Minimum Assessment Scope¶

Effective Date(s) & Overall Applicability for Rev5

Optional (Wide Release) beginning 2026-01-12.
Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP boundary after January 12, 2026.
Providers MUST follow the Significant Change Request process (or Significant Change Notification if applicable) to transition from the traditional boundary to the MAS, and this change must be assessed by a FedRAMP recognized assessor.
Providers adopting this process MUST comply with ALL requirements and recommendations, including documentation. Templates are not provided for Rev5 MAS adoption so it is up to the provider to minimize confusion.
Rev5 Authorized providers who switch from a traditional FedRAMP boundary to the MAS MUST notify FedRAMP by sending an email to info@fedramp.gov.
All new Rev5 authorizations in progress that use the MAS must clearly mark all authorization data to indicate adoption of the MAS.
The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process.

Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity or accessibility of the offering. The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.

Version 25.11C published on 2025-12-01

History:

ID	Published	Description
25.11C	2025-12-01	No material changes to content; replaced references to "standard" with "process" or "documentation" as appropriate.
25.11C	2025-11-26	No material changes to content; underlying JSON replaced the "All" option for "affects" with a breakout of all affected entities.
25.11B	2025-11-24	No material changes to content; updated JSON structure with additional information about Rev5 application added.
25.11A	2025-11-18	Minor updates for the FedRAMP 20x Phase Two pilot and Rev5 Open Beta.
25.10A	2025-10-17	minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.
25.06B	2025-08-24	Minor non-breaking updates to align term definitions and highlighted terms across updated materials (definitions are now in FRD-ALL).
25.06A	2025-06-17	Minor non-breaking updates for clarity and formatting; renamed to Minimum Assessment Scope to avoid confusion with the Scope of FedRAMP as defined by M-24-15;reframed FRR-MAS-01 to explicitly note that this identifies the cloud service offering
25.05A	2025-05-30	Initial release of the Minimum Assessment Scope Standard.

Background & Authority

OMB Circular A-130: Managing Information as a Strategic Resource Section 10 states that an "Authorization boundary" includes "all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected." and further adds in footnote 64 that "Agencies have significant flexibility in determining what constitutes an information system and its associated boundary."
NIST SP 800-37 Rev. 2 Chapter 2.4 footnote 36 similarly states that "the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization)."
FedRAMP Authorization Act (44 USC § 3609 (a) (4)) Requires the General Services Administration to "establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization."

Requirements & Recommendations¶

These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.

FRR-MAS-01 Cloud Service Offering Identification¶

Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering.