The FedRAMP Program Management Office is seeking comments on its
draft FedRAMP Authorization Boundary Guidance, Version
3.0, released on September 14, 2022. The public comment period
is currently open and closes on October 17, 2022.
Defining the authorization boundary is an important step in the
FedRAMP authorization process – the boundary encompasses all
components of the information system to be authorized and
identifies separately authorized systems as well as any connections
to external services and systems. In addition to addressing federal
data in the cloud, the new Authorization Boundary Guidance provides
updated language and definitions to better distinguish the various
data produced in systems supporting federal data, and where such
data must reside:
- Direct-impact Data is “data that could
have a direct adverse impact on the mission, organizations, or
individuals in the event of a loss of confidentiality, integrity,
or availability.” This data must reside in a FedRAMP
authorized system or in traditional FISMA non-cloud agency
authorized systems. Examples of this type of data are vulnerability
information, active incident response information and
communications, active threat assessments, and penetration test
information.
- Indirect-impact Data is “data that can
indirectly impact the CIA of an information system that stores,
processes, or transmits Federal Data for the Federal Government, in
any medium or form[.]” This data may be authorized to reside
in a FedRAMP authorized boundary, a traditional FISMA non-cloud
agency system, or a corporate system that can meet the requirements
of NIST 800-171. Examples of this type of data include system
security plans, contingency plans, and risk management plans.
- Low and Limited-Impact Data is “data that
will have a low or limited impact on the mission, organization, or
individuals if there is a loss of confidentiality, integrity, or
availability.” This data may reside in a system that meets
industry recognized security regimes and has an up-to-date
assessment and authorization as applicable. Examples of this type
of data include system health data and web and usage metrics.
- Corporate and Non-Impact Data is “data
about processes within the authorization boundary or federal
customers that does not contain security sensitive information
and/or information that if compromised could be a threat to the
systems supporting the processing and storage of federal data or
systems supporting federal data or federal personnel data.”[1]
There are no FedRAMP compliance requirements for where
this data must reside. This type of data includes sales data and
marketing materials.
The updated Guidance also provides information relating to
interconnections and external services in the cloud, and addresses
how to properly document requirements when leveraging external
services with an existing FedRAMP authorization. It incorporates
additional considerations for authorizations provided by the Joint
Authorization Board (JAB) as well as an appendix of frequently
asked questions (FAQs).
FedRAMP welcomes all comments prior to the October 17, 2022
deadline, but provides four areas of focus:
- Does the draft Authorization Boundary Guidance define clear
requirements?
- Does the draft Authorization Boundary Guidance provide
sufficient detail to build systems to meet those requirements? Does
it provide sufficient detail to test those requirements?
- Are there any areas where more details would provide clarity on
the requirements?
- Are there any materials or resources that can be provided to
enhance the Authorization Boundary Guidance?
Because the authorization boundary serves as the foundation for
building security for a cloud service offering, it is important for
cloud service providers to share industry perspective as FedRAMP
seeks to refine and finalize this Guidance. More information on the
comment process can be found on the GSA website.
Footnote
[1] FedRAMP Authorization Boundary Guidance, Version 3.0, at
3-5.