Agency Use of FedRAMP Certified Cloud Services (Needs Review)
The Agency Use rules summarize the many demands made on agencies by the FedRAMP Authorization Act and OMB Memorandum M-24-15 in a simple, clear, easy-to-follow set of FedRAMP-style rules. These rules align agency policies, authorization letters, machine-readable tools, secure configuration review, continuous monitoring, and communication with FedRAMP so certifications can be reused consistently across government.
Rule Sections
General Agency Responsibilities
These rules apply to agencies based on the FedRAMP Authorization Act, OMB M-24-15, and related FedRAMP policies.
Agency Internal Policies
AGU-AGC-AIP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST maintain agency-wide policy that aligns with the requirements in OMB Memorandum M-24-15.
Notify FedRAMP After Authorization
AGU-AGC-NAL
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by email using ato-letter@fedramp.gov.
Agencies MUST supply FedRAMP the following information upon authorizing the use of a cloud service within the scope of FedRAMP:
- A copy of the Authorization to Operate letter
- All other supplementary information outlined at https://help.fedramp.gov/ato
Governance, Risk, and Compliance Tools
AGU-AGC-GRC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST ensure that internal governance, risk, compliance, and inventory tools can produce and ingest machine-readable artifacts using formats identified by FedRAMP, including at least:
- Open Security Controls Assessment Language (OSCAL)
- JSON
Terms: Artifacts, Machine-Readable
No Additional Security Requirements
AGU-AGC-NAR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST NOT require additional information or materials from FedRAMP Certified cloud service offerings beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate determines there is a demonstrable need; this does not apply to seeking clarification or asking general questions about FedRAMP Certification Data.
Note: This is related to the Presumption of Adequacy for a FedRAMP Certification.
Terms: Certification Data, Cloud Service Offering, FedRAMP Certified
Notify Additional Information Requests
AGU-AGC-NAI
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by email using info@fedramp.gov.
Agencies MUST notify FedRAMP after requesting any additional information or materials from a FedRAMP Certified cloud service offering beyond those FedRAMP requires.
Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).
FedRAMP Working Groups
AGU-AGC-WKG
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD participate in FedRAMP working groups, communities of practice, and stakeholder engagements to supply feedback and align practices across government.
Agency Liaison Program
AGU-AGC-LIA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD assign at least 1 federal employee to be an active participant in the FedRAMP Agency Liaison program.
Reference: Agency Liaison Program
Shared FedRAMP Inbox
AGU-AGC-SIN
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD establish and maintain a dedicated shared FedRAMP agency inbox to serve as the official point of contact for communications between FedRAMP and the agency.
Note: A shared FedRAMP agency inbox may follow an agency-specific format such as agency-fedramp@agency.gov.
Use of FedRAMP Certifications
These rules apply when agencies use FedRAMP Certifications to make agency authorization decisions.
Authorization Before Use
AGU-USE-ABU
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST complete the Authorization to Operate process for federal information systems that use FedRAMP Certified cloud service offerings.
Note: FedRAMP provides technical assistance to help agencies navigate this process.
Reference: Using a FedRAMP Certified Cloud Service Offering
Resolve Certification Package Conflicts
AGU-USE-RCF
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST collaborate with FedRAMP when discrepancies or conflicts arise between agency-specific security determinations and the baseline FedRAMP Certification package.
Terms: Certification Package
Review Secure Configuration Guides
AGU-USE-RSG
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST review the Secure Configuration Guides supplied by Providers and configure relevant security settings.
Accept FedRAMP Rules
AGU-USE-AFR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST allow FedRAMP Certified cloud service offerings to follow FedRAMP rules.
Review Ongoing Authorization Reports
AGU-USE-ROR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD review each Ongoing Authorization Report to understand how changes to the cloud service offering may impact the risk tolerance documented in the agency Authorization to Operate for the federal information system that includes the cloud service offering in its boundary.
Note: This agency review supports agency responsibilities under 44 USC § 35, OMB Circular A-130, FIPS-200, and OMB Memorandum M-24-15.
Terms: Cloud Service Offering
Notify FedRAMP of Concerns
AGU-USE-NFC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by email using info@fedramp.gov.
Agencies MUST notify FedRAMP if information presented in an Ongoing Authorization Report, Quarterly Review, or other FedRAMP Certification Data causes significant concerns for the authorizing official that would likely result in rescission of their Authorization to Operate.
Note: Agencies are expected to notify FedRAMP under OMB Memorandum M-24-15 section IV (a).
Terms: Certification Data, Likely, Quarterly Review
Designate Senior Official
AGU-USE-DSO
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD designate a federal senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems.
Notify Provider of Concerns
AGU-USE-NPC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify Provider by email using Provider security contact.
Agencies SHOULD formally notify the Provider if information presented in an Ongoing Authorization Report, Quarterly Review, or other FedRAMP Certification Data causes significant concerns for the authorizing official that would likely result in rescission of their Authorization to Operate.
Terms: Certification Data, Likely, Quarterly Review
Review All Information Resources
AGU-USE-RIR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies SHOULD consider third-party information resources used by the cloud service offering during initial and ongoing authorization activities.
Terms: Cloud Service Offering, Information Resource, Third-Party Information Resource
Agency Sponsored Certifications
These rules apply when an agency sponsors a FedRAMP Rev5 Certification after completing an agency authorization.
Most Recent Consolidated Rules
AGU-SPN-MRC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Agencies MUST follow the most recent FedRAMP Consolidated Rules when initiating agency-sponsored FedRAMP Certification.