections 207, 214, and 215 [set out in a note under section 3501 of this title] shall take effect on the date of enactment of this Act [Dec. 17, 2002]."

Federal Data Center Consolidation Initiative

Pub. L. 118–31, div. E, title LIII, §5302(a), Dec. 22, 2023, 137 Stat. 940, provided that:

"(a) Findings.—Congress finds the following:

"(1) The statutory authorization for the Federal Data Center Optimization Initiative under section 834 of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) [set out below] expired at the end of fiscal year 2022.

"(2) The expiration of the authorization described in paragraph (1) presents Congress with an opportunity to review the objectives of the Federal Data Center Optimization Initiative to ensure that the initiative is meeting the current needs of the Federal Government.

"(3) The initial focus of the Federal Data Center Optimization Initiative, which was to consolidate data centers and create new efficiencies, has resulted in, since 2010—

"(A) the consolidation of more than 6,000 Federal data centers; and

"(B) cost savings and avoidance of $5,800,000,000.

"(4) The need of the Federal Government for access to data and data processing systems has evolved since the date of enactment in 2014 of subtitle D of title VIII of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 [Pub. L. 113–291, approved Dec. 19, 2014].

"(5) Federal agencies and employees involved in mission critical functions increasingly need reliable access to secure, reliable, and protected facilities to house mission critical data and data operations to meet the immediate needs of the people of the United States.

"(6) As of the date of enactment of this title [Dec. 22, 2023], there is a growing need for Federal agencies to use data centers and cloud applications that meet high standards for cybersecurity, resiliency, and availability."

Pub. L. 118–31, div. E, title LIII, §5302(d), Dec. 22, 2023, 137 Stat. 943, provided that: "Not later than 1 year after the date of the enactment of this title [Dec. 22, 2023], and annually thereafter, the Comptroller General of the United States shall review, verify, and audit the compliance of covered agencies with the minimum requirements established pursuant to section 834(b)(1) of the Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015 (44 U.S.C. 3601 note; Public Law 113–291) [set out below] for new data centers and subsection (b)(3) of that section for existing data centers, as appropriate."

Pub. L. 113–291, div. A, title VIII, §834, Dec. 19, 2014, 128 Stat. 3444, as amended by Pub. L. 115–88, §4, Nov. 21, 2017, 131 Stat. 1278; Pub. L. 115–91, div. A, §819(c), Dec. 12, 2017, 131 Stat. 1464; Pub. L. 116–92, div. A, title VIII, §824, Dec. 20, 2019, 133 Stat. 1491; Pub. L. 118–31, div. E, title LIII, §5302(b), (c), Dec. 22, 2023, 137 Stat. 941, 943, provided that:

"(a) Definitions.—In this section:

"(1) Administrator.—The term 'Administrator' means the Administrator of the Office of Electronic Government established under section 3602 of title 44, United States Code (and also known as the Office of E-Government and Information Technology), within the Office of Management and Budget.

"(2) Covered agency.—The term 'covered agency' means the following (including all associated components of the agency):

"(A) Department of Agriculture.

"(B) Department of Commerce.

"(C) Department of Defense.

"(D) Department of Education.

"(E) Department of Energy.

"(F) Department of Health and Human Services.

"(G) Department of Homeland Security.

"(H) Department of Housing and Urban Development.

"(I) Department of the Interior.

"(J) Department of Justice.

"(K) Department of Labor.

"(L) Department of State.

"(M) Department of Transportation.

"(N) Department of Treasury.

"(O) Department of Veterans Affairs.

"(P) Environmental Protection Agency.

"(Q) General Services Administration.

"(R) National Aeronautics and Space Administration.

"(S) National Science Foundation.

"(T) Nuclear Regulatory Commission.

"(U) Office of Personnel Management.

"(V) Small Business Administration.

"(W) Social Security Administration.

"(X) United States Agency for International Development.

"(3) New data center.—The term 'new data center' means—

"(A)(i) a data center or a portion thereof that is owned, operated, or maintained by a covered agency; or

"(ii) to the extent practicable, a data center or portion thereof—

"(I) that is owned, operated, or maintained by a contractor on behalf of a covered agency on the date on which the contract between the covered agency and the contractor expires; and

"(II) with respect to which the covered agency extends the contract, or enters into a new contract, with the contractor; and

"(B) on or after the date that is 180 days after the date of enactment of the Federal Data Center Enhancement Act of 2023 [title LIII of div. E of Pub. L. 118–31, approved Dec. 22, 2023], a data center or portion thereof that is—

"(i) established; or

"(ii) substantially upgraded or expanded.

"(b) Minimum Requirements for New Data Centers.—

"(1) In general.—Not later than 180 days after the date of enactment of the Federal Data Center Enhancement Act of 2023 [title LIII of div. E of Pub. L. 118–31, approved Dec. 22, 2023], the Administrator shall establish minimum requirements for new data centers in consultation with the Administrator of General Services and the Federal Chief Information Officers Council.

"(2) Contents.—

"(A) In general.—The minimum requirements established under paragraph (1) shall include requirements relating to—

"(i) the availability of new data centers;

"(ii) the use of new data centers, including costs related to the facility, energy consumption, and related infrastructure;

"(iii) uptime percentage;

"(iv) protections against power failures, including on-site energy generation and access to multiple transmission paths;

"(v) protections against physical intrusions and natural disasters;

"(vi) information security protections required by subchapter II of chapter 35 of title 44, United States Code, and other applicable law and policy; and

"(vii) any other requirements the Administrator determines appropriate.

"(B) Consultation.—In establishing the requirements described in subparagraph (A)(vi), the Administrator shall consult with the Director of the Cybersecurity and Infrastructure Security Agency and the National Cyber Director.

"(3) Incorporation of minimum requirements into current data centers.—As soon as practicable, and in any case not later than 90 days after the Administrator establishes the minimum requirements pursuant to paragraph (1), the Administrator shall issue guidance to ensure, as appropriate, that covered agencies incorporate the minimum requirements established under that paragraph into the operations of any data center of a covered agency existing as of the date of enactment of the Federal Data Center Enhancement Act of 2023.

"(4) Review of requirements.—The Administrator, in consultation with the Administrator of General Services and the Federal Chief Information Officers Council, shall review, update, and modify the minimum requirements established under paragraph (1), as necessary.

"(5) Report on new data centers.—During the development and planning lifecycle of a new data center, if the head of a covered agency determines that the covered agency is likely to make a management or financial decision relating to any data center, the head of the covered agency shall—

"(A) notify—

"(i) the Administrator;

"(ii) [the] Committee on Homeland Security and Governmental Affairs of the Senate; and

"(iii) [the] Committee on Oversight and Accountability of the House of Representatives; and

"(B) describe in the notification with sufficient detail how the covered agency intends to comply with the minimum requirements established under paragraph (1).

