
Minimum Assessment Scope

Effective Date(s) & Overall Applicability for 20x

  • Required (Phase 2 Pilot)
  • Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.
  • Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review.

Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity or accessibility of the offering. The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.

Version 25.11C published on 2025-12-01

History:

| ID | Published | Description |
|---|---|---|
| 25.11C | 2025-12-01 | No material changes to content; replaced references to "standard" with "process" or "documentation" as appropriate. |
| 25.11C | 2025-11-26 | No material changes to content; underlying JSON replaced the "All" option for "affects" with a breakout of all affected entities. |
| 25.11B | 2025-11-24 | No material changes to content; updated JSON structure with additional information about Rev5 application added. |
| 25.11A | 2025-11-18 | Minor updates for the FedRAMP 20x Phase Two pilot and Rev5 Open Beta. |
| 25.10A | 2025-10-17 | Minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes. |
| 25.06B | 2025-08-24 | Minor non-breaking updates to align term definitions and highlighted terms across updated materials (definitions are now in FRD-ALL). |
| 25.06A | 2025-06-17 | Minor non-breaking updates for clarity and formatting; renamed to Minimum Assessment Scope to avoid confusion with the Scope of FedRAMP as defined by M-24-15; reframed FRR-MAS-01 to explicitly note that this identifies the cloud service offering. |
| 25.05A | 2025-05-30 | Initial release of the Minimum Assessment Scope Standard. |

Background & Authority

  • OMB Circular A-130: Managing Information as a Strategic Resource Section 10 states that an "Authorization boundary" includes "all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected." and further adds in footnote 64 that "Agencies have significant flexibility in determining what constitutes an information system and its associated boundary."
  • NIST SP 800-37 Rev. 2 Chapter 2.4 footnote 36 similarly states that "the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization)."
  • FedRAMP Authorization Act (44 USC § 3609 (a) (4)) requires the General Services Administration to "establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization."

Requirements & Recommendations

These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.

FRR-MAS-01 Cloud Service Offering Identification

Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.

Applies to: Low, Moderate, High

FRR-MAS-02 Third-Party Information Resources

Providers MUST include the configuration and usage of third-party information resources, ONLY IF FRR-MAS-01 APPLIES.

Applies to: Low, Moderate, High

FRR-MAS-03 Non-FedRAMP Authorized Third-Party Information Resources

Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to federal customer data from the configuration and usage of non-FedRAMP authorized third-party information resources, ONLY IF FRR-MAS-01 APPLIES.

Applies to: Low, Moderate, High

FRR-MAS-04 Metadata Inclusion

Providers MUST include metadata (including metadata about federal customer data), ONLY IF FRR-MAS-01 APPLIES.

Applies to: Low, Moderate, High

FRR-MAS-05 Information Flows and Impact Levels

Providers MUST clearly identify, document, and explain information flows and impact levels for ALL information resources, ONLY IF FRR-MAS-01 APPLIES.

Applies to: Low, Moderate, High


Application

This section provides general guidance on the application of this process.

FRR-MAS-AY-01 Scope of FedRAMP

Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.

Applies to: Low, Moderate, High

FRR-MAS-AY-02 Non-Cloud-Based Software

Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.

Applies to: Low, Moderate, High

FRR-MAS-AY-03 Exclusion of Non-Impacting Information Resources

Information resources (including third-party information resources) that do not meet the conditions in FRR-MAS-01 are not included in the cloud service offering for FedRAMP (FRR-MAS-02).

Applies to: Low, Moderate, High

FRR-MAS-AY-04 Impact Level Variations

Information resources (including third-party information resources) MAY vary by impact level as appropriate to the level of information handled or impacted by the information resource (FRR-MAS-05).

Applies to: Low, Moderate, High

FRR-MAS-AY-05 Review of Best Practices

All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.

Applies to: Low, Moderate, High

FRR-MAS-AY-06 Cloud Service Offering Determination

All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.

Applies to: Low, Moderate, High


Exceptions

These exceptions MAY override some or all of the FedRAMP requirements for this process.

FRR-MAS-EX-01 Supplemental Information

Providers MAY include documentation of information resources beyond the cloud service offering, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.

Applies to: Low, Moderate, High