FedRAMP Scope

Understanding FedRAMP Scope (OMB M-24-15)

This page outlines the scope of the Federal Risk and Authorization Management Program (FedRAMP) as defined in OMB Memorandum M-24-15 and provides context for its application.

Background

OMB Memorandum M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP),” updated FedRAMP’s scope by defining the categories or characteristics of cloud computing products and services that are subject to FedRAMP authorization. That scope definition is reproduced below. M-24-15 also mandated clarifying guidance (see draft details below) to help agencies interpret the categories and exclusions and to facilitate FedRAMP applicability determinations.

Scope of FedRAMP (from OMB M-24-15, Section 3)

The Act charges OMB with specifying the categories or characteristics of cloud computing products and services that receive authorizations through FedRAMP.[5] Agencies must obtain and maintain a FedRAMP authorization when the cloud product or service falls within the scope of this section.

FedRAMP’s goal is to ensure that Federal information systems and Federal information continue to be protected, even when the agency that owns those systems and information does not have complete control over them. FedRAMP does not apply to every use of an internet-based service by a Federal agency.

The scope of FedRAMP is cloud computing products and services (such as IaaS, Platform-as-a-Service (PaaS), and SaaS) that create, collect, process, store, or maintain Federal information on behalf of a Federal agency, and that are not otherwise specified as out of scope below.[6]

The following categories of cloud computing products and services are specified as outside the scope of FedRAMP, subject to exceptions made by the FedRAMP Director with the approval of OMB:

1) Information systems that are only used for a single agency’s operations, hosted on cloud infrastructure or platform, and are not offered as a shared service or do not operate with a shared responsibility model;

2) Social media and communications platforms used in accordance with agency social media policies;

3) Search engines;

4) Widely available services that provide commercially available information to agencies, but do not collect Federal information;

5) Ancillary services whose compromise would pose a negligible risk to Federal information or information systems, such as systems that make external measurements or only ingest information from other publicly available services; and

6) Any other categories of products or services identified for exclusion by the FedRAMP Board, with the concurrence of the Federal CIO.


[5] 44 U.S.C. § 3614(1)(A).
[6] This scope applies only to information systems that process unclassified information and are not national security systems as defined in 44 U.S.C. § 3552.

Further Guidance (RFC-0010)

For more detailed interpretive technical assistance on the FedRAMP scope, including illustrative examples for the exclusion categories defined in M-24-15, we are seeking input on the following Request for Comment (RFC): RFC-0010: FedRAMP Scope Interpretation Technical Assistance. The comment period is open until June 15, 2025.