December 1, 2022

Volume XII, Number 335


Third Time’s The Charm – FedRAMP Releases Draft Authorization Boundary Guidance Version 3 for Public Comment

The FedRAMP Program Management Office is seeking comments on its draft FedRAMP Authorization Boundary Guidance, Version 3.0, released on September 14, 2022. The public comment period currently is open and closes on October 17, 2022.

Defining the authorization boundary is an important step in the FedRAMP authorization process – the boundary encompasses all components of the information system to be authorized and identifies separately authorized systems as well as any connections to external services and systems. In addition to addressing federal data in the cloud, the new Authorization Boundary Guidance provides updated language and definitions to better distinguish the various data produced in systems supporting federal data, and where such data must reside:

  • Direct-impact Data is “data that could have a direct adverse impact on the mission, organizations, or individuals in the event of a loss of confidentiality, integrity, or availability.” This data must reside in a FedRAMP authorized system or in traditional FISMA non-cloud agency authorized systems. Examples of this type of data are vulnerability information, active incident response information and communications, active threat assessments, and penetration test information.

  • Indirect-impact Data is “data that can indirectly impact the CIA of an information system that stores, processes, or transmits Federal Data for the Federal Government, in any medium or form[.]” This data may be authorized to reside in a FedRAMP authorized boundary, a traditional FISMA non-cloud agency system, or a corporate system that can meet the requirements of NIST 800-171. Examples of this type of data include system security plans, contingency plans, and risk management plans.

  • Low and Limited-Impact Data is “data that will have a low or limited impact on the mission, organization, or individuals if there is a loss of confidentiality, integrity, or availability.” This data may reside in a system that meets industry recognized security regimes and has an up-to-date assessment and authorization as applicable. Examples of this type of data include system health data and web and usage metrics.

  • Corporate and Non-Impact Data is “data about processes within the authorization boundary or federal customers that does not contain security sensitive information and/or information that if compromised could be a threat to the systems supporting the processing and storage of federal data or systems supporting federal data or federal personnel data.”[1] There are no FedRAMP compliance requirements for where this data must reside. This type of data includes sales data and marketing materials.

The updated Guidance also provides information relating to interconnections and external services in the cloud, and addresses how to properly document requirements when leveraging external services with an existing FedRAMP authorization. It incorporates additional considerations for authorizations provided by the Joint Authorization Board (JAB) as well as an appendix of frequently asked questions (FAQs).

FedRAMP welcomes all comments prior to the October 17, 2022 deadline, but identifies four areas of focus:

  • Does the draft Authorization Boundary Guidance define clear requirements?

  • Does the draft Authorization Boundary Guidance provide sufficient detail to build systems to meet those requirements? Does it provide sufficient detail to test those requirements?

  • Are there any areas where more details would provide clarity on the requirements?

  • Are there any materials or resources that can be provided to enhance the Authorization Boundary Guidance?

Because the authorization boundary serves as the foundation for building security for a cloud service offering, it is important for cloud service providers to share industry perspective as FedRAMP seeks to refine and finalize this Guidance. More information on the comment process can be found on the GSA website.


FOOTNOTES

[1] FedRAMP Authorization Boundary Guidance, Version 3.0, at 3-5.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 271

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Daniel J. Alvarado Government Contract & Trade Attorney Sheppard Mullin Law Firm
Associate

Daniel J. Alvarado is an associate in the Government Contracts, Investigations, and International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Daniel's practice encompasses all areas of government contracting, with a focus on matters of compliance, investigations, disclosure obligations, transactional due diligence, and bid protest litigation. He assists clients of all sizes in managing complex government regulatory requirements in the areas of schedule contracting,...

202.747.2325