United States: Know Your Boundaries – FedRAMP Publishes Draft Authorization Boundary Guidance for Public Comment
The FedRAMP Program Management Office is seeking comments on its Draft FedRAMP Authorization Boundary Guidance, Version 2.0, released July 13, 2021. The public comment period is currently open and ends September 13, 2021.
An authorization boundary is defined in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-37, Risk Management Framework for Information Systems and Organizations, as “all components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems to which the information system is connected.” Simply put, the authorization boundary is the “foundation upon which the rest of a system security plan is built.”1
The FedRAMP Authorization Boundary Guidance (the “Guidance”) provides cloud service providers that are pursuing or hold a FedRAMP authorization with direction on developing and maintaining an authorization boundary. Cloud service providers should clearly define the authorization boundary of their cloud service offering so that the government understands what has been secured, tested, and authorized when it issues a FedRAMP authorization.
The Guidance was originally published to help cloud service providers identify the authorization boundary of their cloud service offering in support of their FedRAMP authorization package. Version 2.0 is intended to provide additional detail on how to describe and illustrate the cloud service offering’s authorization boundary, data flow diagrams, and network interconnections.
The proposed Version 2.0 Guidance gives an overview of the key definitions and requirements set out in NIST SP 800-37, NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, and Office of Management and Budget Circular A-130, as well as an overview of the following concepts:
- Defining your authorization boundary in the cloud: Cloud service providers should describe data types, data flows, the processing of federal data and federal metadata, and any external systems that process, transmit, or store federal data and federal metadata on behalf of the provider’s cloud service offering.
- Federal data in the cloud: Guidance on mapping types of information and information systems to security categories.
- Federal metadata in the cloud: Cloud service providers should consider both (1) federal metadata and (2) enterprise metadata, each of which carries its own security considerations and requirements.
- Cloud interconnections: These must be reviewed by the agency authorizing official to ensure that all federal data and metadata residing in or leaving the cloud service provider’s system is properly protected.
- External services in the cloud: While cloud service providers may augment or support their systems with external services, they should clearly document and describe those external services within their authorization scope.
- Leveraging external services with a FedRAMP authorization: The Guidance describes how a cloud service offering can leverage an underlying service from a FedRAMP-authorized cloud service provider.
- Business services: These enterprise services sit outside the authorization boundary and must not contain any federal data or unauthorized metadata, unless the cloud service provider owns and operates the system and attests that the enterprise system meets the security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, or resides in a cloud service offering at the same security level.
The Guidance also includes data requirements, agency-specific security requirements, and an appendix on developing authorization boundary, network, and data flow diagrams.
Note that Section 3 of the Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which we have previously covered, directs the federal government to “take decisive steps to modernize its approach to cybersecurity,” including by “modernizing FedRAMP” and “accelerating movement to secure cloud services.” While the Guidance does not specifically refer to the May 2021 Executive Order, it aims to further clarify the existing authorization boundary guidance so that cloud service providers can obtain a FedRAMP authorization more quickly and securely, which aligns squarely with the Executive Order’s objective.
With the comment period for this Guidance ending September 12, 2021, it is important for cloud service providers that wish to obtain or maintain a FedRAMP authorization to offer an industry perspective as FedRAMP seeks to add detail and clarification to its existing guidance. Cloud service providers should also stay abreast of the evolving federal information security and cloud computing requirements relevant to FedRAMP. More information on the comment process is available on the GSA website.
1. FedRAMP Authorization Boundary Guidance, Version 2.0, on page 10.