
FedRAMP 20x guidance

Engage on FedRAMP 20x

The FedRAMP 20x initiative, including this guidance, is an evolving effort. We encourage your participation and feedback.

Join the conversation and contribute by engaging with our 20x community group.


FedRAMP 20x Low Guidance

This explorer provides definitions and rules applicable to the FedRAMP 20x Low Authorization.


Definitions

FRD-KSI-01: Regularly

performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements.

FRD-MAS-01: Federal information

has the meaning from OMB Circular A-130 and any successor documents. As of Apr 2025, this means “information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the federal government, in any medium or form.”

Note: This typically does not include information that a cloud service provider produces outside of a government contract or agreement. Review FedRAMP’s Technical Assistance on Federal Information and consult qualified legal experts for additional assistance identifying federal information.

FRD-MAS-02: Information resources

has the meaning from 44 USC § 3502 (6): “information and related resources, such as personnel, equipment, funds, and information technology.”

Note: This applies to any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from organizational policies and procedures to hardware, software, and code.

FRD-MAS-03: Handle

has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use… etc.

FRD-MAS-04: Likely

means a reasonable degree of probability based on context.

FRD-MAS-05: Third-party information resource

means any information resource that is not entirely included in the FedRAMP Minimum Assessment Scope for the cloud service offering seeking authorization.

Rules

FRR-KSI-01

Cloud service providers MUST apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.

FRR-MAS-01

Providers MUST establish a FedRAMP Minimum Assessment Scope that includes all information resources that are likely to handle federal information or likely to impact the confidentiality, integrity, or availability of federal information.

FRR-MAS-02

Providers MUST include the configuration and usage of third-party information resources, ONLY IF FRR-MAS-01 applies.

FRR-MAS-03

Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal information from the configuration and usage of non-FedRAMP authorized third-party information resources, ONLY IF FRR-MAS-01 applies.

FRR-MAS-04

Providers MUST include metadata (including metadata about federal information), ONLY IF FRR-MAS-01 applies.

FRR-MAS-05

Providers MUST clearly identify, document, and explain information flows and impact levels for ALL information resources.

FRR-KSI-AY-01

All parties SHOULD follow FedRAMP’s best practices and technical assistance on assessing Key Security Indicators where applicable.

FRR-KSI-AY-02

(INTERIM RULE) All parties SHOULD continuously monitor and review materials in the FedRAMP 20x Phase One (20xP1) pilot requirements and the 20x Community Working Group. Additional details, interim best practices and technical assistance, answers to common questions, and more will be provided asynchronously during 20xP1.

FRR-MAS-AY-01

Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore also outside the Minimum Assessment Scope. For more, see fedramp.gov/scope.

FRR-MAS-AY-02

Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore outside the Minimum Assessment Scope. For more, see fedramp.gov/scope.

FRR-MAS-AY-03

Information resources (including third-party information resources) that do not meet the conditions in FRR-MAS-01 are outside the Minimum Assessment Scope (FRR-MAS-02).

FRR-MAS-AY-04

Information resources (including third-party information resources) MAY vary by impact level as appropriate to the level of information handled or impacted by the information resource (FRR-MAS-05).

FRR-MAS-AY-05

All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.

FRR-MAS-EX-01

Providers MAY include documentation of information resources beyond the Minimum Assessment Scope, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the Minimum Assessment Scope.