In plain terms. This 2022 law wrote the government's cloud-security program, FedRAMP, into permanent federal law instead of leaving it as agency policy. FedRAMP is the standardized way agencies vet and approve cloud services that handle unclassified government data.
Who it applies to. Cloud service providers selling to federal agencies, and the agencies that buy from them. If you resell or build on a cloud platform for federal customers, your provider's FedRAMP status flows down to you.
What it requires.
- Agencies must reuse an existing FedRAMP authorization rather than re-testing the same cloud service ("do once, use many times").
- It established a FedRAMP Board to recommend assessment requirements and guidelines for cloud providers.
- It established a Federal Secure Cloud Advisory Committee to coordinate how agencies adopt, authorize, monitor, acquire, and secure cloud services.
Why it matters. Codifying FedRAMP makes a single cloud authorization portable across agencies, lowering cost and time-to-award — but it also makes FedRAMP authorization a hard gate for selling cloud services to the government.
Citation. Pub. L. 117-263 (Dec. 23, 2022); 44 U.S.C. ch. 36.
Related. OMB M-24-15; GSA FedRAMP Consolidated Rules (2026); FedRAMP 20x technical standards; the FedRAMP Board (replacing the Joint Authorization Board).