Your Guide to FedRAMP Diagrams
If your organization wants to sell a cloud service or product to federal agencies, it must be authorized under the Federal Risk and Authorization Management Program (FedRAMP). One of the first critical steps is developing the diagrams that reviewers use to judge whether your system and its boundary are FedRAMP ready. Agencies want assurance that federal information is properly secured and stored, and that its Confidentiality, Integrity and Availability are maintained. The FedRAMP Project Management Office (PMO), Third-Party Assessment Organizations (3PAOs), and agency assessors will at a minimum look for three diagrams: the Authorization Boundary Diagram, the Data Flow Diagram, and the Network Diagram. Create them as early as possible in the FedRAMP process, because they feed the System Security Plan (SSP), the agency authorization kick-off, and the Security Assessment Report (SAR). Remember that the government expects you, as the Cloud Service Provider (CSP), to do your due diligence when illustrating the FedRAMP boundary: anything the diagrams omit cannot be assessed, and gaps surface later as findings.
Creating & Storing Diagrams
When creating your diagrams, choose software that either runs locally on workstations you manage or is itself FedRAMP authorized at a level compatible with the impact level you are targeting (Low, Moderate, or High). The diagrams describe your security architecture in detail, so store them in an access-controlled, encrypted location that meets the requirements of the level you are pursuing, not in a general-purpose file share. FedRAMP authorized tools are listed on the FedRAMP Marketplace.
Clarity is Key
Diagrams should be clear and concise. Use consistent alignment, spacing, and imagery so that reviewers can digest them quickly. Always include a legend that identifies every symbol and component used, and label elements within the diagram wherever their meaning is not obvious. Vendor-specific icons (cloud providers and other product vendors usually publish official icon sets on their websites) can be reused across drawing programs; each such icon must be labeled and/or explained in the legend.
Authorization Boundary Diagram
Authorization boundary diagrams must illustrate how your information system connects with external services and systems. They should also show components or services that are controlled by your customer, and those leveraged as an external service. The authorization boundary diagram is a living document: update it whenever the architecture changes and review it regularly for accuracy, because a diagram that drifts from the deployed system undermines the SSP that references it.
What to Include in the Authorization Boundary Diagram (from FedRAMP):
- Be sure to align with the key concepts and principles outlined by FedRAMP
- Always include a legend
- Include a prominent RED border drawn around all system components and services included in the authorization boundary
- Depict all services and components within the boundary, including security services used to manage and operate the system (e.g., SIEM, Vulnerability Scanning, System Health Monitoring, Ticketing)
- Depict all services leveraged from the underlying Infrastructure as a Service (IaaS) / Platform as a Service (PaaS)
- Depict all ingress / egress points and external entities that access the system (e.g., Agency users, CSP admins)
- Depict cloud components deployed in the customer's environment such as an endpoint application/agent
- Include all areas containing federal data and metadata, such as:
  - dev/test environments
  - the alternate processing site
  - all backups
- Depict connections to external systems and services that provide functionality to the system, are used to manage and operate the system, or provide updates such as OS and antivirus updates
  - This includes system interconnections, APIs, external cloud services, and Corporate Shared Services
- Use the legend to differentiate between external services that are FedRAMP-authorized and those that are not. Agency sponsors will need to understand and accept the risk associated with any external service that processes, stores, or transmits federal data or sensitive system information (for example, system log files or vulnerability scan data), so every such service must be visible on the diagram and marked with its authorization status
Example Authorization Boundary Diagram
Data Flow Diagram
Data flow diagrams illustrate how data moves through the information system and the type of encryption protecting it in transit and at rest. FedRAMP requires a data flow diagram that delineates how data enters and leaves the authorization boundary, including data transmitted to and from all external systems and services. The flows to cover include the federal customer user authentication flow, the administrative and support personnel authentication flow, and the system application data flow. The data flow diagram is a living document that is updated and reviewed regularly for accuracy.
Data Flow Diagrams should (from FedRAMP):
- Identify anywhere federal data is processed, stored, or transmitted
- Depict how data at rest and data in transit is protected
  - All data at rest must be protected with FIPS 140-2 validated encryption
  - All data in transit, both internal and external to the boundary, must be protected with FIPS 140-2 validated encryption. This includes federal data and metadata as well as system data (such as audit logs).
NOTE: FIPS 140-2 applies to cryptographic modules that NIST has tested and validated and that use approved algorithms. The validation certificate belongs to the module, not to the product that embeds it, so name the specific module (and the mode it runs in) rather than simply stating that a product "supports FIPS".
- Depict how CSP personnel as well as Agency customers access the system
  - Include the authentication methods used and differentiate between privileged and non-privileged access
- Depict all ports and protocols for inbound and outbound traffic (several diagrams can be used if needed)
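The boundary and data-flow checklists above lend themselves to a machine-readable inventory that can be linted and rendered before anyone hand-draws the picture. The following Python script is an added example, not FedRAMP guidance or InfusionPoints' tooling: it models components by zone and flows by port, protocol and encryption, flags the checklist violations (non-FIPS transit, unencrypted data at rest, a non-authorized external service holding federal or system data, an off-boundary component with no documented flow), and emits Graphviz DOT with the required red boundary border and a legend. The component names, the "-FIPS" suffix convention on the encryption field, and the styling choices are all assumptions of the example.

```python
"""Added example (not FedRAMP's guidance or InfusionPoints' tooling): keep the
boundary and data-flow inventory in a machine-readable form, lint it against
the diagram checklist, and render the boundary as Graphviz DOT. All component,
flow and encryption names below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    zone: str                         # "boundary", "customer", "user" or "external"
    fedramp_authorized: bool = False  # meaningful only for zone == "external"
    holds_data: bool = False          # stores federal data or sensitive system data (logs, scan results)
    at_rest_fips: bool = False        # data at rest protected by a FIPS 140-2 validated module


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str
    encryption: str                   # constructed convention: a "-FIPS" suffix marks a validated module
    privileged: bool = False          # administrative access is drawn differently from user access


def lint(components, flows):
    """Return a list of findings; an empty list means the inventory passes the checks."""
    by_name = {c.name: c for c in components}
    findings = []
    for c in components:
        if c.holds_data and not c.at_rest_fips:
            findings.append(f"{c.name}: data at rest is not protected by FIPS 140-2 validated encryption")
        if c.zone == "external" and c.holds_data and not c.fedramp_authorized:
            findings.append(f"{c.name}: non-FedRAMP-authorized external service holds federal or system data")
    for f in flows:
        tag = f"{f.src}->{f.dst} {f.port}/{f.protocol}"
        missing = [e for e in (f.src, f.dst) if e not in by_name]
        if missing:
            findings.append(f"{tag}: endpoint not in component inventory: {', '.join(missing)}")
            continue
        if not f.encryption.endswith("-FIPS"):  # applies to internal and external flows alike
            findings.append(f"{tag}: transit encryption is not FIPS 140-2 validated ({f.encryption})")
    # Anything outside the boundary must appear on at least one flow, otherwise the
    # boundary diagram shows a connection that the data-flow diagram never explains.
    used = {e for f in flows for e in (f.src, f.dst)}
    for c in components:
        if c.zone != "boundary" and c.name not in used:
            findings.append(f"{c.name}: outside the boundary but has no documented data flow")
    return findings


def to_dot(components, flows):
    """Render as Graphviz DOT: red boundary cluster, dashed boxes for external services
    that are not FedRAMP authorized, edges labelled with port/protocol/encryption."""
    out = ["digraph boundary {", "  rankdir=LR; node [shape=box];",
           '  subgraph cluster_boundary { label="Authorization Boundary"; color=red; penwidth=3;']
    out += [f'    "{c.name}";' for c in components if c.zone == "boundary"]
    out.append("  }")
    for c in components:
        if c.zone == "user":
            out.append(f'  "{c.name}" [shape=ellipse];')
        elif c.zone == "customer":
            out.append(f'  "{c.name}" [style=filled, fillcolor=lightgrey];')
        elif c.zone == "external":
            out.append(f'  "{c.name}" [style={"solid" if c.fedramp_authorized else "dashed"}];')
    for f in flows:
        out.append(f'  "{f.src}" -> "{f.dst}" [label="{f.port}/{f.protocol} {f.encryption}", '
                   f'style={"bold" if f.privileged else "solid"}];')
    out.append('  legend [shape=note, label="red border: authorization boundary\\n'
               'solid box: FedRAMP-authorized external service\\ndashed box: external, not authorized\\n'
               'grey box: deployed in customer environment\\nellipse: user\\nbold edge: privileged access"];')
    out.append("}")
    return "\n".join(out)


# Constructed sample inventory; the names are illustrative, not a real system.
COMPONENTS = [
    Component("web-tier", "boundary"),
    Component("app-db", "boundary", holds_data=True, at_rest_fips=True),
    Component("backup-site", "boundary", holds_data=True, at_rest_fips=False),  # alternate site, plaintext backups
    Component("siem", "boundary", holds_data=True, at_rest_fips=True),
    Component("agency-user", "user"),
    Component("csp-admin", "user"),
    Component("endpoint-agent", "customer"),                                    # drawn, but no flow documented
    Component("ticketing-saas", "external", fedramp_authorized=False, holds_data=True, at_rest_fips=True),
    Component("os-updates", "external", fedramp_authorized=False),
]
FLOWS = [
    Flow("agency-user", "web-tier", 443, "TCP", "TLS1.2-FIPS"),
    Flow("csp-admin", "web-tier", 22, "TCP", "SSH-FIPS", privileged=True),
    Flow("web-tier", "app-db", 5432, "TCP", "TLS1.2-FIPS"),
    Flow("app-db", "backup-site", 443, "TCP", "TLS1.2-FIPS"),
    Flow("web-tier", "siem", 6514, "TCP", "TLS1.2-FIPS"),
    Flow("siem", "ticketing-saas", 443, "TCP", "TLS1.2-FIPS"),  # vulnerability tickets leave the boundary
    Flow("web-tier", "os-updates", 443, "TCP", "TLS1.2"),       # TLS library here is not a validated module
]

if __name__ == "__main__":
    for finding in lint(COMPONENTS, FLOWS):
        print("FINDING:", finding)
    print(to_dot(COMPONENTS, FLOWS))  # pipe into: dot -Tpng -o boundary.png
```

Run as-is, the sample inventory produces four findings (plaintext backups at the alternate site, a non-authorized ticketing service holding scan data, a non-FIPS update channel, and a customer-side agent with no documented flow), which is exactly the kind of gap an assessor would raise against a hand-drawn diagram. The DOT output renders with Graphviz (`dot -Tpng`), and the same inventory can be diffed in version control so the "living document" requirement is enforced by review rather than by memory.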
Example Data Flow Diagram
Network Diagram
The network diagram should illustrate logical network separation and the communication between your network devices, such as routers, firewalls, nodes and other hardware (both virtual and physical) located within your environment. The network diagram is a living document that is updated and reviewed regularly for accuracy.
What to Include in the Network Diagram:
- All network devices
- A legend
- All connections to network devices
- Communications between network devices
- The specific subnets utilized within the information system
Example Network Diagram
As Always, InfusionPoints’ FedRAMP Consultants are Here to Help
Whether it's governing, developing, or deploying your cloud solutions, InfusionPoints provides FedRAMP expertise and workforce so that you can stay focused on your core mission, infusing security at every point in the lifecycle of your cloud environment from concept to operations.
For more information, check out our Cloud & FedRAMP Solution page.