FedRAMP Discusses Boundary Guidance, Responds to Industry Comments

Matt Goodrich addresses MeriTalk's Cloud Computing Brainstorm on June 7, 2017, at the Newseum in Washington, D.C. (Photo: David Keith for MeriTalk)

Matt Goodrich, FedRAMP director, and Ashley Mahan, FedRAMP evangelist, addressed industry feedback to FedRAMP’s recently released authorization boundary guidance during a webinar today.

In May of this year, FedRAMP Project Management Office (PMO) released guidance for Cloud Service Providers (CSPs) to consider when developing the FedRAMP authorization boundary for their cloud service offerings intended for “immediate use.” As cloud services evolve, they become more complex. With increased complexity, FedRAMP noticed issues with defining authorization boundaries. An authorization boundary, according to FedRAMP, provides a diagrammatic illustration of a CSP’s internal services, components, and other devices along with connections to external services and systems.

In its guidance released in May, FedRAMP offered four “rules of thumb” that CSPs should keep in mind. First, Federal information that is processed, stored, or transmitted by or for the Federal government, in any medium or form falls inside the authorization boundary. Second, External services that impact the confidentiality, integrity, or availability (CIA) of Federal information are included within the authorization boundary. Third, corporate services that do not affect the CIA of Federal information fall outside the authorization boundary. Fourth, development environments that do not process, store, or transmit Federal information are also outside the authorization boundary.

Goodrich kicked off the webinar by acknowledging that defining an authorization boundary is no easy task. “We recognize that this is the hardest nontechnical component of a security package,” he said.

After briefly reviewing the May guidance, Goodrich and Mahan dove into three concerns they’ve heard most frequently in the last month.

  1. FedRAMP is broadening the scope of an authorization boundary and diluting existing security control environments by including metadata.
  2. It is unclear how to treat certain common types of interconnections per the released guidance.
  3. It is unclear what immediate use entails for industry adoption of guidance.

Regarding concerns over broadening the scope of an authorization boundary to include metadata, Mahan said FedRAMP’s true goal was transparency.

“We are trying to get an understanding of what particular Federal data elements could go into external services or any of these applications or tools that are outside of the boundary,” she explained. “So if there is truly Federal information data elements that can affect the confidentiality, integrity, or availability of Federal information, we need to make sure the appropriate security measures are being met to protect that data.”

Goodrich said he sees how some would view this as FedRAMP broadening the scope of the authorization boundary, that’s not necessarily the case. Rather, FedRAMP PMO is just asking better, more direct questions of CSPs.

With the next concern–regarding how to treat common types of interconnections–both Mahan and Goodrich drove home the importance of transparency.

“The word of the moment is transparency, transparency, transparency,” Goodrich said. “We are asking to understand how the system functionally operates and handles Federal information. Authorizing officials have the ability to make risk-based decisions regarding interconnections, but they need transparency to do that.”

Goodrich stressed that FedRAMP is a partnership between agencies and CSPs, and transparency is an essential component of the transparency. “Without transparency into how a cloud provider system is built and the risks associated with it, there is no ability to truly be partners.”

Finally, Goodrich and Mahan addressed concerns over what “immediate use” meant for CSPs.

“We recognize that we cannot have every vendor meet our guidance the second it is out,” Goodrich said. He explained that for FedRAMP immediate use meant “this is the way that we are beginning to analyze and will have a common way that we look at systems as they come in.” Furthermore, Goodrich called the guidance “a living document” and said, “it will evolve as industry and cloud services change.”

For those unable to attend today’s webinar, FedRAMP is holding another on Wednesday, July 25 at 3 p.m. where attendees will be able to ask questions following the presentation.

Recent