Minimum Assessment Scope
Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity or accessibility of the offering. The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.
Effective Date(s) & Overall Applicability
- Release: 25.11A
- Published: 2025-11-18
- Designator: MAS
- Description: Minor updates for the FedRAMP 20x Phase Two pilot and Rev5 Open Beta.
FedRAMP 20x:
- This release is effective 2025-11-18 for 20x.
- These Key Security Indicators apply to all FedRAMP 20x authorizations.
- Phase One Pilot participants have one year from authorization to fully address these Key Security Indicators but must demonstrate continuous quarterly progress.
- Phase Two Pilot participants must address all of these Key Security Indicators prior to submission for authorization review.
FedRAMP Rev5:
- This release is effective 2025-12-01 for Rev5 Open Beta.
- This set of requirements and recommendations may be adopted by Rev5 cloud service providers in place of legacy FedRAMP boundary requirements. Providers MUST contact rev5@fedramp.gov to coordinate adoption of these requirements for Rev5 authorizations during the Open Beta.
Background & Authority
- OMB Circular A-130: Managing Information as a Strategic Resource Section 10 states that an "Authorization boundary" includes "all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected." and further adds in footnote 64 that "Agencies have significant flexibility in determining what constitutes an information system and its associated boundary."
- NIST SP 800-37 Rev. 2 Chapter 2.4 footnote 36 similarly states that "the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization)."
- FedRAMP Authorization Act (44 USC § 3609 (a) (4)) requires the General Services Administration to "establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization."
Requirements & Recommendations
These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.
FRR-MAS-01 Cloud Service Offering Identification
Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.
Applies to: Low, Moderate, High
FRR-MAS-02 Third-Party Information Resources
Providers MUST include the configuration and usage of third-party information resources, ONLY IF FRR-MAS-01 APPLIES.
Applies to: Low, Moderate, High
FRR-MAS-03 Non-FedRAMP Authorized Third-Party Information Resources
Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal customer data from the configuration and usage of non-FedRAMP authorized third-party information resources, ONLY IF FRR-MAS-01 APPLIES.
Applies to: Low, Moderate, High
FRR-MAS-04 Metadata Inclusion
Providers MUST include metadata (including metadata about federal customer data), ONLY IF FRR-MAS-01 APPLIES.
Applies to: Low, Moderate, High
FRR-MAS-05 Information Flows and Impact Levels
Providers MUST clearly identify, document, and explain information flows and impact levels for ALL information resources, ONLY IF FRR-MAS-01 APPLIES.
Applies to: Low, Moderate, High
Application
This section provides general guidance on the application of this standard.
FRR-MAS-AY-01 Scope of FedRAMP
Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
Applies to: Low, Moderate, High
FRR-MAS-AY-02 Non-Cloud-Based Software
Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.
Applies to: Low, Moderate, High
FRR-MAS-AY-03 Exclusion of Non-Impacting Information Resources
Information resources (including third-party information resources) that do not meet the conditions in FRR-MAS-01 are not included in the cloud service offering for FedRAMP (FRR-MAS-02).
Applies to: Low, Moderate, High
FRR-MAS-AY-04 Impact Level Variations
Information resources (including third-party information resources) MAY vary by impact level as appropriate to the level of information handled or impacted by the information resource (FRR-MAS-05).
Applies to: Low, Moderate, High
FRR-MAS-AY-05 Review of Best Practices
All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.
Applies to: Low, Moderate, High
FRR-MAS-AY-06 Cloud Service Offering Determination
All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.
Applies to: Low, Moderate, High
Exceptions
These exceptions MAY override some or all of the FedRAMP requirements for this standard.
FRR-MAS-EX-01 Supplemental Information
Providers MAY include documentation of information resources beyond the cloud service offering, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.
Applies to: Low, Moderate, High