FedRAMP Clarifies Scope of Control Between Agencies, Cloud Providers

The Federal Risk and Authorization Management Program (FedRAMP) has released new guidance to help cloud service providers (CSPs) better delineate the authority and responsibility shared between providers and government agencies.

The new how-to guidance was released May 10 and aims to help CSPs better articulate their cloud authorization boundaries.

“A cloud authorization boundary illustrates a CSP’s scope of control over the system as well as any system components or services that are leveraged from external services or controlled by the customer,” the guidance says.

In essence, the cloud authorization boundary provides a theoretical line in the sand, showing where the CSP has jurisdiction and responsibility over agency data and network assets, and where the agencies maintain control over them.

“FedRAMP qualifies a system’s boundary according to wherever Federal data and/or information is stored, processed, transmitted, or used,” officials explained in a March FedRAMP blog announcing the forthcoming guidance. “The flow of data in and out of a system provides a frame of reference for understanding how to define the boundary.”

But in light of an increasing degree of specialization and tailored vendor offerings in the cloud marketplace, FedRAMP acknowledged that articulating these boundaries can be tricky for providers. The guidance aims to remedy that situation, and in the process, allow providers a better chance at securing FedRAMP authorization.

“Over the past year, the FedRAMP PMO has recognized that it is difficult for cloud service providers to frame their cloud service offerings from a FISMA [Federal Information Security Management Act] perspective, especially as cloud services become more complex and the use of external services to augment systems continues to increase,” FedRAMP officials said in the release statement.

The document was produced in collaboration with the National Institute of Standards and Technology, the Office of Management and Budget, the Joint Authorization Board, and industry collaborators. It includes seven key concepts for CSPs to consider, and a deeper explanation of what is in and out of boundary.

FedRAMP noted that the guidance is a “living document,” and the program is currently accepting comments from government and industry partners until June 8 to help draft the next iteration of the document.
