FedRAMP looks to tighten necessary authorizations in policy draft
The FedRAMP program is looking to narrow the scope of what cloud service providers need for authorization, according to a policy draft published Wednesday on GitHub.
The document from the General Services Administration’s FedRAMP office establishes that cloud service offerings that handle federal information and directly impact the “confidentiality, integrity or availability of federal information” fall within the FedRAMP boundary. The draft states that supplemental services that pose indirect or insignificant risks to federal information should remain outside of the program’s boundary.
The GitHub page states that the inclusion of ancillary services that are not a clear risk to federal information creates a burden on CSPs. “This increased burden may result in reduced effective security as effort is spread across disparate systems that pose negligible risk; effort should instead be focused explicitly on the aspects of a cloud service offering that pose meaningful risk.”
The draft policy lists requirements and recommendations for CSPs that include updating boundary documentation “as architectures evolve and as protections or data flows change.” The report also states that providers would need to communicate updates promptly in a plan of action and milestones, continuous monitoring reports and system security plans, alongside additional recommendations.
CSPs would also not be permitted to reuse federal information for shared purposes under this draft of the boundary policy unless the government tenant opts in to sharing or grants access to the information. Providers would also be responsible for ensuring that external services are configured to meet this requirement if they’re handling federal information. This requirement also applies to machine-learning models trained on federal information.
Systems outside of the FedRAMP boundary are not allowed to directly access federal information or make changes to FedRAMP boundary security without approval from the owners of the federal information.
Independent assessors or third-party authenticators would be asked to test all components within the FedRAMP boundary and evaluate connections to systems outside of the boundary as documented by CSPs.
Assessors would also be required to review data flows between the environment of operations and the FedRAMP boundary, and are required to “validate the impact categorization of the data in those services, the presence of appropriate certification” as well as ensure that they have “no direct security impact or privileged access to the federal information.”