"(6) Use of technology.—In determining whether to establish or continue to operate an existing data center, the head of a covered agency shall—

"(A) regularly assess the application portfolio of the covered agency and ensure that each at-risk legacy application is updated, replaced, or modernized, as appropriate, to take advantage of modern technologies; and

"(B) prioritize and, to the greatest extent possible, leverage commercial data center solutions, including hybrid cloud, multi-cloud, co-location, interconnection, or cloud computing (as defined in section 3607 of this Chapter [probably means chapter 36 of Title 44, United States Code]) rather than acquiring, overseeing, or managing custom data center infrastructure.

"(7) Public website.—

"(A) In general.—The Administrator shall maintain a public-facing website that includes information, data, and explanatory statements relating to the compliance of covered agencies with the requirements of this section.

"(B) Processes and procedures.—In maintaining the website described in subparagraph (A), the Administrator shall—

"(i) ensure covered agencies regularly, and not less frequently than biannually, update the information, data, and explanatory statements posed on the website, pursuant to guidance issued by the Administrator, relating to any new data centers and, as appropriate, each existing data center of the covered agency; and

"(ii) ensure that all information, data, and explanatory statements on the website are maintained as open Government data assets.

"(c) Ensuring Cybersecurity Standards for Data Center Consolidation and Cloud Computing.—

"(1) In general.—The head of a covered agency shall oversee and manage the data center portfolio and the information technology strategy of the covered agency in accordance with Federal cybersecurity guidelines and directives, including—

"(A) information security standards and guidelines promulgated by the Director of the National Institute of Standards and Technology;

"(B) applicable requirements and guidance issued by the Director of the Office of Management and Budget pursuant to section 3614 of title 44, United States Code; and

"(C) directives issued by the Secretary of Homeland Security under section 3553 of title 44, United States Code.

"(2) Rule of construction.—Nothing in this section shall be construed to limit the ability of the Director of the Office of Management and Budget to update or modify the Federal guidelines on cloud computing security.

"(d) Waiver of Requirements.—The Director of National Intelligence and the Secretary of Defense, or their respective designee, may waive the applicability to any national security system, as defined in [former] section 3542 of title 44, United States Code, [see 44 U.S.C. 3552] of any provision of this section if the Director of National Intelligence or the Secretary of Defense, or their respective designee, determines that such waiver is in the interest of national security. Not later than 30 days after making a waiver under this subsection, the Director of National Intelligence or the Secretary of Defense, or their respective designee, shall submit to the Committee on Homeland Security and Governmental Affairs and the Select Committee on Intelligence of the Senate and the Committee on Oversight and Government Reform [now Committee on Oversight and Accountability] and the Permanent Select Committee on Intelligence of the House of Representatives a statement describing the waiver and the reasons for the waiver.

"(e) Sunset.—This section is repealed effective on October 1, 2026."

[Amendment by section 5302(c) of Pub. L. 118–31, which substituted "2026" for "2022" in the date of repeal in section 834(e) of Pub. L. 113–291, set out above, was executed as directed to reflect the probable intent of Congress, even though the amendment was enacted on Dec. 22, 2023, after the repeal had taken effect.]

[Pub. L. 115–88 and Pub. L. 115–91 amended section 834(e) of Pub. L. 113–291, set out above, identically by striking "2018" and inserting "2020".]

E-Government Initiatives Funding

Pub. L. 110–161, div. D, title VII, §737, Dec. 26, 2007, 121 Stat. 2028, provided that:

"(a) For fiscal year 2008, no funds shall be available for transfers or reimbursements to the E-Government initiatives sponsored by the Office of Management and Budget prior to 15 days following submission of a report to the Committees on Appropriations by the Director of the Office of Management and Budget and receipt of approval to transfer funds by the House and Senate Committees on Appropriations.

"(b) Hereafter, any funding request for a new or ongoing E-Government initiative by any agency or agencies managing the development of an initiative shall include in justification materials submitted to the House and Senate Committees on Appropriations the information in subsection (d).

"(c) Hereafter, any funding request by any agency or agencies participating in the development of an E-Government initiative and contributing funding for the initiative shall include in justification materials submitted to the House and Senate Committees on Appropriations—

"(1) the amount of funding contributed to each initiative by program office, bureau, or activity, as appropriate; and

"(2) the relevance of that use to that department or agency and each bureau or office within, which is contributing funds.

"(d) The report in (a) and justification materials in (b) shall include at a minimum—

"(1) a description of each initiative including but not limited to its objectives, benefits, development status, risks, cost effectiveness (including estimated net costs or savings to the government), and the estimated date of full operational capability;

"(2) the total development cost of each initiative by fiscal year including costs to date, the estimated costs to complete its development to full operational capability, and estimated annual operations and maintenance costs; and

"(3) the sources and distribution of funding by fiscal year and by agency and bureau for each initiative including agency contributions to date and estimated future contributions by agency.

"(e) No funds shall be available for obligation or expenditure for new E-Government initiatives without the explicit approval of the House and Senate Committees on Appropriations."

[Provisions similar to subsecs. (a), (d), and (e) of section 737 of Pub. L. 110–161, set out above, were contained in sections of subsequent appropriations acts which are not set out in the Code.]

Findings and Purposes

Pub. L. 107–347, §2, Dec. 17, 2002, 116 Stat. 2900, provided that:

"(a) Findings.—Congress finds the following:

"(1) The use of computers and the Internet is rapidly transforming societal interactions and the relationships among citizens, private businesses, and the Government.

"(2) The Federal Government has had uneven success in applying advances in information technology to enhance governmental functions and services, achieve more efficient performance, increase access to Government information, and increase citizen participation in Government.

"(3) Most Internet-based services of the Federal Government are developed and presented separately, according to the jurisdictional boundaries of an individual department or agency, rather than being integrated cooperatively according to function or topic.

"(4) Internet-based Government services involving interagency cooperation are especially difficult to develop and promote, in part because of a lack of sufficient funding mechanisms to support such interagency cooperation.

"(5) Electronic Government has its impact through improved Government performance and outcomes within and across agencies.

"(6) Electronic Government is a critical element in the management of Government, to be implemented as part of a management framework that also addresses finance, procurement, human capital, and other challenges to improve the performance of Government.

"(7) To take full advantage of the improved Government performance that can be achieved through the use of Internet-based technology requires strong leadership, better organization, improved interagency collaboration, and more focused oversight of agency compliance with statutes related to information resource management.

"(b) Purposes.—The purposes of this Act [see Tables for classification] are the following:

"(1) To provide effective leadership of Federal Government efforts to develop and promote electronic Government services and processes by establishing an Administrator of a new Office of Electronic Government within the Office of Management and Budget.

"(2) To promote use of the Internet and other information technologies to provide increased opportunities for citizen participation in Government.

"(3) To promote interagency collaboration in providing electronic Government services, where this collaboration would improve the service to citizens by integrating related functions, and in the use of internal electronic Government processes, where this collaboration would improve the efficiency and effectiveness of the processes.

"(4) To improve the ability of the Government to achieve agency missions and program performance goals.

"(5) To promote the use of the Internet and emerging technologies within and across Government agencies to provide citizen-centric Government information and services.

"(6) To reduce costs and burdens for businesses and other Government entities.

"(7) To promote better informed decisionmaking by policy makers.

"(8) To promote access to high quality Government information and services across multiple channels.

"(9) To make the Federal Government more transparent and accountable.

"(10) To transform agency operations by utilizing, where appropriate, best practices from public and private sector organizations.

"(11) To provide enhanced access to Government information and services in a manner consistent with laws regarding protection of personal privacy, national security, records retention, access for persons with disabilities, and other relevant laws."

Executive Documents

Building a 21st Century Digital Government

Memorandum of President of the United States, May 23, 2012, 77 F.R. 32391, provided:

Memorandum for the Heads of Executive Departments and Agencies

The innovative use of technology is fundamentally transforming how the American people do business and live their daily lives. Exponential increases in computing power, the rise of high-speed networks, and the growing mobile revolution have put the Internet at our fingertips, encouraging innovations that are giving rise to new industries and reshaping existing ones.

Innovators in the private sector and the Federal Government have used these technological advances to fundamentally change how they serve their customers. However, it is time for the Federal Government to do more. For far too long, the American people have been forced to navigate a labyrinth of information across different Government programs in order to find the services they need. In addition, at a time when Americans increasingly pay bills and buy tickets on mobile devices, Government services often are not optimized for smartphones or tablets, assuming the services are even available online.

On April 27, 2011, I issued Executive Order 13571 (Streamlining Service Delivery and Improving Customer Service), requiring executive departments and agencies (agencies) to, among other things, identify ways to use innovative technologies to streamline their delivery of services to lower costs, decrease service delivery times, and improve the customer experience. As the next step toward modernizing the way Government works, I charged my Federal Chief Information Officer (CIO) with developing a comprehensive Government-wide strategy to build a 21st century digital Government that delivers better digital services to the American people.

Today, the CIO is releasing that strategy, entitled "Digital Government: Building a 21st Century Platform to Better Serve the American People" (Strategy), which provides agencies with a 12-month roadmap that focuses on several priority areas. The Strategy will enable more efficient and coordinated digital service delivery by requiring agencies to establish specific, measurable goals for delivering better digital services; encouraging agencies to deliver information in new ways that fully utilize the power and potential of mobile and web-based technologies; ensuring the safe and secure delivery and use of digital services to protect information and privacy; requiring agencies to establish central online resources for outside developers and to adopt new standards for making applicable Government information open and machine-readable by default; aggregating agencies' online resource pages for developers in a centralized catalogue on www.Data.gov; and requiring agencies to use web performance analytics and customer satisfaction measurement tools on all ".gov" websites.

Ultimately, this Strategy will ensure that agencies use emerging technologies to serve the public as effectively as possible. As a Government, and as a trusted provider of services, we must never forget who our customers are—the American people.

In order to ensure that agencies make the best use of emerging technologies in serving the public, I hereby direct each agency to take the following actions:

(1) implement the requirements of the Strategy within 12 months of the date of this memorandum and comply with the timeframes for specific actions specified therein; and

(2) within 90 days of the date of this memorandum, create a page on its website, located at www.[agency].gov/digitalstrategy, to publicly report progress in meeting the requirements of the Strategy in a machine-readable format.

This memorandum shall be implemented consistent with applicable law and subject to the availability of appropriations, and with appropriate protections for privacy and civil liberties.

The Director of the Office of Management and Budget is authorized and directed to publish this memorandum in the Federal Register.

Barack Obama.

§3602. Office of Electronic Government

(a) There is established in the Office of Management and Budget an Office of Electronic Government.

(b) There shall be at the head of the Office an Administrator who shall be appointed by the President.

(1) all functions under this chapter;

(2) all of the functions assigned to the Director under title II of the E-Government Act of 2002; and

(3) other electronic government initiatives, consistent with other statutes.

(d) The Administrator shall assist the Director and the Deputy Director for Management and work with the Administrator of the Office of Information and Regulatory Affairs in setting strategic direction for implementing electronic Government, under relevant statutes, including—

(1) chapter 35;

(2) subtitle III of title 40, United States Code;

(3) section 552a of title 5 (commonly referred to as the "Privacy Act");

(4) the Government Paperwork Elimination Act (44 U.S.C. 3504 note); and

(5) the Federal Information Security Management Act of 2002.

(e) The Administrator shall work with the Administrator of the Office of Information and Regulatory Affairs and with other offices within the Office of Management and Budget to oversee implementation of electronic Government under this chapter, chapter 35, the E-Government Act of 2002, and other relevant statutes, in a manner consistent with law, relating to—

(1) capital planning and investment control for information technology;

(2) the development of enterprise architectures;

(3) information security;

(4) privacy;

(5) access to, dissemination of, and preservation of Government information;

(6) accessibility of information technology for persons with disabilities; and

(7) other areas of electronic Government.

(f) Subject to requirements of this chapter, the Administrator shall assist the Director by performing electronic Government functions as follows:

(1) Advise the Director on the resources required to develop and effectively administer electronic Government initiatives.

(2) Recommend to the Director changes relating to Governmentwide strategies and priorities for electronic Government.

(3) Provide overall leadership and direction to the executive branch on electronic Government.

(4) Promote innovative uses of information technology by agencies, particularly initiatives involving multiagency collaboration, through support of pilot projects, research, experimentation, and the use of innovative technologies.

(5) Oversee the distribution of funds from, and ensure appropriate administration and coordination of, the E-Government Fund established under section 3604.

(6) Coordinate with the Administrator of General Services regarding programs undertaken by the General Services Administration to promote electronic government and the efficient use of information technologies by agencies.

(7) Lead the activities of the Chief Information Officers Council established under section 3603 on behalf of the Deputy Director for Management, who shall chair the council.

(8) Assist the Director in establishing policies which shall set the framework for information technology standards for the Federal Government developed by the National Institute of Standards and Technology and promulgated by the Secretary of Commerce under section 11331 of title 40, taking into account, if appropriate, recommendations of the Chief Information Officers Council, experts, and interested parties from the private and nonprofit sectors and State, local, and tribal governments, and maximizing the use of commercial standards as appropriate, including the following:

(A) Standards and guidelines for interconnectivity and interoperability as described under section 3504.

