
An Update to FedRAMP’s High Baseline SA-9(5) Control
July 30, 2020
The Federal Risk and Authorization Management Program (FedRAMP) provides standardized security requirements for the authorization and ongoing cybersecurity of cloud services. Cloud technology and the security landscape are dynamic and change over time. As a result, it’s important that the program reviews and regularly updates the FedRAMP security authorization requirements in order to keep pace with technology advancements and new security threats.
Per the FedRAMP Policy Memo, the Joint Authorization Board (JAB) is required to “Define and regularly update the FedRAMP security authorization requirements in accordance with the Federal Information Security Management Act of 2002 (FISMA) and DHS guidance.” The JAB recently updated the parameters of control SA-9(5), External Information System Services | Processing, Storage, and Service Location, within the High Baseline only. The updated control specifies the following:
- The organization restricts the location of [FedRAMP Selection: information processing, information data, AND information services] to [FedRAMP Assignment: U.S./U.S. Territories or geographic locations where there is U.S. jurisdiction] based on [FedRAMP Assignment: all High Impact Data, Systems, or Services].