To achieve GovRAMP Authorization, providers must demonstrate that their product meets minimum security criteria, which align with the best practices of National Institute of Standards & Technology (NIST) Special Publication 800-53. This includes providing a defined boundary for their cloud product and identifying underlying technologies.
For a product to satisfy GovRAMP's Authorization requirements, the underlying technologies must have demonstrated minimum security compliance. For many providers, this can be a challenge if they rely on technologies that are not yet GovRAMP or FedRAMP Authorized.
In May 2023, the Standards and Technical Committee approved updated Boundary Guidance that allows for GovRAMP Provisionally Authorized status for cloud offerings that rely on solutions which have not yet achieved a GovRAMP or FedRAMP Authorization, so long as the suppliers complete a GovRAMP Security Snapshot for the solution to make visible the strengths and risks of the cyber posture.
Granting products Provisionally Authorized status allows providers to extend the timeframe for working on their third-party solution, whether it involves achieving GovRAMP Authorization, migrating to a new solution, or hosting the solution inside their own boundary.
A product’s Provisionally Authorized letter will include the tools that are not FedRAMP or GovRAMP Authorized along with their Snapshot scores. Governments can then make risk-based determinations based on the Security Snapshot scores.
“A cloud offering’s boundary is important when considering cybersecurity, because it provides visibility into the IT supply chain that can be a weak spot for bad actors to infiltrate,” explained Noah Brown, GovRAMP PMO Director. “GovRAMP's Boundary Guidance is a novel approach to solving the costly challenge of the ‘chicken or the egg’ question that providers face today when considering their suppliers.”
The new GovRAMP Authorization Boundary Guidance supports the cybersecurity ecosystem by removing third-party barriers and allowing products to come through the process with tools that may not be FedRAMP or GovRAMP Authorized yet. Service providers can use more suppliers from the marketplace and continue to do business with state and local governments. By expanding the market, costs may be reduced.
To learn more about GovRAMP's Authorization Boundary guidance, please visit here.