(B) Consistent with the process under section 207(d) of the E-Government Act of 2002, standards and guidelines for categorizing Federal Government electronic information to enable efficient use of technologies, such as through the use of extensible markup language.

(9) Sponsor ongoing dialogue that—

(A) shall be conducted among Federal, State, local, and tribal government leaders on electronic Government in the executive, legislative, and judicial branches, as well as leaders in the private and nonprofit sectors, to encourage collaboration and enhance understanding of best practices and innovative approaches in acquiring, using, and managing information resources;

(B) is intended to improve the performance of governments in collaborating on the use of information technology to improve the delivery of Government information and services; and

(i) development of innovative models—

(I) for electronic Government management and Government information technology contracts; and

(II) that may be developed through focused discussions or using separately sponsored research;

(ii) identification of opportunities for public-private collaboration in using Internet-based technology to increase the efficiency of Government-to-business transactions;

(iii) identification of mechanisms for providing incentives to program managers and other Government employees to develop and implement innovative uses of information technologies; and

(iv) identification of opportunities for public, private, and intergovernmental collaboration in addressing the disparities in access to the Internet and information technology.

(10) Sponsor activities to engage the general public in the development and implementation of policies and programs, particularly activities aimed at fulfilling the goal of using the most effective citizen-centered strategies and those activities which engage multiple agencies providing similar or related information and services.

(11) Oversee the work of the General Services Administration and other agencies in developing the integrated Internet-based system under section 204 of the E-Government Act of 2002.

(12) Coordinate with the Administrator for Federal Procurement Policy to ensure effective implementation of electronic procurement initiatives.

(13) Assist Federal agencies, including the General Services Administration, the Department of Justice, and the United States Access Board in—

(A) implementing accessibility standards under section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d); and

(B) ensuring compliance with those standards through the budget review process and other means.

(14) Oversee the development of enterprise architectures within and across agencies.

(15) Assist the Director and the Deputy Director for Management in overseeing agency efforts to ensure that electronic Government activities incorporate adequate, risk-based, and cost-effective security compatible with business processes.

(16) Administer the Office of Electronic Government established under this section.

(17) Assist the Director in preparing the E-Government report established under section 3606.

(g) The Director shall ensure that the Office of Management and Budget, including the Office of Electronic Government, the Office of Information and Regulatory Affairs, and other relevant offices, have adequate staff and resources to properly fulfill all functions under the E-Government Act of 2002.

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2902.)

Editorial Notes

References in Text

The E-Government Act of 2002, referred to in text, is Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2899. Title II of the Act, including sections 204 and 207(d) of the Act, is set out as a note under section 3501 of this title. For complete classification of this Act to the Code, see Tables.

The Government Paperwork Elimination Act, referred to in subsec. (d)(4), is title XVII of Pub. L. 105–277, div. C, Oct. 21, 1998, 112 Stat. 2681–749, which amended section 3504 of this title and enacted provisions set out as a note under section 3504 of this title. For complete classification of this Act to the Code, see Tables.

The Federal Information Security Management Act of 2002, referred to in subsec. (d)(5), probably means title III of Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2946, which was classified principally to subchapter III of chapter 35 of this title and was repealed by Pub. L. 113–283, §2(a), Dec. 18, 2014, 128 Stat. 3073. For complete classification of this Act to the Code, see Short Title of 2002 Amendments note set out under section 101 of this title and Tables. Another Federal Information Security Management Act of 2002 is title X of Pub. L. 107–296, Nov. 25, 116 Stat. 2259. For complete classification of this Act to the Code, see Short Title note set out under section 101 of Title 6, Domestic Security.

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 120 days after Dec. 17, 2002, see section 402(a) of Pub. L. 107–347, set out as a note under section 3601 of this title.

§3603. Chief Information Officers Council

(a) There is established in the executive branch a Chief Information Officers Council.

(b) The members of the Council shall be as follows:

(1) The Deputy Director for Management of the Office of Management and Budget, who shall act as chairperson of the Council.

(2) The Administrator of the Office of Electronic Government.

(3) The Administrator of the Office of Information and Regulatory Affairs.

(4) The chief information officer of each agency described under section 901(b) of title 31.

(5) The chief information officer of the Central Intelligence Agency.

(6) The chief information officer of the Department of the Army, the Department of the Navy, and the Department of the Air Force, if chief information officers have been designated for such departments under section 3506(a)(2)(B).

(7) Any other officer or employee of the United States designated by the chairperson.

(c)(1) The Administrator of the Office of Electronic Government shall lead the activities of the Council on behalf of the Deputy Director for Management.

(2)(A) The Vice Chairman of the Council shall be selected by the Council from among its members.

(B) The Vice Chairman shall serve a 1-year term, and may serve multiple terms.

(3) The Administrator of General Services shall provide administrative and other support for the Council.

(d) The Council is designated the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of Federal Government information resources.

(e) In performing its duties, the Council shall consult regularly with representatives of State, local, and tribal governments.

(f) The Council shall perform functions that include the following:

(1) Develop recommendations for the Director on Government information resources management policies and requirements.

(2) Share experiences, ideas, best practices, and innovative approaches related to information resources management.

(3) Assist the Administrator in the identification, development, and coordination of multiagency projects and other innovative initiatives to improve Government performance through the use of information technology.

(4) Promote the development and use of common performance measures for agency information resources management under this chapter and title II of the E-Government Act of 2002.

(5) Work as appropriate with the National Institute of Standards and Technology and the Administrator to develop recommendations on information technology standards developed under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) and promulgated under section 11331 of title 40, and maximize the use of commercial standards as appropriate, including the following:

(A) Standards and guidelines for interconnectivity and interoperability as described under section 3504.

(6) Work with the Office of Personnel Management to assess and address the hiring, training, classification, and professional development needs of the Government related to information resources management.

(7) Work with the Archivist of the United States to assess how the Federal Records Act can be addressed effectively by Federal information resources management activities.

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2905.)

Editorial Notes

References in Text

The E-Government Act of 2002, referred to in subsec. (f)(4), is Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2899. Title II of the Act, including section 207(d) of the Act, is set out as a note under section 3501 of this title. For complete classification of this Act to the Code, see Tables.

No act with the name the "Federal Records Act", referred to in subsec. (f)(7), has been enacted. The Federal Records Act of 1950, which has a similar name, was title V of act June 30, 1949, ch. 288, as added Sept. 5, 1950, ch. 849, §6(d), 64 Stat. 583, which was classified generally to sections 392 to 396 and 397 to 401 of former Title 44, Public Printing and Documents. Section 6(d) of act Sept. 5, 1950, was repealed by Pub. L. 90–620, Oct. 22, 1968, 82 Stat. 1238, the first section of which enacted this title. For disposition of sections of former Title 44, see Table at the beginning of this title. Title V of act June 30, 1949, was repealed by Pub. L. 107–217, §4, Aug. 21, 2002, 116 Stat. 1303.

