Authorization Boundary Diagram Examples

When you have a good Authorization Boundary Diagram developed, you will start to develop questions.

  • How do I know if a service we use has FedRAMP or GovRAMP certifications?
  • What is the cost of upgrading to a FedRAMP authorized external service?
  • Should I bring this element into my boundary?
  • What data is being shared? Does that data belong to a federal, state, tribal or local government or educational institution?
  • Does that data affect the confidentiality, integrity or availability of the system?

FedRAMP Authorization Boundary Diagram Examples for a Cloud Based Application

Example 1: SaaS on Authorized IaaS

A software company provides a Project Management SaaS. They host their application on AWS GovCloud (an authorized IaaS).

  • Inside the Boundary: The application code, the database containing federal project files, the customer-facing web portal, and the CSP’s internal management subnet. 
  • Outside the Boundary: The underlying AWS physical data centers (inherited via FedRAMP), and the customer’s local laptops. 
Example 1 FedRAMP Authorization Boundary Diagram & Discussion

Question 1.1: Can you find any services that may need to be switched for a different provider?

  • The items in the purple box labeled “External Services without FedRAMP authorization” all need evaluation. Do they receive Federal Data or affect the Confidentiality, Integrity or Availability of the system? If yes, they will need to be addressed and communicated to your sponsor to determine the best path forward.

Question 1.2: Of the 2 items listed as outside the boundary, customer’s local laptops and the underlying physical data centers, which could be considered part of this system’s supply chain and relevant to its authorization?

  • The data centers must have a FedRAMP authorization to be considered an acceptable infrastructure provider in the system’s supply chain. As it stands, the certification of the infrastructure is inherited from AWS’s own FedRAMP certification and does not need to be included in the boundary diagram.

Example 2: Interconnected API Services

A CSP uses a third-party service for automated address validation. What details must be true for the 3rd party to be in boundary and acceptable for use?

  • Boundary Inclusion: If the CSP sends federal addresses to the third party for validation, that data flow and the external API must be depicted. 
  • Boundary Exclusion: If the CSP uses a public weather API that does not receive any federal data, it is typically excluded from the boundary as it poses no risk to CIA. Question: does this no-risk service need FedRAMP authorization?

Example 2 FedRAMP Authorization Boundary Interconnected API Services Quandary & Discussion

Question 2.1: What indicates that the external connection must be FedRAMP authorized?

  • In the case of the external connection to the weather service, the data of value, the weather data, is entering the boundary rather than leaving it. The data therefore does not belong to the SaaS system or the sponsoring Federal Agency. The security of the originating system is not in scope, and the connection also poses a low risk.

Question 2.2: What constitutes a “no-risk” service?

  • Very few things have a zero risk, but we know some data will not affect the CIA of the system and will be very low risk.
  • Ingress data, that is, data coming into the system, is generally low risk.
  • Some egress data, such as requests for information, may be low risk and should be discussed with your Federal sponsor for approval of the determination.
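
The questions above can be run as a repeatable triage over the inventory of external connections before the diagram is drawn. The sketch below is an added example, not part of the original guidance: the field names, the action labels and every inventory row other than the address-validation and weather services are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalService:
    name: str
    fedramp_authorized: bool      # provider holds its own FedRAMP authorization
    receives_federal_data: bool   # federal data leaves the boundary toward it
    affects_cia: bool             # can affect confidentiality, integrity or availability
    direction: str                # "ingress" or "egress", relative to the boundary

def triage(svc: ExternalService) -> str:
    """Return the action for one external connection (labels are this example's own)."""
    if svc.direction not in ("ingress", "egress"):
        raise ValueError(f"{svc.name}: unknown direction {svc.direction!r}")
    if svc.receives_federal_data or svc.affects_cia:
        # Federal data or CIA impact: the flow and the service go on the diagram.
        if svc.fedramp_authorized:
            return "DEPICT"
        # Unauthorized provider: evaluate and agree a path forward with the sponsor.
        return "DEPICT_AND_RAISE_WITH_SPONSOR"
    if svc.direction == "ingress":
        # Data only enters the boundary and is not federal data.
        return "TYPICALLY_EXCLUDED"
    # Egress without federal data, e.g. a request for information.
    return "SPONSOR_APPROVES_DETERMINATION"

# Constructed inventory; the first two rows mirror Example 2, the rest are hypothetical.
INVENTORY = [
    ExternalService("address-validation-api", False, True, False, "egress"),
    ExternalService("public-weather-api", False, False, False, "ingress"),
    ExternalService("authorized-email-relay", True, True, False, "egress"),
    ExternalService("public-holiday-lookup", False, False, False, "egress"),
]

def triage_all(inventory):
    """Triage every connection and return {service name: action}."""
    return {svc.name: triage(svc) for svc in inventory}

if __name__ == "__main__":
    for name, action in triage_all(INVENTORY).items():
        print(f"{name:26} {action}")
```

The output is a worklist for the conversation with the sponsor, not a determination; each row still needs the data-ownership and CIA questions answered by someone who knows the system.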

GovRAMP Authorization Boundary Diagram Examples for a Cloud Based Application

Example 3: Multi-State Educational Platform

An EdTech CSP provides a student portal used by 15 different state universities.

  • The Boundary: Includes the application, student PII databases, and the authentication system (e.g., Okta, Azure Entra). 
  • The Nuance: Because GovRAMP covers a wide range of sensitive non-federal information, a.k.a. SLED (like student records), the boundary often includes specific data-sharing interconnections between different state agencies that wouldn’t exist in a federal-only environment.
Example 3 GovRAMP Authorization Boundary Diagram of Student Platform with Federated Azure Authentication & Discussion

Question 3.1: Public school systems may need to send records to each student’s record stored in the relational database. If the public school systems cannot afford GovRAMP certification, will this connection be a roadblock to achieving GovRAMP Authorized?

  • The data from the public schools is being sent electronically, but records from the platform are not being shared back to the public school system. Therefore, as long as no student PII is returned, their systems are out of scope for the Authorization Boundary.

Question 3.2: Should this example organization start with Ready or make it their end goal? How do they make this decision?

  • All external connections should be evaluated, not just the trusted Federated Identity Management. However, in this case the Federated Identity Management connects only University Azure Active Directories, which all inherit FedRAMP authorization from Azure.
  • Perhaps the connection to the public high school should not be routed via the Federated Identity Service, but should instead have direct, API-managed access into isolated storage accounts, which can then be integrated individually into the student records by the application. This migration would require additional time and cost to accomplish. Another option is to have the CSP pay for a snapshot for each of the connected High Schools. A Business Impact Analysis, a Risk Assessment, and potentially a significant change request would all need to be documented to support the decision making and the auditing process.

Example 4: Supply Chain “Snapshot” Integration

A GovRAMP SaaS uses a non-authorized logging tool for system health.

Compliance Path: Instead of being blocked (as might happen in FedRAMP), the logging tool provider submits a Security Snapshot. The SaaS provider includes this “Snapshot” in their GovRAMP package, and the Approvals Committee reviews the risk score as part of the boundary.  

Example 4 GovRAMP Authorization Boundary Diagram with Supply Chain Snapshots

Question 4.1: Which impact level is right for the example organization? How do they make that decision?

  • In this case, the Universities involved may have to show GovRAMP Authorized compliance per State Law. Investing in a GovRAMP snapshot for each external system that processes system data is well worth the cost to receive full authorization status. It will also help identify any external services that should be replaced with a different service provider if they cannot pass the snapshot. It helps to ensure supply chain due diligence.