Demystification of the FedRAMP Authorization Boundary Diagrams (with Template)

External services according to the federal definition and FedRAMP guidance.

Federal Definition (NIST SP 800-53):

  • What Are External Services?: These are services that are used by an organization but are outside its control boundary. Think of them as tools or services that an organization uses but doesn't own or directly control, especially when it comes to security and privacy measures.

FedRAMP Guidance:

  • How Cloud Technologies Can Use External Services: Cloud Service Providers (CSPs) can use these external services to enhance or support their functionality, even though they don't directly control them.

What CSPs Must Do

  • Document Everything: CSPs need to write down details about these external services, including how data flows, what security measures are in place, and how federal information might be affected.
  • Include in Authorization Boundary: If these services carry federal data or metadata, they must be part of the Cloud Service Offering's (CSO's) authorization boundary, and they must meet specific data requirements.
  • Reflect in FedRAMP Authorization Package: All this information must be included in the CSP's official documents like the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), etc.
  • Get Approval from Authorizing Official (AO): The AO must review and approve these external systems as part of the CSP's authorization boundary before giving the green light to operate.

Item of Note

  • Pre-existing FedRAMP Authorization: External services might or might not already have FedRAMP Authorization, but if they impact the Confidentiality, Integrity, or Availability (CIA) of federal information, they must be included within the CSO's authorization boundary or another authorized boundary.

External services according to the federal definition and FedRAMP guidance.

Federal Definition (NIST SP 800-53):

  • What Are External Services?: These are services that are used by an organization but are outside its control boundary. Think of them as tools or services that an organization uses but doesn't own or directly control, especially when it comes to security and privacy measures.

FedRAMP Guidance:

  • How Cloud Technologies Can Use External Services: Cloud Service Providers (CSPs) can use these external services to enhance or support their functionality, even though they don't directly control them.

What CSPs Must Do

  • Document Everything: CSPs need to write down details about these external services, including how data flows, what security measures are in place, and how federal information might be affected.
  • Include in Authorization Boundary: If these services carry federal data or metadata, they must be part of the Cloud Service Offering's (CSO's) authorization boundary, and they must meet specific data requirements.
  • Reflect in FedRAMP Authorization Package: All this information must be included in the CSP's official documents like the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), etc.
  • Get Approval from Authorizing Official (AO): The AO must review and approve these external systems as part of the CSP's authorization boundary before giving the green light to operate.

Item of Note

  • Pre-existing FedRAMP Authorization: External services might or might not already have FedRAMP Authorization, but if they impact the Confidentiality, Integrity, or Availability (CIA) of federal information, they must be included within the CSO's authorization boundary or another authorized boundary.

External services according to the federal definition and FedRAMP guidance.

Federal Definition (NIST SP 800-53):

  • What Are External Services?: These are services that are used by an organization but are outside its control boundary. Think of them as tools or services that an organization uses but doesn't own or directly control, especially when it comes to security and privacy measures.

FedRAMP Guidance:

  • How Cloud Technologies Can Use External Services: Cloud Service Providers (CSPs) can use these external services to enhance or support their functionality, even though they don't directly control them.

What CSPs Must Do

  • Document Everything: CSPs need to write down details about these external services, including how data flows, what security measures are in place, and how federal information might be affected.
  • Include in Authorization Boundary: If these services carry federal data or metadata, they must be part of the Cloud Service Offering's (CSO's) authorization boundary, and they must meet specific data requirements.
  • Reflect in FedRAMP Authorization Package: All this information must be included in the CSP's official documents like the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), etc.
  • Get Approval from Authorizing Official (AO): The AO must review and approve these external systems as part of the CSP's authorization boundary before giving the green light to operate.

Item of Note

  • Pre-existing FedRAMP Authorization: External services might or might not already have FedRAMP Authorization, but if they impact the Confidentiality, Integrity, or Availability (CIA) of federal information, they must be included within the CSO's authorization boundary or another authorized boundary.

External services according to the federal definition and FedRAMP guidance.

Federal Definition (NIST SP 800-53):

  • What Are External Services?: These are services that are used by an organization but are outside its control boundary. Think of them as tools or services that an organization uses but doesn't own or directly control, especially when it comes to security and privacy measures.

FedRAMP Guidance:

  • How Cloud Technologies Can Use External Services: Cloud Service Providers (CSPs) can use these external services to enhance or support their functionality, even though they don't directly control them.