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 120 days after Dec. 17, 2002, see section 402(a) of Pub. L. 107–347, set out as a note under section 3601 of this title.

§3604. E-Government Fund

(a)(1) There is established in the Treasury of the United States the E-Government Fund.

(2) The Fund shall be administered by the Administrator of the General Services Administration to support projects approved by the Director, assisted by the Administrator of the Office of Electronic Government, that enable the Federal Government to expand its ability, through the development and implementation of innovative uses of the Internet or other electronic methods, to conduct activities electronically.

(3) Projects under this subsection may include efforts to—

(A) make Federal Government information and services more readily available to members of the public (including individuals, businesses, grantees, and State and local governments);

(B) make it easier for the public to apply for benefits, receive services, pursue business opportunities, submit information, and otherwise conduct transactions with the Federal Government; and

(C) enable Federal agencies to take advantage of information technology in sharing information and conducting transactions with each other and with State and local governments.

(b)(1) The Administrator shall—

(A) establish procedures for accepting and reviewing proposals for funding;

(B) consult with interagency councils, including the Chief Information Officers Council, the Chief Financial Officers Council, and other interagency management councils, in establishing procedures and reviewing proposals; and

(C) assist the Director in coordinating resources that agencies receive from the Fund with other resources available to agencies for similar purposes.

(2) When reviewing proposals and managing the Fund, the Administrator shall observe and incorporate the following procedures:

(A) A project requiring substantial involvement or funding from an agency shall be approved by a senior official with agencywide authority on behalf of the head of the agency, who shall report directly to the head of the agency.

(B) Projects shall adhere to fundamental capital planning and investment control processes.

(C) Agencies shall identify in their proposals resource commitments from the agencies involved and how these resources would be coordinated with support from the Fund, and include plans for potential continuation of projects after all funds made available from the Fund are expended.

(D) After considering the recommendations of the interagency councils, the Director, assisted by the Administrator, shall have final authority to determine which of the candidate projects shall be funded from the Fund.

(E) Agencies shall assess the results of funded projects.

(1) shall consider criteria that include whether a proposal—

(A) identifies the group to be served, including citizens, businesses, the Federal Government, or other governments;

(B) indicates what service or information the project will provide that meets needs of groups identified under subparagraph (A);

(D) is interagency in scope, including projects implemented by a primary or single agency that—

(i) could confer benefits on multiple agencies; and

(ii) have the support of other agencies; and

(E) has performance objectives that tie to agency missions and strategic goals, and interim results that relate to the objectives; and

(2) may also rank proposals based on criteria that include whether a proposal—

(A) has Governmentwide application or implications;

(B) has demonstrated support by the public to be served;

(D) identifies resource commitments from nongovernmental sectors;

(E) identifies resource commitments from the agencies involved;

(F) uses web-based technologies to achieve objectives;

(G) identifies records management and records access strategies;

(H) supports more effective citizen participation in and interaction with agency activities that further progress toward a more citizen-centered Government;

(I) directly delivers Government information and services to the public or provides the infrastructure for delivery;

(J) supports integrated service delivery;

(K) describes how business processes across agencies will reflect appropriate transformation simultaneous to technology implementation; and

(L) is new or innovative and does not supplant existing funding streams within agencies.

(d) The Fund may be used to fund the integrated Internet-based system under section 204 of the E-Government Act of 2002.

(e) None of the funds provided from the Fund may be transferred to any agency until 15 days after the Administrator of the General Services Administration has submitted to the Committees on Appropriations of the Senate and the House of Representatives, the Committee on Governmental Affairs of the Senate, the Committee on Government Reform of the House of Representatives, and the appropriate authorizing committees of the Senate and the House of Representatives, a notification and description of how the funds are to be allocated and how the expenditure will further the purposes of this chapter.

(f)(1) The Director shall report annually to Congress on the operation of the Fund, through the report established under section 3606.

(2) The report under paragraph (1) shall describe—

(A) all projects which the Director has approved for funding from the Fund; and

(B) the results that have been achieved to date for these funded projects.

(g)(1) There are authorized to be appropriated to the Fund—

(A) $45,000,000 for fiscal year 2003;

(B) $50,000,000 for fiscal year 2004;

(D) $150,000,000 for fiscal year 2006; and

(E) such sums as are necessary for fiscal year 2007.

(2) Funds appropriated under this subsection shall remain available until expended.

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2906.)

Editorial Notes

References in Text

Section 204 of the E-Government Act of 2002, referred to in subsec. (d), is section 204 of Pub. L. 107–347, which is set out in a note under section 3501 of this title.

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Government Reform of House of Representatives changed to Committee on Oversight and Government Reform of House of Representatives by House Resolution No. 6, One Hundred Tenth Congress, Jan. 5, 2007. Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Committee on Governmental Affairs of Senate changed to Committee on Homeland Security and Governmental Affairs of Senate, effective Jan. 4, 2005, by Senate Resolution No. 445, One Hundred Eighth Congress, Oct. 9, 2004.

Effective Date

Section effective 120 days after Dec. 17, 2002, see section 402(a) of Pub. L. 107–347, set out as a note under section 3601 of this title.

§3605. Program to encourage innovative solutions to enhance electronic Government services and processes

(a) Establishment of Program.—The Administrator shall establish and promote a Governmentwide program to encourage contractor innovation and excellence in facilitating the development and enhancement of electronic Government services and processes.

(b) Issuance of Announcements Seeking Innovative Solutions.—Under the program, the Administrator, in consultation with the Council and the Administrator for Federal Procurement Policy, shall issue announcements seeking unique and innovative solutions to facilitate the development and enhancement of electronic Government services and processes.

(c) Multiagency Technical Assistance Team.—(1) The Administrator, in consultation with the Council and the Administrator for Federal Procurement Policy, shall convene a multiagency technical assistance team to assist in screening proposals submitted to the Administrator to provide unique and innovative solutions to facilitate the development and enhancement of electronic Government services and processes. The team shall be composed of employees of the agencies represented on the Council who have expertise in scientific and technical disciplines that would facilitate the assessment of the feasibility of the proposals.

(2) The technical assistance team shall—

(A) assess the feasibility, scientific and technical merits, and estimated cost of each proposal; and

(B) submit each proposal, and the assessment of the proposal, to the Administrator.

(3) The technical assistance team shall not consider or evaluate proposals submitted in response to a solicitation for offers for a pending procurement or for a specific agency requirement.

(4) After receiving proposals and assessments from the technical assistance team, the Administrator shall consider recommending appropriate proposals for funding under the E-Government Fund established under section 3604 or, if appropriate, forward the proposal and the assessment of it to the executive agency whose mission most coincides with the subject matter of the proposal.

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2909.)

Statutory Notes and Related Subsidiaries

Effective Date

Section effective 120 days after Dec. 17, 2002, see section 402(a) of Pub. L. 107–347, set out as a note under section 3601 of this title.

§3606. E-Government report

(a) Not later than March 1 of each year, the Director shall submit an E-Government status report to the Committee on Governmental Affairs of the Senate and the Committee on Government Reform of the House of Representatives.

(b) The report under subsection (a) shall contain—

(1) a summary of the information reported by agencies under section 202(f) ¹ of the E-Government Act of 2002;

(2) the information required to be reported by section 3604(f); and

(3) a description of compliance by the Federal Government with other goals and provisions of the E-Government Act of 2002.

(Added Pub. L. 107–347, title I, §101(a), Dec. 17, 2002, 116 Stat. 2909.)

Editorial Notes

References in Text

The E-Government Act of 2002, referred to in subsec. (b)(3), is Pub. L. 107–347, Dec. 17, 2002, 116 Stat. 2899. Section 202 of the Act is set out in a note under section 3501 of this title. For complete classification of this Act to the Code, see Tables.

Statutory Notes and Related Subsidiaries

Change of Name

Effective Date

Section effective 120 days after Dec. 17, 2002, see section 402(a) of Pub. L. 107–347, set out as a note under section 3601 of this title.

¹ So in original. Probably should be "section 202(g)".

§3607. Definitions

(a) In General.—Except as provided under subsection (b), the definitions under sections 3502 and 3552 apply to this section through section 3616.

(b) Additional Definitions.—In this section through section 3616:

(1) Administrator.—The term "Administrator" means the Administrator of General Services.

(2) Appropriate congressional committees.—The term "appropriate congressional committees" means the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Oversight and Reform of the House of Representatives.

(3) Authorization to operate; federal information.—The terms "authorization to operate" and "Federal information" have the meaning given those term ¹ in Circular A–130 of the Office of Management and Budget entitled "Managing Information as a Strategic Resource", or any successor document.

(4) Cloud computing.—The term "cloud computing" has the meaning given the term in Special Publication 800–145 of the National Institute of Standards and Technology, or any successor document.

(5) Cloud service provider.—The term "cloud service provider" means an entity offering cloud computing products or services to agencies.

(6) FedRAMP.—The term "FedRAMP" means the Federal Risk and Authorization Management Program established under section 3608.

(7) FedRAMP authorization.—The term "FedRAMP authorization" means a certification that a cloud computing product or service has—

(A) completed a FedRAMP authorization process, as determined by the Administrator; or

(B) received a FedRAMP provisional authorization to operate, as determined by the FedRAMP Board.

(8) Fedramp authorization package.—The term "FedRAMP authorization package" means the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.

(9) FedRAMP board.—The term "FedRAMP Board" means the board established under section 3610.

(10) Independent assessment service.—The term "independent assessment service" means a third-party organization accredited by the Administrator to undertake conformity assessments of cloud service providers and the products or services of cloud service providers.

(11) Secretary.—The term "Secretary" means the Secretary of Homeland Security.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3449.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

Pub. L. 117–263, div. E, title LIX, §5921(e), Dec. 23, 2022, 136 Stat. 3458, provided that: "Nothing in this section [see Short Title of 2022 Amendment note set out under section 101 of this title] or any amendment made by this section shall be construed as altering or impairing the authorities of the Director of the Office of Management and Budget or the Secretary of Homeland Security under subchapter II of chapter 35 of title 44, United States Code."

¹ So in original. Probably should be "terms".

§3608. Federal risk and authorization management program

There is established within the General Services Administration the Federal Risk and Authorization Management Program. The Administrator, subject to section 3614, shall establish a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3450.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3609. Roles and responsibilities of the General Services Administration

(a) Roles and Responsibilities.—The Administrator shall—

(1) in consultation with the Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services, including, as appropriate, oversight of continuous monitoring of cloud computing products and services, pursuant to guidance issued by the Director pursuant to section 3614;

(2) establish processes and identify criteria consistent with guidance issued by the Director under section 3614 to make a cloud computing product or service eligible for a FedRAMP authorization and validate whether a cloud computing product or service has a FedRAMP authorization;

(3) develop and publish templates, best practices, technical assistance, and other materials to support the authorization of cloud computing products and services and increase the speed, effectiveness, and transparency of the authorization process, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology and relevant statutes;

(4) establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization;

(5) grant FedRAMP authorizations to cloud computing products and services consistent with the guidance and direction of the FedRAMP Board;

(6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;

(7) coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring under section 3553;

(8) provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies to fulfill the requirements of section 3613;

(9) provide regular updates to applicant cloud service providers on the status of any cloud computing product or service during an assessment process;

(10) regularly review, in consultation with the FedRAMP Board—

(A) the costs associated with the independent assessment services described in section 3611; and

(B) the information relating to foreign interests submitted pursuant to section 3612;

(11) in coordination with the Director, the Secretary, and other stakeholders, as appropriate, determine the sufficiency of underlying requirements to identify and assess the provenance of the software in cloud services and products;

(12) support the Federal Secure Cloud Advisory Committee established pursuant to section 3616; and

(13) take such other actions as the Administrator may determine necessary to carry out FedRAMP.

(b) Website.—

(1) In general.—The Administrator shall maintain a public website to serve as the authoritative repository for FedRAMP, including the timely publication and updates for all relevant information, guidance, determinations, and other materials required under subsection (a).

(2) Criteria and process for fedramp authorization priorities.—The Administrator shall develop and make publicly available on the website described in paragraph (1) the criteria and process for prioritizing and selecting cloud computing products and services that will receive a FedRAMP authorization, in consultation with the FedRAMP Board and the Chief Information Officers Council.

(1) In general.—The Administrator, in coordination with the Secretary, shall assess and evaluate available automation capabilities and procedures to improve the efficiency and effectiveness of the issuance of FedRAMP authorizations, including continuous monitoring of cloud computing products and services.

(2) Means for automation.—Not later than 1 year after the date of enactment of this section, and updated regularly thereafter, the Administrator shall establish a means for the automation of security assessments and reviews.

(d) Metrics for Authorization.—The Administrator shall establish annual metrics regarding the time and quality of the assessments necessary for completion of a FedRAMP authorization process in a manner that can be consistently tracked over time in conjunction with the periodic testing and evaluation process pursuant to section 3554 in a manner that minimizes the agency reporting burden.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3450.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Editorial Notes

References in Text

The date of enactment of this section, referred to in subsec. (c)(2), is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3610. FedRAMP Board

(a) Establishment.—There is established a FedRAMP Board to provide input and recommendations to the Administrator regarding the requirements and guidelines for, and the prioritization of, security assessments of cloud computing products and services.

