What is an Authorization Boundary?
In diagram terms, it is the scope. In security terms, it is the most important.
You know, in my professional life, I’ve received dozens of compliments that stick out in memory. One I received in the past year was given to my team at my company by GovRAMP about the diagrams I made for 7 products we applied for and acheived GovRAMP Ready. And one we had applied for FedRAMP authorized, which is still pending.
Someone at GovRAMP told my team, mine, were the best diagrams they’ve ever seen.
*blush*
But what did I do to deserve this compliment? How did I design the diagrams that stood out from the rest? It really just took understanding the FedRAMP and GovRAMP Authorization Boundary Guidance, and applying it to internal systems diagrams.
While I literally cannot show you what I created for my old company (security, ownership and data privacy issues), I can tell you some tips to make your diagrams shine.
First, what is an Authorization Boundary Diagram and why is it so important?
Three years ago I was asking this question to myself. Our company was planning to seek those aforementioned certs. and I had never made one. First step. Look it up. I went to NIST’s definition:
All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.
https://csrc.nist.gov/glossary/term/authorization_boundary
And reading that definition 3 times over still confused….
I found FedRAMP’s instructions, as GovRAMPwas still writing the documents for their own guidance. There were…pages (and pdfs.)
Does it ever feel like you just aren’t speaking the same language?? “But what does it meeean?” kept popping up in my head. FedRAMP is currently working hard to improve understanding of the Authorization Boundary diagram, but until they produce more documentation…you have me.
So let me sum it up:
ABDs = scope.
Authorization Boundary Diagrams are what certifying officials (RampQuest’s PMOs or FedRAMPs AOs) and third party auditors (3PAOs) use to determine what to certify. They also do more, before you ever get to application for FedRAMP, GovRAMP, TX-RAMP, AzRAMP(transitioning to GovRAMP) or COV Ramp (VITA) certification, the practice of drawing an Authorization Boundary Diagram is essential to understanding your system and its adherence to best security practices. By drawing this diagram, you find out what you are doing right and what you need to fix. It should be the first step when seeking any compliance certs. You need to know what you have in scope.
Scope isn’t as simple as it sounds. It is nuanced. In short, everything inside the boundary is what you control and are seeking certification on, everything outside is either not yours to control or not part of what you are seeking certification on. But are we also thinking about the supply chain?
Because scope is a complex issue parading as a short business word. I’m going to break it up in a series of posts. 3 main scope considerations:
Hi! I’m the Diagram Gal 🙂
Trying to make sense of it all.
How a humorous customer exchange started me thinking…”But what does it mean?”
Key Differences between FedRAMP and GovRAMP Certifications
FedRAMP Authorization Boundary Examples & Decision Questions
Example 1: SaaS on Authorized IaaS
A software company provides a Project Management SaaS. They host their application on AWS GovCloud (an authorized IaaS).
- Inside the Boundary: The application code, the database containing federal project files, the customer-facing web portal, and the CSP’s internal management subnet.
- Outside the Boundary: The underlying AWS physical data centers (inherited via FedRAMP), and the customer’s local laptops.
Example 1 FedRAMP Authorization Boundary Diagram & Discussion
Right click on the image above to open in a new tab or window for better visibility.Question 1.1: Can you find any services that may need to be switched for a different provider?
- The items in the purple box labeled “External Services without FedRAMP authorization all need evaluation. Do they receive Federal Data or affect the Confidentiality, Integrity or Availability of the system? If yes, then yes they will need to be addressed and communicated with your sponsor to determine best path forward.
Question 1.2: Of the 2 items listed as outside the boundary, customer’s local laptops and the underlying physical data centers, which could be considered part of this system’s supply chain and relevant to its authorization?
- The data centers must have a FedRAMP authorization to be considered an acceptable infrastructure provider in the system’s supply chain. As it stands the certification of the infrastructure is inherited from AWS’s own FedRAMP certification and does not need to be included in the boundary diagram.
Example 2: Interconnected API Services
A CSP uses a third-party service for automated address validation. What details must be true for the 3rd party to be in boundary and acceptable for use?
- Boundary Inclusion: If the CSP sends federal addresses to the third party for validation, that data flow and the external API must be depicted.
- Boundary Exclusion: If the CSP uses a public weather API that does not receive any federal data, it is typically excluded from the boundary as it poses no risk to CIA. Question: does this no-risk service need FedRAMP authorization?
Example 2 FedRAMP Authorization Boundary Interconnected API Services Quandary & Discussion
Right click on the image above to open in a new tab or window for better visibility.Question 2.1: What indicates that the external connection must be FedRAMP authorized?
