MAS | boundary | stable

Minimum Assessment Scope

The Minimum Assessment Scope rules help providers define assessment boundaries narrowly enough to avoid unnecessary review of components that do not affect the offering's security. These rules still ensure the assessment includes the resources and connections needed to understand the offering's confidentiality, integrity, and availability.

General Provider Responsibilities (CSO)

5 rules

These rules apply to providers for any type of FedRAMP Certification.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers
MAS-CSO-FLO

Information Flows and Security Categories

MUST

Providers MUST clearly identify, document, and explain information flows and security categories for ALL information resources or sets of information resources in the cloud service offering.

Information resources (including third-party information resources) MAY vary by security category as appropriate to the type of information handled by or impacted by the information resource.

Required Artifacts

  • A machine readable output containing all required data of the permitted connections between components of the cloud service offering that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.
  • A human readable explanation of how the machine readable output is derived.
  • The code for the automated process used to generate the machine readable output.

MAS-CSO-IIR

Identify Information Resources

MUST

Providers MUST identify a set of information resources to assess for FedRAMP Certification that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.

  • Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
  • Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Certification Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
  • All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP Certification rules and documented by the cloud service provider in their FedRAMP Certification Package.

Required Artifacts

  • A machine readable output containing all required data of the components of the cloud service offering that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.
  • A human readable explanation of how the machine readable output is derived.
  • The code for the automated process used to generate the machine readable output.
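
The three artifacts listed under MAS-CSO-FLO and MAS-CSO-IIR (machine-readable output, human-readable explanation, and the code that generates the output) are easiest to understand as one deliverable. The script below is an added example, not FedRAMP's or any provider's tooling: it derives the in-scope component set (MAS-CSO-IIR) and the permitted connections with their information flows (MAS-CSO-FLO) from a constructed inventory. The inventory, the attribute names (`handles_federal_data`, `security_category`, `third_party`) and the JSON layout are assumptions of this example; the page prescribes no particular format.

```python
"""Derive a machine-readable Minimum Assessment Scope from a component inventory.

Illustration added to this page; not FedRAMP's own tooling. The inventory,
the attribute names and the output layout are assumptions of this example.
"""
import json

# Constructed inventory of a hypothetical offering (sample data, not real).
COMPONENTS = {
    "web-app":       {"security_category": "moderate", "third_party": False, "handles_federal_data": True},
    "api":           {"security_category": "moderate", "third_party": False, "handles_federal_data": True},
    "postgres":      {"security_category": "moderate", "third_party": False, "handles_federal_data": True},
    "metrics-store": {"security_category": "low",      "third_party": False, "handles_federal_data": False},
    "idp-saas":      {"security_category": "moderate", "third_party": True,  "handles_federal_data": False},
    "corp-wiki":     {"security_category": "low",      "third_party": False, "handles_federal_data": False},
    "corp-backup":   {"security_category": "low",      "third_party": False, "handles_federal_data": False},
}

# Constructed permitted connections: (source, destination, protocol, information flow).
CONNECTIONS = [
    ("web-app",   "api",           "https/443", "federal customer data"),
    ("api",       "postgres",      "tls/5432",  "federal customer data"),
    ("api",       "metrics-store", "https/443", "metadata about federal customer data"),
    ("idp-saas",  "api",           "https/443", "authentication assertions"),
    ("corp-wiki", "corp-backup",   "ssh/22",    "internal documentation"),
]


def derive_scope(components, connections):
    """Return the in-scope components with the reason each one was included.

    Seed: components that handle federal customer data. Closure: any component
    with a permitted connection to or from an in-scope component, because it
    can affect that component's confidentiality, integrity or availability
    (inbound) or receive its data or metadata (outbound). The closure is
    deliberately conservative; a narrower boundary needs a documented
    justification rather than a change to this rule.
    """
    reasons = {
        name: "handles federal customer data"
        for name, attrs in components.items()
        if attrs["handles_federal_data"]
    }
    changed = True
    while changed:  # iterate until no new component is pulled into scope
        changed = False
        for src, dst, _proto, flow in connections:
            if src in reasons and dst not in reasons:
                reasons[dst] = f"receives '{flow}' from in-scope component {src}"
                changed = True
            elif dst in reasons and src not in reasons:
                reasons[src] = f"permitted connection into in-scope component {dst} ({flow})"
                changed = True
    return reasons


def build_assessment_scope(components, connections):
    """Assemble the machine-readable output (assumed layout) for MAS-CSO-IIR and MAS-CSO-FLO."""
    reasons = derive_scope(components, connections)
    in_scope = [
        {"id": name, "reason": reasons[name], **components[name]}
        for name in sorted(reasons)
    ]
    # Only connections whose both endpoints are in scope belong to the offering.
    permitted = [
        {"source": s, "destination": d, "protocol": p, "information_flow": f}
        for s, d, p, f in connections
        if s in reasons and d in reasons
    ]
    excluded = sorted(set(components) - set(reasons))
    return {
        "components": in_scope,
        "permitted_connections": permitted,
        "third_party_resources": [c["id"] for c in in_scope if c["third_party"]],
        "excluded_from_offering": excluded,
    }


def to_json(scope):
    """Serialise deterministically so successive runs are diffable."""
    return json.dumps(scope, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_assessment_scope(COMPONENTS, CONNECTIONS)))
```

The docstring of `derive_scope` doubles as the human-readable explanation of how the output is derived, and the script itself is the third artifact. In this sample the two corporate components that never touch an in-scope component are reported under `excluded_from_offering`; material about them belongs in a supplement (MAS-CSO-SUP), not in the offering. The third-party identity provider is pulled in because it has a permitted connection into an in-scope component, which is what triggers the MAS-CSO-TPR documentation for it.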

MAS-CSO-MDI

Metadata Inclusion

MUST

Providers MUST include metadata (including metadata about federal customer data) in the Minimum Assessment Scope ONLY IF MAS-CSO-IIR (Identify Information Resources) APPLIES.

Required Artifacts

  • A machine readable output containing all required data of the metadata collected or maintained by the cloud service offering that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.
  • A human readable explanation of how the machine readable output is derived.
  • The code for the automated process used to generate the machine readable output.

MAS-CSO-SUP

Supplemental Information

MAY

Providers MAY include additional materials about other information resources that are not part of the cloud service offering in a FedRAMP Certification Package supplement; these resources will not be FedRAMP Certified and MUST be clearly marked and separated from the cloud service offering.

This is intended to allow inclusion of things like security materials for apps, supplemental marketing collateral, and other information that is not part of the cloud service offering but may be useful to agencies.

MAS-CSO-TPR

Third-Party Information Resources

MUST

Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR (Identify Information Resources) APPLIES, by documenting the following information about each applicable third-party information resource:

  • General usage and configuration
  • Explanation or justification for use
  • Mitigation measures in place to reduce the potential impact to federal customer data
  • Compensating controls in place to reduce the potential impact to federal customer data

Required Artifacts

  • A machine readable output containing all required data of the third-party information resources of the cloud service offering that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.
  • A human readable explanation of how the machine readable output is derived.
  • The code for the automated process used to generate the machine readable output.