(b) Membership.—The FedRAMP Board shall consist of not more than 7 senior officials or experts from agencies appointed by the Director, in consultation with the Administrator, from each of the following:

(1) The Department of Defense.

(2) The Department of Homeland Security.

(3) The General Services Administration.

(4) Such other agencies as determined by the Director, in consultation with the Administrator.

(c) Qualifications.—Members of the FedRAMP Board appointed under subsection (b) shall have technical expertise in domains relevant to FedRAMP, such as—

(1) cloud computing;

(2) cybersecurity;

(3) privacy;

(4) risk management; and

(5) other competencies identified by the Director to support the secure authorization of cloud services and products.

(d) Duties.—The FedRAMP Board shall—

(1) in consultation with the Administrator, serve as a resource for best practices to accelerate the process for obtaining a FedRAMP authorization;

(2) establish and regularly update requirements and guidelines for security authorizations of cloud computing products and services, consistent with standards and guidelines established by the Director of the National Institute of Standards and Technology, to be used in the determination of FedRAMP authorizations;

(3) monitor and oversee, to the greatest extent practicable, the processes and procedures by which agencies determine and validate requirements for a FedRAMP authorization, including periodic review of the agency determinations described in section 3613(b);

(4) ensure consistency and transparency between agencies and cloud service providers in a manner that minimizes confusion and engenders trust; and

(5) perform such other roles and responsibilities as the Director may assign, with concurrence from the Administrator.

(e) Determinations of Demand for Cloud Computing Products and Services.—The FedRAMP Board may consult with the Chief Information Officers Council to establish a process, which may be made available on the website maintained under section 3609(b), for prioritizing and accepting the cloud computing products and services to be granted a FedRAMP authorization.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3452.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3611. Independent assessment

The Administrator may determine whether FedRAMP may use an independent assessment service to analyze, validate, and attest to the quality and compliance of security assessment materials provided by cloud service providers during the course of a determination of whether to use a cloud computing product or service.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3453.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3612. Declaration of foreign interests

(a) In General.—An independent assessment service that performs services described in section 3611 shall annually submit to the Administrator information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service.

(b) Updates.—Not later than 48 hours after there is a change in foreign ownership or control of an independent assessment service that performs services described in section 3611, the independent assessment service shall submit to the Administrator an update to the information submitted under subsection (a).

(c) Certification.—The Administrator may require a representative of an independent assessment service to certify the accuracy and completeness of any information submitted under this section.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3453.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3613. Roles and responsibilities of agencies

(a) In General.—In implementing the requirements of FedRAMP, the head of each agency shall, consistent with guidance issued by the Director pursuant to section 3614—

(1) promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements as determined by the Director, in consultation with the Secretary;

(2) confirm whether there is a FedRAMP authorization in the secure mechanism provided under section 3609(a)(8) before beginning the process of granting a FedRAMP authorization for a cloud computing product or service;

(3) to the extent practicable, for any cloud computing product or service the agency seeks to authorize that has received a FedRAMP authorization, use the existing assessments of security controls and materials within any FedRAMP authorization package for that cloud computing product or service; and

(4) provide to the Director data and information required by the Director pursuant to section 3614 to determine how agencies are meeting metrics established by the Administrator.

(b) Attestation.—Upon completing an assessment or authorization activity with respect to a particular cloud computing product or service, if an agency determines that the information and data the agency has reviewed under paragraph (2) or (3) of subsection (a) is wholly or substantially deficient for the purposes of performing an authorization of the cloud computing product or service, the head of the agency shall document as part of the resulting FedRAMP authorization package the reasons for this determination.

(c) Submission of Authorizations to Operate Required.—Upon issuance of an agency authorization to operate based on a FedRAMP authorization, the head of the agency shall provide a copy of its authorization to operate letter and any supplementary information required pursuant to section 3609(a) to the Administrator.

(d) Submission of Policies Required.—Not later than 180 days after the date on which the Director issues guidance in accordance with section 3614(1), the head of each agency, acting through the chief information officer of the agency, shall submit to the Director all agency policies relating to the authorization of cloud computing products and services.

(e) Presumption of Adequacy.—

(1) In general.—The assessment of security controls and materials within the authorization package for a FedRAMP authorization shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.

(2) Information security requirements.—The presumption under paragraph (1) does not modify or alter—

(A) the responsibility of any agency to ensure compliance with subchapter II of chapter 35 for any cloud computing product or service used by the agency; or

(B) the authority of the head of any agency to make a determination that there is a demonstrable need for additional security requirements beyond the security requirements included in a FedRAMP authorization for a particular control implementation.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3453.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3614. Roles and responsibilities of the Office of Management and Budget

The Director shall—

(1) in consultation with the Administrator and the Secretary, issue guidance that—

(A) specifies the categories or characteristics of cloud computing products and services that are within the scope of FedRAMP;

(B) includes requirements for agencies to obtain a FedRAMP authorization when operating a cloud computing product or service described in subparagraph (A) as a Federal information system; and

(C) encompasses, to the greatest extent practicable, all necessary and appropriate cloud computing products and services;

(2) issue guidance describing additional responsibilities of FedRAMP and the FedRAMP Board to accelerate the adoption of secure cloud computing products and services by the Federal Government;

(3) in consultation with the Administrator, establish a process to periodically review FedRAMP authorization packages to support the secure authorization and reuse of secure cloud products and services;

(4) oversee the effectiveness of FedRAMP and the FedRAMP Board, including the compliance by the FedRAMP Board with the duties described in section 3610(d); and

(5) to the greatest extent practicable, encourage and promote consistency of the assessment, authorization, adoption, and use of secure cloud computing products and services within and across agencies.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3454.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3615. Reports to Congress; GAO report

(a) Reports to Congress.—Not later than 1 year after the date of enactment of this section, and annually thereafter, the Director shall submit to the appropriate congressional committees a report that includes the following:

(1) During the preceding year, the status, efficiency, and effectiveness of the General Services Administration under section 3609 and agencies under section 3613 and in supporting the speed, effectiveness, sharing, reuse, and security of authorizations to operate for secure cloud computing products and services.

(2) Progress towards meeting the metrics required under section 3609(d).

(3) Data on FedRAMP authorizations.

(4) The average length of time to issue FedRAMP authorizations.

(5) The number of FedRAMP authorizations submitted, issued, and denied for the preceding year.

(6) A review of progress made during the preceding year in advancing automation techniques to securely automate FedRAMP processes and to accelerate reporting under this section.