What CSPs Must Do

  • Document Everything: CSPs need to write down details about these external services, including how data flows, what security measures are in place, and how federal information might be affected.
  • Include in Authorization Boundary: If these services carry federal data or metadata, they must be part of the Cloud Service Offering's (CSO's) authorization boundary, and they must meet specific data requirements.
  • Reflect in FedRAMP Authorization Package: All this information must be included in the CSP's official documents like the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), etc.
  • Get Approval from Authorizing Official (AO): The AO must review and approve these external systems as part of the CSP's authorization boundary before giving the green light to operate.

Item of Note

  • Pre-existing FedRAMP Authorization: External services might or might not already have FedRAMP Authorization, but if they impact the Confidentiality, Integrity, or Availability (CIA) of federal information, they must be included within the CSO's authorization boundary or another authorized boundary.

Leveraging underlying services within a Cloud Service Offering (CSO)

Federal Definition:

  • Leveraging Other Services: If a CSO is using underlying services like Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), those services must have FedRAMP Authorization.
  • Compliance Requirements: The Cloud Service Provider (CSP) that's using these services must show that they meet all FedRAMP security and privacy rules.
  • Documentation: This relationship must be documented in the FedRAMP Authorization Package, which includes things like the System Security Plan (SSP) and Control Implementation Summary (CIS).
  • Customer Requirements: The CSP must also make sure they're meeting all the specific requirements that are outlined for customers in the leveraged customer responsibility matrix.

Item of Note:

  • Leveraged Services as a Subcategory: These leveraged services are considered a type of external service (as described earlier) and must already have FedRAMP Authorization at the same or higher security level (FIPS-199 impact level).
  • Special Rule for JAB Authorizations: If it's a Joint Authorization Board (JAB) Authorization, all external and leveraged services must have JAB Authorization at the same or higher security level as the CSO.

FedRAMP guidance regarding corporate services used by Cloud Service Providers (CSPs)

  1. What Are Corporate Services?: These are the tools or services that a CSP uses to run its everyday business operations. They're outside the authorization boundary of the Cloud Service Offering (CSO), meaning they're separate from the specific services provided to federal customers.
  2. Rules About Federal Data: Corporate services shouldn't contain any federal data or unauthorized metadata. If they do contain federal metadata (information about federal data), they must meet specific security requirements.

If Corporate Services Handle Federal Metadata:

  • Ownership and Operation: The CSP must own and operate the system that's handling this metadata.
  • Security Requirements: The system must meet the security standards outlined in NIST SP 800-171, or it must be part of a CSO that's at the same security level.

Handling federal data and metadata

Federal Data:

  • What It Is: Any data processed, stored, or transmitted by or for the federal government.
  • Requirements: Must be included in the authorization boundary and be in a system authorized to the same level as the Cloud Service Offering (CSO) being authorized.
  • JAB Specific Requirement: JAB systems must only use other JAB systems at the same security level (FIPS-199 impact level) for handling federal data.

Federal Metadata (Direct Impact):

  • What It Is: Metadata that can directly affect the Confidentiality, Integrity, or Availability (CIA) of a system handling federal data.
  • Requirements: Must be within the authorization boundary or in a system authorized to the same level as the CSO.
  • JAB Specific Requirement: JAB systems must only use other JAB-authorized systems at the same security level to handle dynamic federal metadata.

Federal Metadata (Indirect Impact):

  • What It Is: Metadata that can indirectly affect the CIA of a system handling federal data.
  • Requirements: Must be within the authorization boundary, in a system authorized to the same level as the CSO, or in a corporate system wholly owned and operated by the CSO.
  • JAB Specific Requirement: JAB systems must only use other JAB systems at the same security level or corporate systems owned and operated by the CSO to handle static authorized federal metadata.

Corporate Meta:

  • What It Is: Data about processes within the authorization boundary or federal customers that doesn't contain sensitive personal information or pose a threat to systems handling federal data or personnel data.

Defining the authorization boundary for a Cloud Service Offering (CSO)

Defining the Authorization Boundary:

  • What It Is: The authorization boundary is like a virtual fence that defines what's included in the CSO and what's not. It's the foundation for the System Security Plan (SSP).
  • Validation: It's checked against the inventory during an assessment by a third-party assessment organization (3PA0).

Authorization Boundary Diagram (ABD):

  • What It Is: A visual map that shows all the parts that make up the authorization boundary.
  • Purpose: Helps the Authorizing Official (AO) and/or the Joint Authorization Board (JAB) understand exactly what's being secured, tested, and authorized.

What the ABD Should Show:

  • External Systems/Services: Anything outside the CSO that helps it function or is used to manage it, like underlying IaaS/PaaS/SaaS offerings, interconnections, APIs, etc.

In-Boundary or Out-of-Boundary Components: Things in the customer's environment that might be inside or outside the boundary.

  • Out-of-Boundary Example: An agency-provided Identity Provider (IdP) used for authentication.
  • In-Boundary Example: Components like data collectors or agents that run in the customer's environment but are part of the CSO.

In Short:

  • Everything in the SSP Must Be on the ABD: If it's mentioned in the SSP, it should be on the diagram.
  • All CSP-Provided Components Must Be Tested: Anything provided by the Cloud Service Provider (CSP) should be tested by the 3PA0 and shown as in-boundary.

AO's Responsibility:

  • Review the Boundary: AOs must look closely at the authorization boundary to understand where they might need to accept risks and where the agency is responsible for handling security controls.

Authorization Boundary Diagram (ABD) according to FedRAMP's requirements

Create an Easy-to-Read Diagram:

  • Include a legend.
  • Make sure it's readable without enlarging.
  • It's okay to provide the ABD as a separate attachment.

Include a RED Border:

  • Draw a prominent red border around everything inside the authorization boundary.

Show Ingress/Egress Points:

  • Depict all entry and exit points.

Identify Underlying Services:

  • Show services from IaaS/PaaS/SaaS.
  • Identify any services that aren't FedRAMP authorized (color-coding or call-out boxes can be used).

Show Interconnected Systems and External Services:

  • Include corporate shared services.
  • Identify any that aren't FedRAMP authorized.

Include Every Tool, Service, or Component from the SSP:

  • Include things like SIEM, Vulnerability Scanning, System Health Monitoring, Ticketing.
  • Identify them as either internal or external to the boundary.

Show How Admins and Customers Access the Service:

  • Include authentication methods.
  • This information is also required on the boundary diagram, not just in data flow diagrams.

If Applicable, Show CSP-Provided Components Inside the Boundary:

  • Include things like data collectors in customer data centers if they affect the Confidentiality, Integrity, or Availability (CIA) of the CSO.

Show Connections Between Components:

  • Include connections within the boundary and to/from external services.
  • Show separation and security measures.

Include Specific Flows and Connections:

  • For example, connections from load balancers to servers.

Depict Dev/Test Environment and Backup Locations:

  • Include connections and security mechanisms.
  • Include the dev/test environment within the boundary if federal data is used or if federal personnel have access.

Show Update Services Outside the Boundary:

  • Include things like malware signatures and OS updates.

Network Diagrams and Data Flow Diagrams (DFDs) that align with the Authorization Boundary Diagram (ABD)

Network Diagram

The Network Diagram should include all components from the ABD and specifically:

Subnetting: Show the division of the network into subnets.

Location of DNS Servers Include details about:

  • External Authoritative Servers: Used by customers to access the Cloud Service Offering (CSO).
  • Internal Recursive Servers: Used to access domains outside the boundary.
  • DNSSEC Support: Both types of servers should support DNS Security Extensions (DNSSEC).

Data Flow Diagrams (DFD)

DFDs should also reflect all components in the ABD and include diagrams for specific logical data flows:

  1. Customer User and Admin Authentication: Include the type of Multifactor Authentication (MFA).
  2. CSP Administrative and Support Personnel Authentication: Include the type of MFA.
  3. System Application Data Flow within the Boundary.

System Application Data Flow to/from

  • External Services, including corporate shared services.
  • Interconnected Systems.
  • Alternate Processing Sites and Backup Storage.
  • Dev/Test environment.

Each DFD must explicitly identify:

  • Encryption Status: Where federal data and metadata at rest and in transit are not protected through encryption, and where they are protected.
  • FIPS-Validation: Whether the encryption uses FIPS-validated cryptographic modules (applies to modules, not protocols like TLS).

Security Controls:

  • SC-28: Protect data at rest.
  • SC-8(1): Protect data in transit.
  • SC-13: Use FIPS-validated cryptography.

Common Quality Issues:

  • Missing depiction of all access by parties (e.g., admins, customers).
  • Missing indication of MFA tool and protocol (e.g., OTP, push).
  • Lacking port and protocol information.
  • Failing to indicate encryption of data in transit and at rest.
  • Not indicating the use of FIPS-validated cryptography.
  • Omitting internal flows (e.g., to data stores, within microservices).
  • Not addressing replication of data to alternate sites or backup storage.
  • Lacking a legend.

Templates

FAQ

What is an Authorization Boundary?

An authorization boundary is essentially the "fence" that defines what's included within a system to be authorized for operation. It's the foundation of a system security plan (SSP) and includes all the components, services, and devices that make up the Cloud Service Offering (CSO).

Why is it Important?

  1. Clarity and Security: It provides a clear understanding of what is being secured, tested, and authorized. This helps in identifying areas that may require risk acceptance or areas where the agency has responsibility.
  2. Compliance with Standards: Historically, NIST has used the term "authorization boundary" to refer to the scope of the authorization, and it's now standardized terminology (NIST SP 800-37r2 pl5).
  3. Visual Representation: The Authorization Boundary Diagram (ABD) visually represents the components within the boundary, helping the Authorizing Official (AO) and the Joint Authorization Board (JAB) to understand what is being secured.
  4. Inclusion of External Systems: If a system stores or processes federal data but is not directly connected to the boundary, it still needs to be identified as an external system or service. This includes tools, services, or components mentioned in the SSP.
  5. Corporate Services Definition: Corporate services are a subset of external services operated by the CSP to support daily business operations. They exist outside the CSO authorization boundary and must be depicted on authorization boundary and data flow diagrams.
  6. Guidance for 3PAOs: Third-Party Assessment Organizations (3PAOs) must confirm that the CSP has properly identified all components and should identify external systems that are leveraged but not authorized.
  7. Agency Collaboration: Agencies play a critical role in defining the authorization boundary, understanding risks, data flows, third-party external services, testing status, and CSP-provided components.

Does a system that stores or processes federal data/metadata or sensitive system data, but is not directly connected to the boundary, need to be identified as an external system and/or service?

Yes, it does.

  1. Inclusion in Authorization Boundary: Even if a system is not directly connected to the boundary but processes or stores federal data/metadata or sensitive data, it must be included in the authorization boundary diagram. This includes any external system or service related to the Cloud Service Offering (CSO).
  2. Evaluation as External Service: Every tool, service, or component mentioned in the system security plan that's excluded from testing should be evaluated as an external service. For instance, an external ticketing system capturing system vulnerabilities may not be directly connected but still contains sensitive data impacting the confidentiality, integrity, and availability (CIA) of the CSO.
  3. Disclosure to Authorizing Official: These types of external systems and services must be disclosed to the Authorizing Official (AO) and depicted in the authorization boundary diagram. They should also be described in the authorization package deliverables like the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), or Readiness Assessment Report if pursuing a FedRAMP Ready designation.

Agency Collaboration: Agencies work closely with Cloud Service Providers (CSPs) to define the authorization boundary. They must understand various aspects, including:

  • The risk accepted by prior agencies.
  • Components within and excluded from the boundary.
  • Data flows and associated federal information.
  • Third-party external services.
  • Testing status of components in the CSP’s corporate environment.
  • CSP-provided components installed in the customer environment.

What is Corporate Services?

FedRAMP defines "corporate" services

Definition of "Corporate" Services:

  • Subset of External Services: Corporate services fall under the category of external services.
  • Operated by the CSP: They are operated and managed by the Cloud Service Provider (CSP) itself.
  • Support Business Operations: These services are used to support the daily business operations of the CSP.
  • Outside the CSO Boundary: Corporate services exist outside the authorization boundary of the Cloud Service Offering (CSO).
  • No Impact on CIA: They don't contain any information that would impact the confidentiality, integrity, or availability (CIA) of the CSO or any federal data.
  • Not Fully Controlled Cloud Services: If cloud services are used to support the corporate environment but are not under the full control of the CSP, they are considered external cloud services, not "corporate" services.

Requirements for Corporate Services:

  • Depiction on Diagrams: Corporate services must be shown on authorization boundary and data flow diagrams.
  • Description in SSP: They should be described in the System Security Plan (SSP) as external systems or services.
  • Risk Assessment: Any risks associated with connections to corporate systems or services should be described in the 3PA0 assessment results, such as the Security Assessment Report (SAR) or Readiness Assessment Report (RAR).