An Update to FedRAMP’s High Baseline SA-9(5) Control

July 31 | 2020

The Federal Risk and Authorization Management Program (FedRAMP) provides standardized security requirements for the authorization and ongoing cybersecurity of cloud services. Cloud technology and the security landscape are dynamic and change over time. As a result, it’s important that the program reviews and regularly updates the FedRAMP security authorization requirements in order to keep pace with technology advancements and new security threats.

Per the FedRAMP Policy Memo, the Joint Authorization Board (JAB) is required to “Define and regularly update the FedRAMP security authorization requirements in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance.” The JAB recently updated the SA-9(5) - External Information System Services | Processing, Storage, and Service Location control parameters, within the High Baseline only, specifying the following:

The organization restricts the location of [FedRAMP Selection: information processing, information data, AND information services] to [FedRAMP Assignment: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction] based on [FedRAMP Assignment: all High Impact Data, Systems, or Services].

This update is effective immediately and applies to all cloud products and services that are authorized or in the process of achieving a FedRAMP Authorization at the FedRAMP High Baseline. All applicable forms and templates have been updated to reflect this change. As always, we appreciate your partnership and if there are any questions or comments, please contact us at For media inquiries, please email
