FedRAMP 20x – Update on Significant Change Process and Assessment Scope Standards
Friday, May 2, 2025
Print Mail Download info_icon_img/>i

Last month, the federal government announced a major overhaul of the Federal Risk and Authorization Management Program (“FedRAMP”) called “FedRAMP 20x” (we discussed the initiative here). FedRAMP 20x is moving forward fast – with new authorizations, community engagement efforts, standards documents, and the Phase One pilot program. (More information about the Phase One pilot program is available here.)

Of particular note, there are two draft standards for public comment: (1) the Significant Change Notification Standard, which will replace the current standard with a new process that allows cloud service providers to make changes without prior approval from the government; and (2) the Minimum Assessment Scope Standard, which will replace the current Authorization Boundary guidance materials (previously summarized here). The public comment period for both standards currently is open until May 25, 2025.

Significant Change Notification Standard

Currently, the significant change process requires cloud service providers (“CSPs”) to provide 30 days’ notice to the authorizing official requesting approval prior to implementing a “significant change.” Examples of a “significant change” in current FedRAMP guidance include adding new technology or external services, removing system components or service offerings, and adding or removing security controls, among others. If a CSP fails to submit the required significant change request to the authorizing agency official for review and approval, the authorizing agency can suspend or revoke the authorization.

The draft Significant Change Notification Standard acknowledges the burden and inefficiencies associated with the existing process and will permit CSPs to implement certain changes that are in the best interest of agency customers without obtaining prior approval. Below are key points from the updated Significant Change Notification Standard:

  • Tiered Notification Framework: The Standard introduces a tiered framework with new definitions describing the types of changes a CSP may make to its FedRAMP environment.
    • Adaptive change” means any significant change that adjusts existing components or functionality of the cloud service offering. The Standard notes this is the least impactful type of significant change. Adaptive changes, which are characterized as significant but routine, may be made as appropriate without consultation with the CSP’s federal agency customers.
    • Transformative change” means any significant change that adds, replaces, or removes major components and functionality of the cloud service offering. Transformative changes, which are characterized as major functionality changes, require the CSP to consult with agency customers in advance. The Standard provides proposed time frames for this consultation (e.g., CSP must provide notice to agency customers at least 14 calendar days in advance of the monthly monitoring meeting to first discuss planned transformative changes).
    • Impact categorization change” means any significant change that is likely to increase or decrease the impact level rating for the cloud service (e.g., from Low to Moderate or from High to Moderate). Impact categorization changes require reauthorization and are the most impactful type of significant change.
  • Notification Information: The updated standard provides a list of required information to be submitted by the CSP depending on the type of significant change. For Adaptive changes, CSPs must submit the date of the change, a summary of the steps taken to verify and assess controls after implementation, and a summary of any new risks identified and any Plan of Action or Milestones (“POA&Ms”) that resulted from the change. The required information for Transformative changes expands on this list and requires information regarding whether the planned change is “opt in” and how to opt in if applicable, details on service components and controls affected, and a copy of the security assessment plan.

Comments may be submitted using the discussion thread, the public comment form, or by emailing pete@fedramp.gov with the subject “RFC-0007 Feedback.”

Minimum Assessment Scope Standard

The draft Minimum Assessment Scope Standard will take the place of the current FedRAMP Boundary Policy / Boundary Guidance. The Minimum Assessment Scope Standard seeks to replace the current FedRAMP authorization boundary approach with “a simple and reasonable test” for determining the information and resources to be included in the FedRAMP assessment. By removing unnecessary detail or specifics, the new approach aims to help FedRAMP move from compliance-based decision making to security-based decision making and assessment.

