The authorization boundary is important because it defines the system scope that must comply with FedRAMP requirements. Each of the required controls of the appropriate FedRAMP baseline must be applied to all of the components, services, and devices (hereafter referred to simply as components) within the authorization boundary, including continuous monitoring and assessment by a 3PAO. Having a clearly defined boundary is critical for ensuring that a common understanding of the scope of the system is shared by all constituencies: the CSP, the authorizing official of the customer agency, and the 3PAO. Although a properly defined boundary is critical to the FedRAMP process, CSPs have found defining one quite difficult. The FedRAMP PMO has indicated that defining an appropriate boundary is the most common non-technical challenge faced by CSPs seeking a FedRAMP authorization. By far the most common error is omitting components from the boundary when they should be included, for example supporting services (logging, monitoring, backup, authentication, or CI/CD tooling) that store, process, or transmit federal data or that can affect the security of the system, even though they are not part of the customer-facing offering.

The FedRAMP PMO published draft guidance on establishing and documenting a proper boundary (see DRAFT FedRAMP Authorization Boundary Guidance). It is unclear when this guidance will be finalized. In the interim, SecureIT has compiled guidance for CSPs based on our dealings with the PMO. Please refer to our FedRAMP Tech Bulletin on the System Boundary.

Update: The PMO has removed the draft boundary guidance from its website. However, the PMO continues to enforce most of the requirements that were included in that “disappeared” draft guidance, so CSPs should not treat its removal as a relaxation of expectations. The most important of these requirements are captured in our Tech Bulletin.