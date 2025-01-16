

FedRAMP looks to tighten necessary authorizations in policy draft

In a boundary policy posted on GitHub, FedRAMP details how it could slim down its scope for external authorizations to systems that interact with federal information.


The FedRAMP program is looking to narrow the scope of what cloud service providers need for authorization, according to a policy draft published Wednesday on GitHub.

The document from the General Services Administration’s FedRAMP office establishes that cloud service offerings that handle federal information and directly impact the “confidentiality, integrity or availability of federal information” fall within the FedRAMP boundary. The draft states that supplemental services that pose indirect or insignificant risks to federal information should remain outside of the program’s boundary. 

The GitHub page states that the inclusion of ancillary services that are not a clear risk to federal information creates a burden on CSPs. “This increased burden may result in reduced effective security as effort is spread across disparate systems that pose negligible risk; effort should instead be focused explicitly on the aspects of a cloud service offering that pose meaningful risk.”

The draft policy lists requirements and recommendations for CSPs that include updating boundary documentation “as architectures evolve and as protections or data flows change.” The report also states that providers would need to communicate updates promptly in a plan of action and milestones, continuous monitoring reports and system security plans, alongside additional recommendations.


CSPs would also not be permitted to reuse federal information for shared purposes under this draft of the boundary policy unless the government tenant opts in to sharing or grants access to the information. Providers would also be responsible for ensuring that external services are configured to meet this requirement if they handle federal information. This requirement also applies to machine-learning models trained on federal information.

Systems outside of the FedRAMP boundary are not allowed to directly access federal information or make changes to FedRAMP boundary security without approval from the owners of the federal information. 

Independent assessors or third-party authenticators would be asked to test all components within the FedRAMP boundary and evaluate connections to systems outside of the boundary as documented by CSPs. 

Assessors would also be required to review data flows between the environment of operations and the FedRAMP boundary, and are required to “validate the impact categorization of the data in those services, the presence of appropriate certification” as well as ensure that they have “no direct security impact or privileged access to the federal information.”

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.
