The FedRAMP PMO recently worked with the Joint Authorization Board (JAB) and the Office of Management & Budget (OMB) to update the FedRAMP Authorization Boundary Guidance and is requesting public comment from stakeholders.
The FedRAMP Authorization Boundary Guidance was initially created in collaboration with both internal and external stakeholders and the JAB. The purpose is to help Cloud Service Providers (CSPs) understand the security and compliance requirements for the processing, storage, and transmission of data types, and how to accurately describe and illustrate their Cloud Service Offerings’ (CSO’s) authorization boundary.
Changes to the FedRAMP Authorization Boundary Guidance include:
- Updated language and definitions to better describe the different data types and processes.
- Updated definitions to align with new requirements that allow for the leveraging of cloud offerings that adhere to different compliance regimes. These regimes can include: 1) leveraging of FedRAMP Agency Authorizations and Traditional Agency Authorizations at an equal or higher FIPS 199 impact level, 2) Third-Party Compliance Regimes, or 3) no authorizations at all for a narrow set of external services that pose little to no risk, based on data categorization.
- Guidance on review requirements for leveraged cloud offerings along with their data types and the appropriate leveraging requirements.
Based on the changes listed above, we want your feedback. Below are potential areas of focus, but all comments are encouraged:
- Does the draft Authorization Boundary Guidance define clear requirements?
- Does the draft Authorization Boundary Guidance provide sufficient detail to build systems to meet those requirements? Does it provide sufficient detail to test those requirements?
- Are there any areas where more details would provide clarity on the requirements?
- Are there any materials or resources that can be provided to enhance the Authorization Boundary Guidance?
Please submit your comments on this draft of the FedRAMP Authorization Boundary Guidance document to firstname.lastname@example.org by October 17, 2022, with the subject line: Public Comment – Authorization Boundary Guidance.
Once the public comment period closes, FedRAMP will adjudicate all feedback and release communications when the updated guidance is finalized.