FedRAMP 20x Minimum Assessment Scope

FedRAMP Minimum Assessment Standard

  • Release: 25.06A
  • Published: 2025-06-17
  • Designator: MAS
  • Description: Minor non-breaking updates for clarity and formatting; renamed to Minimum Assessment Standard to avoid confusion with the Scope of FedRAMP as defined by M-24-15; reframed FRR-MAS-01 to explicitly note that this identifies the cloud service offering

Front Matter

Effective Date(s) & Overall Applicability

  • FedRAMP 20x:
    • This release is effective 2025-06-17 for 20xP1.
    • These requirements apply to all participants in the FedRAMP 20x Phase One pilot.
    • Minimum Assessment Standard is primarily documented and validated in KSI-PIY and KSI-TPR.
  • FedRAMP Rev5:
    • This release is effective 2025-07-30 for R5.MAS.B1 (tentatively).
    • These requirements will be initially tested and evaluated for Rev5 in the MAS Closed Beta (B1).
    • Providers MUST participate in the FedRAMP R5.MAS.B1 closed beta to transition from the Rev 5 legacy boundary until a final transition path is announced. Providers should participate in the FedRAMP Rev5 Community Working Group at https://www.fedramp.gov/community/ to follow this process.

Background & Authority

  • OMB Circular A-130: Managing Information as a Strategic Resource Section 10 states that an "Authorization boundary" includes "all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected." and further adds in footnote 64 that "Agencies have significant flexibility in determining what constitutes an information system and its associated boundary."
  • NIST SP 800-37 Rev. 2 Chapter 2.4 footnote 36 similarly states that "the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization)."
  • FedRAMP Authorization Act (44 USC § 3609 (a) (4)) Requires the General Services Administration to "establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization."

    (This responsibility is delegated to the FedRAMP Director)

Purpose

Authorization boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity, or availability of the offering. The Minimum Assessment Standard provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.

Expected Outcomes

  • Boundaries will include the minimum number of components to make authorization and assessment easier
  • Cloud service providers will define clear boundaries for security and assessment of offerings based on the direct risk to federal information
  • Third-party independent assessors will have a simple well documented approach to assess security and implementation decisions
  • Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based Authorization to Operate decisions based on their planned use case

Definitions

FRD-MAS-01

Federal Information: Has the meaning from OMB Circular A-130 and any successor documents. As of Apr 2025, this means "information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the federal government, in any medium or form."

Note: This typically does not include information that a cloud service provider produces outside of a government contract or agreement. Review FedRAMP's Technical Assistance and consult qualified legal experts for additional assistance identifying federal information.

Reference: OMB Circular A-130

FRD-MAS-02

Information Resource: Has the meaning from 44 USC § 3502 (6): "information and related resources, such as personnel, equipment, funds, and information technology."

Note: This applies to any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from organizational policies and procedures to hardware, software, and code.

Reference: 44 USC § 3502 (6)

FRD-MAS-03

Handle: Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use, etc.

FRD-MAS-04

Likely: A reasonable degree of probability based on context.

FRD-MAS-05

Third-party Information Resource: Any information resource that is not entirely included in the assessment for the cloud service offering seeking authorization.

FRD-MAS-06

Cloud Service Offering: A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Standard.

Requirements

FRR-MAS

These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.

FRR-MAS-01

Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal information or likely to impact the confidentiality, integrity, or availability of federal information handled by the cloud service offering.

FRR-MAS-02

Providers MUST include the configuration and usage of third-party information resources, ONLY IF FRR-MAS-01 APPLIES.

FRR-MAS-03

Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal information from the configuration and usage of non-FedRAMP authorized third-party information resources, ONLY IF FRR-MAS-01 APPLIES.

FRR-MAS-04

Providers MUST include metadata (including metadata about federal information), ONLY IF FRR-MAS-01 APPLIES.

FRR-MAS-05

Providers MUST clearly identify, document, and explain information flows and impact levels for ALL information resources, ONLY IF FRR-MAS-01 APPLIES.


FRR-MAS-EX

These exceptions MAY override some or all of the FedRAMP requirements for this standard.

FRR-MAS-EX-01

Providers MAY include documentation of information resources beyond the cloud service offering, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.


FRR-MAS-AY

These rules provide general guidance on the application of this standard.

FRR-MAS-AY-01

Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.

FRR-MAS-AY-02

Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.

FRR-MAS-AY-03

Information resources (including third-party information resources) that do not meet the conditions in FRR-MAS-01 are not included in the cloud service offering for FedRAMP (FRR-MAS-02).

FRR-MAS-AY-04

Information resources (including third-party information resources) MAY vary by impact level as appropriate to the level of information handled or impacted by the information resource (FRR-MAS-05).

FRR-MAS-AY-05

All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Standard as needed.

FRR-MAS-AY-06

All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.