FedRAMP Boundary Guidance - Industry Response & Webinar
In May 2018, the FedRAMP PMO released guidance describing the “rules of thumb” Cloud Service Providers (CSPs) should consider when developing the FedRAMP authorization boundary for their cloud service offering(s). Following its release, the PMO received comments from industry partners requesting greater clarity on the purpose and drivers for the PMO’s release of guidance. We are providing that clarity below, and will be hosting two webinars where we provide in-depth information about what we heard from industry’s comments.
Why FedRAMP Released Authorization Boundary Guidance - What We Saw
As cloud services have evolved, so has FedRAMP’s understanding of the uniqueness cloud presents to the government’s security authorization processes. As services seeking FedRAMP authorization continue shifting from IaaS/PaaS to predominately SaaS services, the PMO has seen an increase in the use of third-party external services. This shift can lead to issues with CSPs defining their authorization boundaries, obscuring the flow of federal data among a cloud offering’s system, components, and services, and potentially calling the security of the third-party services into question.
An increase in complex cloud environments led to the following issues with authorization boundaries:
1) A lack of transparency into:
- The number and type of external services CSPs leverage
- Where and how federal information and metadata are processed, stored, or transmitted within a system and between the system and external services
2) Inaccurate or incomplete system descriptions
3) Incomplete assessment scopes that do not fully account for:
- How federal information is processed, stored, or transmitted
- How the confidentiality, integrity, or availability of federal information can be impacted by external services
Purpose of the Guidance: Encouraging Transparency, Accountability, Due Diligence, and Responsibility
The PMO recognizes that cloud services will continue to become more complex and interrelated. We developed boundary guidance to give industry key considerations (“rules of thumb”) to inform their boundary definition efforts.
As a government-wide program office, FedRAMP’s mission is to ensure the protection of federal information in the cloud. However, our recently released guidance does not broaden NIST’s definition of federal data, or change how industry systems are evaluated. Instead, we are asking more insightful questions and requesting transparency from CSPs when developing authorization boundaries.
This is critical in order to enable Agency Authorizing Officials (AOs) to more fully understand the risk to any federal information they place in a cloud environment. Where external services are in place to support a cloud system, AOs need as much transparency as possible into those services in order to understand the impact to a system’s risk posture. Because AOs are able to accept risk for their respective Agencies, this transparency into the use and impact of external services is key. FedRAMP encourages such transparency for all Agency authorizations by asking AOs to explicitly state the external services that are risk accepted for use in a system’s Authority to Operate (ATO) letter.
We are proud to have authorized 100+ cloud services for secure use across government over the last six years, and recognize the importance of having an engaged FedRAMP community of Agencies and industry partners. With respect to the released guidance, our commitment to that community is as follows:
When developing guidance, we do our best to be consistent with existing terminology for IT systems, services, and components, while also providing appropriate guidance on the application of federal security requirements to the cloud. We understand that our use of existing terminology in the authorization boundary guidance may create some confusion, especially around the definition and interpretation of federal information and metadata. We encourage CSPs to engage the PMO to more fully understand how to accurately account for all services where federal information and metadata are stored, processed, and transmitted.
Agency Authorization Stewardship
Agency AOs are responsible for understanding the risk posture of systems in use at their Agency. To ensure AOs have a complete picture of a system’s risk, FedRAMP is committed to:
- Supporting Agencies in their review of system security documentation
- Continuing to offer support and guidance for Agency authorization processes
- Performing due diligence in our review of cloud services in process for authorization
Clarifying the Difference Between FISMA / FedRAMP, ISO 27001, and SOC 2
FedRAMP recognizes that ISO 27001 and SOC 2 are both respected security regimes within industry, and compliance can indicate that CSPs have security in place. However, it is important to understand that the Federal Information Security Modernization Act (FISMA) - and by extension, FedRAMP - views security through a different lens than these security regimes. FedRAMP’s assessment is focused on the security of data within a system, and what can impact the security of that data. ISO and SOC generally focus on how a vendor handles security, and validate whether they follow their stated policies and procedures. FedRAMP’s risk assessment and authorization decision are contingent on the ability of a CSP to adequately scope their authorization boundary to account for the secure management of data within their system. We recognize this is a shift in how industry may be used to working, and we are committed to supporting CSPs in understanding how to view security from this vantage point and fully understand their authorization boundaries in the context of FISMA.
Industry Engagement and Outreach
Cloud services will continue to evolve as industry innovates. FedRAMP will continue to engage with industry to ensure vendors and assessors can understand and translate federal requirements for their systems to the benefit of all.
Webinars on Authorization Boundary Guidance
We’re hosting two webinars to further discuss the authorization boundary guidance and our response to industry’s comments:
- July 17th Webinar Registration (3:00pm - 3:45pm EDT)
- July 25th Webinar Registration (3:00pm - 3:45pm EDT)
If you have any questions or feedback, please reach out to firstname.lastname@example.org.