FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards
Friday, May 2, 2025
Print Mail Download info_icon_img/>i

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)

Of particular note, there are two draft standards for public comment: (1) the Significant Change Notification Standard, which will replace the current standard with a new process that allows cloud service providers to make changes without prior approval from the government; and (2) the Minimum Assessment Scope Standard, which will replace the current Authorization Boundary guidance materials (previously summarized here). The public comment period for both standards currently is open until May 25, 2025.

Significant Change Notification Standard

Currently, the significant change process requires cloud service providers (“CSPs”) to provide 30 days’ notice to the authorizing official requesting approval prior to implementing a “significant change.” Examples of a “significant change” in current FedRAMP guidance include adding new technology or external services, removing system components or service offerings, and adding or removing security controls, among others. If a CSP fails to submit the required significant change request to the authorizing agency official for review and approval, the authorizing agency can suspend or revoke the authorization.

The draft Significant Change Notification Standard acknowledges the burden and inefficiencies associated with the existing process and will permit CSPs to implement certain changes that are in the best interest of agency customers without obtaining prior approval. Below are key points from the updated Significant Change Notification Standard:

  • Tiered Notification Framework: The Standard introduces a tiered framework with new definitions describing the types of changes a CSP may make to its FedRAMP environment.
    • Adaptive change” means any significant change that adjusts existing components or functionality of the cloud service offering. The Standard notes this is the least impactful type of significant change. Adaptive changes, which are characterized as significant but routine, may be made as appropriate without consultation with the CSP’s federal agency customers.
    • Transformative change” means any significant change that adds, replaces, or removes major components and functionality of the cloud service offering. Transformative changes, which are characterized as major functionality changes, require the CSP to consult with agency customers in advance. The Standard provides proposed time frames for this consultation (e.g., CSP must provide notice to agency customers at least 14 calendar days in advance of the monthly monitoring meeting to first discuss planned transformative changes).
    • Impact categorization change” means any significant change that is likely to increase or decrease the impact level rating for the cloud service (e.g., from Low to Moderate or from High to Moderate). Impact categorization changes require reauthorization and are the most impactful type of significant change.
  • Notification Information: The updated standard provides a list of required information to be submitted by the CSP depending on the type of significant change. For Adaptive changes, CSPs must submit the date of the change, a summary of the steps taken to verify and assess controls after implementation, and a summary of any new risks identified and any Plan of Action or Milestones (“POA&Ms”) that resulted from the change. The required information for Transformative changes expands on this list and requires information regarding whether the planned change is “opt in” and how to opt in if applicable, details on service components and controls affected, and a copy of the security assessment plan.

Comments may be submitted using the discussion thread, the public comment form, or by emailing pete@fedramp.gov with the subject “RFC-0007 Feedback.”

Minimum Assessment Scope Standard

The draft Minimum Assessment Scope Standard will take the place of the current FedRAMP Boundary Policy / Boundary Guidance. The Minimum Assessment Scope Standard seeks to replace the current FedRAMP authorization boundary approach with “a simple and reasonable test” for determining the information and resources to be included in the FedRAMP assessment. By removing unnecessary detail or specifics, the new approach aims to help FedRAMP move from compliance-based decision making to security-based decision making and assessment.

The streamlined approach provides that the Minimum Assessment Scope includes all information resources managed by a CSP and its cloud service offering that: (1) handle federal information; and/or (2) likely impact confidentiality, integrity, or availability of federal information. The Minimum Assessment Scope standard provides six clarifications on how to apply the Minimum Assessment Scope:

  • Information resources and metadata that do not meet condition (1) or (2) are outside the Minimum Assessment Scope.
  • If the cloud service uses information resources from other FedRAMP authorized or certified services then only the configuration and usage of those information resources is included in the Minimum Assessment Scope.
  • If the cloud service uses information resources from other services that are not FedRAMP authorized or certified then all aspects of those services where (1) or (2) applies are included in the Minimum Assessment Scope.
  • Software and other such products (including agents and clients) that are installed, managed, and operated on agency information systems are outside the scope of FedRAMP. Any information resources in the cloud service that control or communicate with such products are within the Minimum Assessment Scope if (1) or (2) applies.
  • Information resources of the service offering may vary by impact level as appropriate to the level of information handled or impacted by the information resource so long as this is clearly identified and documented.
  • Stakeholders should review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.

The new standard represents a marked change in approach, particularly it seems with respect to metadata or indirect data, which we expect may be a hot topic during the comment period. Comments may be submitted using the discussion thread, the public comment form, or by emailing pete@fedramp.gov with the subject “RFC-0005 Feedback.”

Listen to this post

Copyright © 2025, Sheppard Mullin Richter & Hampton LLP.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF AUCTION OF ASSETS: Rustic Crust, Inc
Published: 2 May, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 24 April, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Starved Rock Wood Products LLC
Published: 24 April, 2025
PUBLIC NOTICE OF AUCTION OF ASSETS: BOKKSU INC. AND JAPAN CRATE ACQUISITION LLC
Published: 21 April, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: LQD LOANS TWO, LCC
Published: 7 April, 2025
PUBLIC NOTICE OF RECEIVERS SALE: Gladstone Food Products
Published: 7 April, 2025
PUBLIC NOTICE OF CHAPTER 11 SALE: S&G Hospitality, INC
Published: 1 April, 2025
PUBLIC NOTICE OF RECEIVER’S SALE: LANDSCAPING SUBCONTRACTOR
Published: 31 March, 2025
PUBLIC NOTICE OF 363 SALE: Elmer Buchta Trucking
Published: 31 March, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: PHILLIPS AMSTERDAM II LLC
Published: 31 March, 2025
Discover more public notices

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

All American AI: New OMB Memos Set Priorities for Federal AI Use and Acquisition
by: Townsend L. Bourne
CFPB Late Fee Rule Vacated by Texas Federal Court
by: A.J. S. Dhaliwal , Mehul N. Madia
FDIC Orders Bank to Pay $1.225 Billion for Alleged Interchange Fee Misclassification
by: A.J. S. Dhaliwal , Mehul N. Madia
Texas Legislature Proposes Disclosure Rules for Commercial Sales-Based Financing
by: A.J. S. Dhaliwal , Mehul N. Madia
Colorado Overhauls Money Transmission Law to Align with Multistate Licensing Standards
by: A.J. S. Dhaliwal , Mehul N. Madia
D.C. Circuit Reinstates Injunction Blocking CFPB’s Mass Layoffs
by: A.J. S. Dhaliwal , Mehul N. Madia
CFPB Dismisses Two Actions Against Student Loan Trusts and Subprime Auto Lender
by: A.J. S. Dhaliwal , Mehul N. Madia
Breaking Down the Bifurcated PTAB Review Process: What the USPTO’s Recent FAQ Drop Reveals
by: Daniel N. Yannuzzi
Have Employees in Wyoming? Start Preparing for the Non-Compete Ban
by: Shawn D. Fabian , Mikayla Brody
Inferential Leaps and Conclusory Kickback Allegations Remain Verboten in False Claims Act Complaints
by: David T. Fischer , Madeline Townsley
Ninth Circuit En Banc Reverses Panel Decision and Holds Non-Resident Corporation Providing Web-Based Payment Processing Platform Is Subject to Specific Personal Jurisdiction in California
by: John P. Stigi III , Tori D. Kutzner
Lessons from the FTC: The Cleo AI Settlement
by: Liisa M. Thomas , Kathryn Smith
Navigating Nasdaq and NYSE: Essential Insights for Companies
by: Nazia J. Khan

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters