Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

By Townsend Bourne & Daniel Alvarado on September 28, 2022

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.

Defining the authorization boundary is an important step in the FedRAMP authorization process – the boundary encompasses all components of the information system to be authorized and identifies separately authorized systems as well as any connections to external services and systems. In addition to addressing federal data in the cloud, the new Authorization Boundary Guidance provides updated language and definitions to better distinguish the various data produced in systems supporting federal data, and where such data must reside:

  • Direct-impact Data is “data that could have a direct adverse impact on the mission, organizations, or individuals in the event of a loss of confidentiality, integrity, or availability.” This data must reside in a FedRAMP authorized system or in traditional FISMA non-cloud agency authorized systems. Examples of this type of data are vulnerability information, active incident response information and communications, active threat assessments, and penetration test information.
  • Indirect-impact Data is “data that can indirectly impact the CIA of an information system that stores, processes, or transmits Federal Data for the Federal Government, in any medium or form[.]” This data may be authorized to reside in a FedRAMP authorized boundary, a traditional FISMA non-cloud agency system, or a corporate system that can meet the requirements of NIST 800-171. Examples of this type of data include system security plans, contingency plans, and risk management plans.
  • Low and Limited-Impact Data is “data that will have a low or limited impact on the mission, organization, or individuals if there is a loss of confidentiality, integrity, or availability.” This data may reside in a system that meets industry recognized security regimes and has an up-to-date assessment and authorization as applicable. Examples of this type of data include system health data and web and usage metrics.
  • Corporate and Non-Impact Data is “data about processes within the authorization boundary or federal customers that does not contain security sensitive information and/or information that if compromised could be a threat to the systems supporting the processing and storage of federal data or systems supporting federal data or federal personnel data.”[1] There are no FedRAMP compliance requirements for where this data must reside. This type of data includes sales data and marketing materials.

The updated Guidance also provides information relating to interconnections and external services in the cloud, and addresses how to properly document requirements when leveraging external services with an existing FedRAMP authorization. It incorporates additional considerations for authorizations provided by the Joint Authorization Board (JAB) as well as an appendix of frequently asked questions (FAQs).

FedRAMP welcomes all comments prior to the October 17, 2022 deadline, but provides four areas of focus:

  • Does the draft Authorization Boundary Guidance define clear requirements?
  • Does the draft Authorization Boundary Guidance provide sufficient detail to build systems to meet those requirements? Does it provide sufficient detail to test those requirements?
  • Are there any areas where more details would provide clarity on the requirements?
  • Are there any materials or resources that can be provided to enhance the Authorization Boundary Guidance?

Because the authorization boundary serves as the foundation for building security for a cloud service offering, it is important for cloud service providers to share industry perspective as FedRAMP seeks to refine and finalize this Guidance. More information on the comment process can be found on the GSA website.

FOOTNOTES

[1] FedRAMP Authorization Boundary Guidance, Version 3.0, at 3-5.

Townsend Bourne

Townsend Bourne is a partner in the Governmental Practice in the firm’s Washington, D.C. office. She also is Leader of the firm’s Government Business Group.

Daniel Alvarado

Daniel J. Alvarado is an associate in the Governmental Practice in the firm’s Washington, D.C. office.

  • Posted in:
    Technology and AI
  • Blog:
    Government Contracts & Investigations Blog
  • Organization:
    Sheppard, Mullin, Richter & Hampton LLP