- In the case of the external connection to the weather service, the value data, the weather data, is entering the boundary rather than leaving the boundary. Therefore the data does not belong to the SaaS system or the sponsoring Federal Agency. The security of the originating system is not in scope, but also poses a low risk.
- In the case of the external connection to the weather service, the value data, the weather data, is entering the boundary rather than leaving the boundary. Therefore the data does not belong to the SaaS system or the sponsoring Federal Agency. The security of the originating system is not in scope, but also poses a low risk.
Question 2.2: What constitutes a “no-risk” service?
- Very few things have a zero risk, but we know some data will not affect the CIA of the system and will be very low risk.
- Ingress Data is generally coming into the system is low risk
- Some egress data, such as requests for information, may be low risk and should be discussed with your Federal sponsor for approval of the determination.
GovRAMP Authorization Boundary Requirements and Compliance
In early 2025, StateRAMP transitioned to GovRAMP to better reflect its growing role across state, local, tribal, and territorial (SLTT) governments. While it mirrors FedRAMP’s reliance on NIST 800-53, GovRAMP introduces unique mechanisms for boundary management.
The “Security Snapshot” Requirement
GovRAMP is famously flexible regarding the “chicken and the egg” problem of third-party suppliers. The program is fairly new, therefore, impossibly difficult to fully mimic the FedRAMP process of ensuring external data connections must be already GovRAMP certified. Under GovRAMP Boundary Guidance:
- CSPs can use third-party tools that are not yet authorized if those tools complete a GovRAMP Security Snapshot.
- This allows a CSP to achieve Provisionally Authorized status while their supply chain works toward full compliance.
Compliance Statuses
- Ready: The boundary is defined and the 3PAO (Third-Party Assessment Organization) confirms the system meets minimum requirements.
- Authorized: The highest level, requiring full compliance with all controls by impact level (Low, Moderate, or High).
GovRAMP Authorization Boundary Examples
Example 3: Multi-State Educational Platform
An EdTech CSP provides a student portal used by 15 different state universities.
- The Boundary: Includes the application, student PII databases, and the authentication system (e.g., Okta, Azure Entra).
- The Nuance: Because GovRAMP covers a wide range of sensitive non-federal info a.k.a. SLED (like student records), the boundary often includes specific data-sharing interconnections between different state agencies that wouldn’t exist in a federal-only environment.
Example 3 GovRAMP Authorization Boundary Diagram of Student Platform with Federated Azure Authentication & Discussion
Right click on the image above to open in a new tab or window for better visibility.Question 3.1: Public School systems may need to send records to each student’s record stored in the relational database. If the public school systems cannot afford GovRamp certification, will this connection be a roadblock to achieving GovRamp Authorized?
- The data from the public schools are being sent electronically but records from the platform are not being shared back to the public school system, therefore, as long as no student PII is returned back, their systems are out of scope for the Authorization Boundary.
Question 3.2: Should this example organization start with or make Ready their end goal? How do they make this decision?
- All external connections should be evaluated, not just the trusted Federated Identity Management. However, in this case the Federated Identity Management connects only University Azure Active Directories which all inherit FedRAMP authorization from Azure.
- Perhaps the connection to the public high school should not be routed via the Federated Identity Service, but instead have a direct API managed access into isolated storage accounts which then can be integrated individually into the student records by the application. This migration would require an additional time and cost to accomplish. Another option is to have the CSP pay for a snapshot for each of the connected High Schools. A Business Impact Analysis, Risk Assessment, and potentially a significant change request would all need to be documented to support the decision making and the auditing process.
Example 4: Supply Chain “Snapshot” Integration
A GovRAMP SaaS uses a non-authorized logging tool for system health.
Compliance Path: Instead of being blocked (as might happen in FedRAMP), the logging tool provider submits a Security Snapshot. The SaaS provider includes this “Snapshot” in their GovRAMP package, and the Approvals Committee reviews the risk score as part of the boundary.
Example 4 GovRAMP Authorization Boundary Diagram with Supply Chain Snapshots
Right click on the image above to open in a new tab or window for better visibility.Question 4.1: which impact level is right for the example organization? How do they make that decision?
- In this case, the Universities involved may have to show GovRamp Authorized Compliance per State Law. Investing in a GovRamp snapshot for each external system that processes system data is well worth the cost to receive full authorization status. It will also help identify any external services that should be replaced with a different service provider if they cannot pass the snapshot. It helps to ensure supply chain due diligence.