FedRAMP 20x Low Definitions and Rules

Intro

The FedRAMP 20x Low guidance is built upon a set of core standards, currently the Minimum Assessment Scope (MAS) and the Key Security Indicators (KSI). These standards are essential for understanding and implementing the FedRAMP 20x Low requirements.

For detailed information, the standards documentation can be accessed as follows:

To understand the unique identifiers used within these documents, learn more about our Documentation Identifiers here.

The content below, starting with the Definitions and Rules sections, captures a consolidated view of these currently published standards for FedRAMP 20x Low.

Definitions

FRD-KSI-01: “Regularly” means performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements.

FRD-MAS-01: “Federal information” has the meaning from OMB Circular A-130 and any successor documents. As of Apr 2025, this means “information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the federal government, in any medium or form.”

This typically does not include information that a cloud service provider produces outside of a government contract or agreement. Review FedRAMP’s Technical Assistance on Federal Information and consult qualified legal experts for additional assistance identifying federal information.

FRD-MAS-02: “Information resources” has the meaning from 44 USC § 3502 (6): “information and related resources, such as personnel, equipment, funds, and information technology.”

This applies to any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from organizational policies and procedures to hardware, software, and code.

FRD-MAS-03: “Handle” has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use, etc.

FRD-MAS-04: “Likely” means a reasonable degree of probability based on context.

FRD-MAS-05: “Third-party information resource” means any information resource that is not entirely included in the FedRAMP Minimum Assessment Scope for the cloud service offering seeking authorization.

Rules

FRR-KSI-01: Cloud service providers MUST apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.

FRR-MAS-01: Providers MUST establish a FedRAMP Minimum Assessment Scope that includes all information resources that are likely to handle federal information or likely to impact the confidentiality, integrity, or availability of federal information.

FRR-MAS-02: Providers MUST include the configuration and usage of third-party information resources, ONLY IF FRR-MAS-01 applies.

FRR-MAS-03: Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal information from the configuration and usage of non-FedRAMP authorized third-party information resources, ONLY IF FRR-MAS-01 applies.

FRR-MAS-04: Providers MUST include metadata (including metadata about federal information), ONLY IF FRR-MAS-01 applies.

FRR-MAS-05: Providers MUST clearly identify, document, and explain information flows and impact levels for ALL information resources.

FRR-KSI-AY-01: All parties SHOULD follow FedRAMP’s best practices and technical assistance on assessing Key Security Indicators where applicable.

FRR-KSI-AY-02: (INTERIM RULE) All parties SHOULD continuously monitor and review materials in the FedRAMP 20x Phase One (20xP1) pilot requirements and the 20x Community Working Group. Additional details, interim best practices and technical assistance, answers to common questions, and more will be provided asynchronously during 20xP1.

FRR-MAS-AY-01: Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore also outside the Minimum Assessment Scope. For more, see fedramp.gov/scope.

FRR-MAS-AY-02: Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore outside the Minimum Assessment Scope. For more, see fedramp.gov/scope.

FRR-MAS-AY-03: Information resources (including third-party information resources) that do not meet the conditions in FRR-MAS-01 are outside the Minimum Assessment Scope (FRR-MAS-02).

FRR-MAS-AY-04: Information resources (including third-party information resources) MAY vary by impact level as appropriate to the level of information handled or impacted by the information resource (FRR-MAS-05).

FRR-MAS-AY-05: All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.

FRR-MAS-EX-01: Providers MAY include documentation of information resources beyond the Minimum Assessment Scope, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the Minimum Assessment Scope.