FedRAMP Authorization Boundary Guidance Released
Over the past year, the FedRAMP PMO has recognized that it is difficult for Cloud Service Providers (CSPs) to frame their cloud service offerings from a FISMA perspective, especially as cloud services become more complex and the use of external services to augment systems continues to increase. Because the authorization boundary is a core component of any FedRAMP System Security Plan (SSP), it is imperative that CSPs understand how to accurately describe and illustrate their cloud system’s authorization boundaries.
In partnership with the National Institute of Standards and Technology (NIST), the Office of Management and Budget, the Joint Authorization Board (JAB), and trusted industry partners, the FedRAMP PMO has released guidance describing key considerations for CSPs when defining their cloud authorization boundaries.
In releasing this guidance, we hope to inform the design of CSPs’ cloud authorization boundaries and also the review and approval of those systems by Agencies and independent assessors. This guidance is considered a living document and will be updated and expanded to reflect feedback from our partners as well as the continued evolution of cloud services.
This guidance should provide immediate utility to all FedRAMP stakeholders by providing clarity on the expectations of all systems that go through FedRAMP. Additionally, we continue to encourage CSPs, Agencies, and assessors to engage the PMO early and often when generating SSP documentation and scoping their authorization boundary appropriately.
Although this guidance is out for immediate use, the PMO is accepting comments from our industry and government partners on possible improvements. Comments can be sent to firstname.lastname@example.org through Friday, June 8th, and will be considered for the next iteration of this document.