(7) The number and characteristics of authorized cloud computing products and services in use at each agency consistent with guidance provided by the Director under section 3614.

(8) A review of FedRAMP measures to ensure the security of data stored or processed by cloud service providers, which may include—

(A) geolocation restrictions for provided products or services;

(B) disclosures of foreign elements of supply chains of acquired products or services;

(D) encryption for data processed, stored, or transmitted by cloud service providers.

(b) GAO Report.—Not later than 180 days after the date of enactment of this section, the Comptroller General of the United States shall report to the appropriate congressional committees an assessment of the following:

(1) The costs incurred by agencies and cloud service providers relating to the issuance of FedRAMP authorizations.

(2) The extent to which agencies have processes in place to continuously monitor the implementation of cloud computing products and services operating as Federal information systems.

(3) How often and for which categories of products and services agencies use FedRAMP authorizations.

(4) The unique costs and potential burdens incurred by cloud computing companies that are small business concerns (as defined in section 3(a) of the Small Business Act (15 U.S.C. 632(a)) as a part of the FedRAMP authorization process.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3455.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Editorial Notes

References in Text

The date of enactment of this section, referred to in text, is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

§3616. Federal Secure Cloud Advisory Committee

(a) Establishment, Purposes, and Duties.—

(1) Establishment.—There is established a Federal Secure Cloud Advisory Committee (referred to in this section as the "Committee") to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.

(2) Purposes.—The purposes of the Committee are the following:

(A) To examine the operations of FedRAMP and determine ways that authorization processes can continuously be improved, including the following:

(i) Measures to increase agency reuse of FedRAMP authorizations.

(ii) Proposed actions that can be adopted to reduce the burden, confusion, and cost associated with FedRAMP authorizations for cloud service providers.

(iii) Measures to increase the number of FedRAMP authorizations for cloud computing products and services offered by small businesses concerns (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a)).

(iv) Proposed actions that can be adopted to reduce the burden and cost of FedRAMP authorizations for agencies.

(B) Collect information and feedback on agency compliance with and implementation of FedRAMP requirements.

(3) Duties.—The duties of the Committee include providing advice and recommendations to the Administrator, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services.

(b) Members.—

(1) Composition.—The Committee shall be comprised of not more than 15 members who are qualified representatives from the public and private sectors, appointed by the Administrator, in consultation with the Director, as follows:

(A) The Administrator or the Administrator's designee, who shall be the Chair of the Committee.

(B) At least 1 representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.

(C) At least 2 officials who serve as the Chief Information Security Officer within an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.

(D) At least 1 official serving as Chief Procurement Officer (or equivalent) in an agency, who shall be required to maintain such a position throughout the duration of their service on the Committee.

(E) At least 1 individual representing an independent assessment service.

(F) At least 5 representatives from unique businesses that primarily provide cloud computing services or products, including at least 2 representatives from a small business concern (as defined by section 3(a) of the Small Business Act (15 U.S.C. 632(a))).

(G) At least 2 other representatives of the Federal Government as the Administrator determines necessary to provide sufficient balance, insights, or expertise to the Committee.

(2) Deadline for appointment.—Each member of the Committee shall be appointed not later than 90 days after the date of enactment of this section.

(3) Period of appointment; vacancies.—

(A) In general.—Each non-Federal member of the Committee shall be appointed for a term of 3 years, except that the initial terms for members may be staggered 1-, 2-, or 3-year terms to establish a rotation in which one-third of the members are selected each year. Any such member may be appointed for not more than 2 consecutive terms.

(B) Vacancies.—Any vacancy in the Committee shall not affect its powers, but shall be filled in the same manner in which the original appointment was made. Any member appointed to fill a vacancy occurring before the expiration of the term for which the member's predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member's term until a successor has taken office.

(1) Meetings.—The Committee shall hold not fewer than 3 meetings in a calendar year, at such time and place as determined by the Chair.

(2) Initial meeting.—Not later than 120 days after the date of enactment of this section, the Committee shall meet and begin the operations of the Committee.

(3) Rules of procedure.—The Committee may establish rules for the conduct of the business of the Committee if such rules are not inconsistent with this section or other applicable law.

(d) Employee Status.—

(1) In general.—A member of the Committee (other than a member who is appointed to the Committee in connection with another Federal appointment) shall not be considered an employee of the Federal Government by reason of any service as such a member, except for the purposes of section 5703 of title 5, relating to travel expenses.

(2) Pay not permitted.—A member of the Committee covered by paragraph (1) may not receive pay by reason of service on the Committee.

(e) Applicability to the Federal Advisory Committee Act.—Section 14 of the Federal Advisory Committee Act (5 U.S.C. App.) ¹ shall not apply to the Committee.

(f) Detail of Employees.—Any Federal Government employee may be detailed to the Committee without reimbursement from the Committee, and such detailee shall retain the rights, status, and privileges of his or her regular employment without interruption.

(g) Postal Services.—The Committee may use the United States mails in the same manner and under the same conditions as agencies.

(h) Reports.—

(1) Interim reports.—The Committee may submit to the Administrator and Congress interim reports containing such findings, conclusions, and recommendations as have been agreed to by the Committee.

(2) Annual reports.—Not later than 540 days after the date of enactment of this section, and annually thereafter, the Committee shall submit to the Administrator and Congress a report containing such findings, conclusions, and recommendations as have been agreed to by the Committee.

(Added Pub. L. 117–263, div. E, title LIX, §5921(b), Dec. 23, 2022, 136 Stat. 3456.)

Repeal of Section

For repeal of section by section 5921(d)(1) of Pub. L. 117–263, see Effective Date of Repeal note below.

Editorial Notes

References in Text

The date of enactment of this section, referred to in subsecs. (b)(2), (c)(2), and (h)(2), is the date of enactment of Pub. L. 117–263, which was approved Dec. 23, 2022.

Section 14 of the Federal Advisory Committee Act, referred to in subsec. (e), is section 14 of Pub. L. 92–463, which was set out in the Appendix to Title 5, Government Organization and Employees, and was repealed and restated as section 1013 of Title 5 by Pub. L. 117–286, §§3(a), 7, Dec. 27, 2022, 136 Stat. 4204, 4361.

Statutory Notes and Related Subsidiaries

Effective Date of Repeal

Pub. L. 117–263, div. E, title LIX, §5921(d)(1), Dec. 23, 2022, 136 Stat. 3458, provided that the repeal of this section is effective on the date that is 5 years after Dec. 23, 2022.

Construction

For rule of construction regarding section 5921 of Pub. L. 117–263, see section 5921(e) of Pub. L. 117–263, set out as a note under section 3607 of this title.

¹ See References in Text note below.