Skip to content

M-24-15 Section III. Scope of FedRAMP

The Act charges OMB with specifying the categories or characteristics of cloud computing products and services that receive authorizations through FedRAMP.1 Agencies must obtain and maintain a FedRAMP authorization when the cloud product or service falls within the scope of this section.

FedRAMP's goal is to ensure that Federal information systems and Federal information continue to be protected, even when the agency that owns those systems and information does not have complete control over them. FedRAMP does not apply to every use of an internet- based service by a Federal agency.

The Scope of FedRAMP

The scope of FedRAMP is cloud computing products and services (such as IaaS, Platform-as-a-Service (PaaS), and SaaS) that create, collect, process, store, or maintain Federal information on behalf of a Federal agency, and that are not otherwise specified as out of scope below.2

Outside the Scope of FedRAMP

The following categories of cloud computing products and services are specified as outside the scope of FedRAMP, subject to exceptions made by the FedRAMP Director with the approval of OMB:

  1. Information systems that are only used for a single agency's operations, hosted on cloud infrastructure or platform, and are not offered as a shared service or do not operate with a shared responsibility model;

  2. Social media and communications platforms used in accordance with agency social media policies;

  3. Search engines;

  4. Widely available services that provide commercially available information to agencies, but do not collect Federal information;

  5. Ancillary services whose compromise would pose a negligible risk to Federal information or information systems, such as systems that make external measurements or only ingest information from other publicly available services; and

  6. Any other categories of products or services identified for exclusion by the FedRAMP Board, with the concurrence of the Federal CIO.

Guidelines and Examples

New types of cloud products and services are frequently introduced in the cloud marketplace. As this landscape continues to grow and change, FedRAMP should adapt with it. FedRAMP, in consultation with OMB, will publish guidelines for interpreting the categories above, with supporting examples that clearly illustrate what types of services are in and out of scope.

Guidelines and Examples for the Scope of FedRAMP

The guidelines and examples regarding the Scope of FedRAMP are available at fedramp.gov/docs/authority/scope.

  1. 44 U.S.C. § 3614(1)(A). 

  2. This scope applies only to information systems that process unclassified information and are not national security systems as defined in 44 U.S.C. § 3552.