The streamlined approach provides that the Minimum Assessment Scope includes all information resources managed by a CSP and its cloud service offering that: (1) handle federal information; and/or (2) likely impact confidentiality, integrity, or availability of federal information. The Minimum Assessment Scope standard provides six clarifications on how to apply the Minimum Assessment Scope:

  • Information resources and metadata that do not meet condition (1) or (2) are outside the Minimum Assessment Scope.
  • If the cloud service uses information resources from other FedRAMP authorized or certified services then only the configuration and usage of those information resources is included in the Minimum Assessment Scope.
  • If the cloud service uses information resources from other services that are not FedRAMP authorized or certified then all aspects of those services where (1) or (2) applies are included in the Minimum Assessment Scope.
  • Software and other such products (including agents and clients) that are installed, managed, and operated on agency information systems are outside the scope of FedRAMP. Any information resources in the cloud service that control or communicate with such products are within the Minimum Assessment Scope if (1) or (2) applies.
  • Information resources of the service offering may vary by impact level as appropriate to the level of information handled or impacted by the information resource so long as this is clearly identified and documented.
  • Stakeholders should review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.

The new standard represents a marked change in approach, particularly it seems with respect to metadata or indirect data, which we expect may be a hot topic during the comment period. Comments may be submitted using the discussion thread, the public comment form, or by emailing pete@fedramp.gov with the subject “RFC-0005 Feedback.”

Listen to this post

Copyright © 2025, Sheppard Mullin Richter & Hampton LLP.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF UCC SALE: Industrial Systems Technology Company
Published: 28 May, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 28 May, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Spartan Group Holdings & Affiliated Companies
Published: 28 May, 2025
PUBLIC NOTICE OF DISPOSTITON OF COLLATERAL: 1800 -1818 N. 4th LLC
Published: 23 May, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: TrueNorth Projects, LLC
Published: 22 May, 2025
PUBLIC NOTICE OF DISPOSITON OF COLLATERAL: Barber Directory, Inc
Published: 19 May, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Veil Global Technologies, Inc
Published: 6 May, 2025
PUBLIC NOTICE OF 363 SALE: Elmer Buchta Trucking
Published: 31 March, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: PHILLIPS AMSTERDAM II LLC
Published: 31 March, 2025
Discover more public notices

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

Proposed Rule on Medicaid Tax Waivers: CMS Moves to Close a Loophole Shifting Costs to the Federal Government
by: Margia Corner , Adam Herbst
California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules
by: Brittany Walter
Big State, Big Scrutiny: Texas Steps into the Foreign Investment Review Arena
by: Reid Whitten , Bill Mateja
Michigan AG Sues Roku Over Alleged Privacy Violations
by: Liisa M. Thomas , Snehal Desai
Biopharmaceutical Patent Litigation: Regeneron’s Defense Against Biosimilar Launches
by: Joshua Weisenfeld
Montana Amends Law to Cover Collection and Use of Neural Data
by: Liisa M. Thomas
Umbrella Insurer’s “Business Decision” to Pick Up an Insured’s Defense Leads to a Multi-Million Dollar Fraudulent Concealment Claim
by: Jared K. LeBeau
Supreme Court Decides Against Reinstating Wilcox to NLRB as They Rule on Her Termination – NLRB Remains Without a Quorum
by: Matthew J. Netti , Keahn N. Morris
Unpacking EPA’s PFAS Announcement: Addressing Contamination with Ambiguity Ahead
by: Louise Dyble , Sheldon M. Kline
CFPB Reduces Civil Penalty in Settled Remittance Enforcement Action
by: A.J. S. Dhaliwal , Mehul N. Madia
Senate Advances Stablecoin Bill
by: A.J. S. Dhaliwal , Mehul N. Madia
CFPB Proposes to Rescind Risk-Based Supervision Rulemaking
by: A.J. S. Dhaliwal , Mehul N. Madia
CMS Administrator Outlines His Vision for CMS at NFP Healthcare Investors Conference
by: Eric A. Klein , John D. Carroll
No Credit Where It Isn’t Due: The Importance of Preemption and Inventorship in Patent Law
by: Luciano Alvarado
FDIC Rescinds 2024 Merger Guidelines; House Votes to Repeal OCC Rule Under CRA
by: A.J. S. Dhaliwal , Mehul N. Madia

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters