FedRAMP in 5 - Draft Boundary Guidance
Your Guide to FedRAMP Diagrams (UPDATED)
What is the purpose of this guidance?
The FedRAMP Authorization Boundary guidance provides a roadmap for developing, maintaining, and pursuing FedRAMP authorization. It provides expectations for clearly defining a Cloud Service Offering’s (CSOs) FedRAMP boundary.
What’s new with the recently released FedRAMP Authorization Boundary Guidance Draft:
- More in-depth look into Federal cloud metadata
- Clarifying authorization boundary and data requirements
- Highlighting the impacts on cloud security
- Expanding on protection and hosting guidance for federal metadata on corporate systems and cloud services
Let's take a look
Your organization is looking to sell your service or product and you need to be authorized by the Federal Risk and Authorization Management Program (FedRAMP). One of the first critical steps is to develop diagrams to be reviewed illustrating that your network and its boundary are FedRAMP ready. Government agencies want to know that federal information is properly secured and stored, and that confidentiality, integrity and availability of federal information is maintained. The FedRAMP Project Management Office (PMO), Third-Party Assessment Organizations (3PAO), and agency assessors will be looking for three types of diagrams. These diagrams include the Authorization Boundary Diagram (ABD), Data Flow Diagram (DFD), and the Network Diagram. These diagrams should be created as early as possible in the FedRAMP process because they are necessary for developing the System Security Plan (SSP), agency authorization kick-off, and Security Assessment Report (SAR). Remember, the government expects you, as a Cloud Service Provider (CSP), to do your due diligence when illustrating the FedRAMP boundary.
Creating & Storing Diagrams
Due to the potential for Federal Metadata residing in the diagrams, you want to leverage software that is either host-based or FedRAMP authorized at a level that is compatible with your (projected) FedRAMP level (Low, Moderate, or High) during the diagram development process. The Metadata should also be protected once the diagrams are completed by storing them in a secure and encrypted area that also aligns with the specific FedRAMP level you are trying to achieve or within your FedRAMP boundary. Appendix C of the draft FedRAMP Authorization Boundary Guidance provides an easily digestible table on what FedRAMP considers to be appropriate protection levels for different data types. FedRAMP authorized tools can be found and accessed via the FedRAMP Marketplace.
Clarity is Key
Diagrams should be clear and concise. Use proper alignment, spacing, and imagery to provide diagrams that are easy to digest. Create each diagram with the same orientation so it is clear to anyone viewing that it is the same system, and transition between diagrams, for comparison is easier. As always, include a legend that clearly identifies the components of your diagrams and use proper labeling within your diagram when necessary. Company-specific icons can usually be downloaded from their website to use in multiple programs. These icons need to be labeled accordingly and/or included in the legend.
Authorization Boundary Diagram
What is it?
The Authorization Boundary Diagram is a visual representation of the components that make up the authorization boundary by defining the authorization boundary for the CSO. This diagram must illustrate external system/services, system interconnections, every tool, system component and service that is mentioned in the SSP, displaying how your information system connects with external services and systems. The authorization boundary diagram is a living document that is updated and reviewed regularly for accuracy by the Authorizing Official (AO) and/or the Joint Authorization Board (JAB).
What to include in the Authorization Boundary Diagram:
- Be sure to align with the key concepts and principles outlined by FedRAMP
- Always include a legend
- Include a prominent RED border drawn around all system components included in the authorization boundary
- Depict all services leveraged from the underlying Infrastructure as a Service (IaaS) / Platform as a Service (PaaS) / Software as a Service (SaaS) and identify any services that are not FedRAMP authorized
- Depict all ingress / egress points
- Depict how CSP administrators and agency customers access the cloud service and external entities that access the system. If applicable, depict components provided by the CSP, and installed on customer devices, as inside the authorization boundary
- Depict all interconnected systems and external services, including corporate shared services, identify any systems/services that are not FedRAMP authorized
- Depict every tool, service or component mentioned in the SSP narrative and controls, identifying as either external or internal to the boundary. This includes security services used to manage and operate the system (e.g., Security Information and Event Management (SIEM), Vulnerability Scanning, System Health Monitoring, Ticketing)
- Include all areas containing federal data and metadata such as:
- development/test environment (if contains federal medadata)
- alternate processing site
- all backups
- Show all connections and components within the boundary and to/from external services as well as the separation and security between the boundary and external services and access
- Show updated services (e.g., malware signatures and OS updates) outside the boundary
- This includes system interconnections, Application Programming Interfaces (APIs), external cloud services, and Corporate Shared Services
- Be sure to use the legend to differentiate between external services that are FedRAMP-authorized and those that are not. Agency sponsors will need to understand and accept the risk associated with external services that process / store / transmit federal data or sensitive system information (for example: system log files, vulnerability scan data)
Example Authorization Boundary Diagram
Data Flow Diagram
What is it?
Data flow diagrams illustrate how data moves through the information system as well as the type of encryption while it is in transit or at rest. FedRAMP requires a data flow diagram that should address all components reflected in the ABD, that also delineates how data comes into and out of the authorization boundary, including data transmitted to / from all external systems and services. Data flow includes federal customer user authentication logical data flow, administrative and support personnel user authentication data flow, and system application data flow. The data flow diagram is a living document that is updated and reviewed regularly for accuracy by the AO and/or JAB.
Data Flow Diagrams should include:
- Identify everywhere (internal & external) federal data and metadata at rest and in transit is not protected through encryption. Likewise, identify everywhere data is protected through encryption and whether the encryption is using Federal Information Processing Standards (FIPS)-validated cryptographic modules.
- NOTE: FIPS validation applies to cryptographic modules, not protocols (e.g. TLS). The cryptographic module that sets up the TLS tunnel must be FIPS validated
- All data at rest must be protected with FIPS 140-2 validated encryption
- All data in transit, internal and external to the boundary, must be protected with FIPS 140-2 validated encryption. This includes federal data and metadata as well as system data (such as audit logs).
- NOTE: FIPS 140-2 applies to National Institute of Standards and Technology (NIST) tested and validated cryptographic modules that use approved algorithms
- All data flow diagrams should address all components reflected in the ABD
- Depict how CSP personnel as well as agency customers access the system
- Be sure to include authentication methods used and differentiate between privileged and non-privileged access
- Depict all ports and protocols for inbound and outbound traffic. (Several diagrams can be utilized if needed)
- A legend
Example Data Flow Diagram
What is it?
The network diagram should illustrate logical network separation and communication within your network devices such as routers, firewalls, nodes and other hardware (both virtual and physical) located within your environment. The network diagram is a living document that is updated and reviewed regularly for accuracy by the AO and/or JAB.
Network Diagrams should include:
- A legend
- All network devices
- All connections to network devices
- Communications between network devices
- Specific Subnets utilized within the information system
- Depict location of DNS servers:
- Including external authoritative servers used by customers to access the CSO
- Internal recursive servers used to access domains outside the boundary
Example Network Diagram
As Always, InfusionPoints’ FedRAMP Consultants are here to help......
Whether it’s governing, developing, or deploying your cloud solutions, InfusionPoints provides FedRAMP expertise and workforce so that you can stay focused on your core mission -- by infusing security at every point in the lifecycle of your cloud environment from concept to operations.
For more Information, check out our Cloud & FedRAMP Solution Page HERE
Determining Your FedRAMP Boundary Definition