The Rev5 FedRAMP Boundary
There are 4 applicable rulesets with 45 total applicable rules.
| Ruleset | Summary |
|---|---|
| Certification Data Sharing (CDS) | The Certification Data Sharing rules allow providers to store and share FedRAMP certification information through the platform they choose as long as it follows FedRAMP rules for access, accuracy, and transparency. This helps customers and the public review consistent, current security and compliance information while recognizing that the information usually remains the provider's intellectual property and is not federal information. Applicable Rules: 20 |
| Cryptographic Module Use (CMU) | The Cryptographic Module Use rules clarify how providers should select and use cryptographic modules. These rules allow risk-based decisions for some services while still encouraging validated cryptographic modules whenever they are technically feasible and reasonable. Applicable Rules: 3 |
| Minimum Assessment Scope (MAS) | The Minimum Assessment Scope rules help providers define assessment boundaries narrowly enough to avoid unnecessary review of components that do not affect the offering's security. These rules still ensure the assessment includes the resources and connections needed to understand the offering's confidentiality, integrity, and availability. Applicable Rules: 5 |
| Vulnerability Detection and Response (VDR) | The Vulnerability Detection and Response rules require providers to continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures through automated systems. These rules give providers flexibility in implementation while ensuring agencies receive the information needed to support ongoing authorization decisions. Applicable Rules: 17 |