
Knowledgebase Article: Clarify the process for developing diagrams for a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) (Part 1, Part 2, Part 3) #715

Open
austinsonger opened this issue Jul 24, 2024 · 1 comment

austinsonger commented Jul 24, 2024

This would probably be 3 parts:

Clarify the process for developing diagrams for a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) - Part 1: Authorization Boundary Diagram

Purpose:

Illustrate the scope of the CSO, defining the boundaries and identifying all components within the authorization boundary.

Clarifications:

  • Identify and document all physical and logical components that constitute the CSO.
  • Highlight the interfaces and connections between components within the boundary.
  • Include any external systems or services that interact with the CSO, clearly marking them as outside the boundary.
  • Ensure that all data flows, entry and exit points, and control mechanisms are depicted accurately.
  • Elements that must be included in Authorization Boundary Diagram but are not required on the other diagrams

Recommendations

List of items that FedRAMP would like to see, but that are not required.

Examples

  • Example 1
  • Example 2
  • Example 3

Clarify the process for developing diagrams for a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) - Part 2: Network Diagrams

Purpose:

Provide a detailed view of the network architecture, showing how the various components within the authorization boundary are interconnected.

Clarifications:

  • Map out all network components, including firewalls, routers, switches, load balancers, and other critical infrastructure.
  • Clearly differentiate between internal and external networks.
  • Include details on segmentation, subnets, and network zones.
  • Highlight security controls such as intrusion detection/prevention systems (IDS/IPS) and any encryption mechanisms in place.
  • Elements that must be included in Network Diagrams but are not required on the other diagrams

Recommendations

List of items that FedRAMP would like to see, but that are not required.

Examples

  • Example 1
  • Example 2
  • Example 3

Clarify the process for developing diagrams for a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) - Part 3: Data Flow Diagrams

Purpose:

Visualize the flow of data within the CSO, illustrating how data is processed, stored, and transmitted.

Clarifications:

  • Identify and document all data inputs and outputs, including sources and destinations.
  • Map the pathways that data follows through the system, including all processing and storage points.
  • Include details on data classification and sensitivity levels.
  • Highlight security measures such as data encryption, access controls, and data integrity checks.
  • Elements that must be included in Data Flow Diagrams but are not required on the other diagrams

Recommendations

List of items that FedRAMP would like to see, but that are not required.

Examples

  • Example 1
  • Example 2
  • Example 3
@austinsonger austinsonger changed the title Knowledgebase Article: Clarify the process for developing diagrams for a a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) (Part 1, Part, Part 3)) Knowledgebase Article: Clarify the process for developing diagrams for a a FedRAMP Authorized (or seeking authorization) Cloud Service Offering (CSO) (Part 1, Part, Part 3) Jul 24, 2024
@audreamichellewhite audreamichellewhite self-assigned this Nov 8, 2024
audreamichellewhite (Contributor) commented:

FedRAMP is currently updating its authorization boundary guidance. This KBA will need to be written once that is finalized.
