KSI-AFR-MAS—Minimum Assessment Scope
Formerly KSI-AFR-01
FRMR Requirements
Normative requirements from the FedRAMP Requirements and Recommendations document — 5 mandatory, 1 recommended, 2 optional.
Identify Information Resources
Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.
Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.
All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.
Information Flows and Security Objectives
Providers MUST clearly identify, document, and explain information flows and security objectives for ALL information resources or sets of information resources in the cloud service offering.
Third-Party Information Resources
Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR APPLIES, by documenting the following information about each applicable third-party information resource:
- General usage and configuration
- Explanation or justification for use
- Mitigation measures in place to reduce the potential impact to federal customer data
- Compensating controls in place to reduce the potential impact to federal customer data
Metadata Inclusion
Providers MUST include metadata (including metadata about federal customer data) in the Minimum Assessment Scope ONLY IF MAS-CSO-IIR APPLIES.
Implementation Summaries
Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:
- Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability
- The consolidated _information resources_ that will be validated (this should include consolidated summaries such as "all employees with privileged access that are members of the Admin group")
- The machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
- The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)
- Current implementation status
- Any clarifications or responses to the assessment summary
Application within MAS
Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.
Optional Guidance (MAY)
Supplemental Information
Providers MAY include additional materials about other information resources that are not part of the cloud service offering in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.
AFR Order of Criticality
Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization package:
- Minimum Assessment Scope (MAS)
- Authorization Data Sharing (ADS)
- Using Cryptographic Modules (UCM)
- Vulnerability Detection and Response (VDR)
- Significant Change Notifications (SCN)
- Persistent Validation and Assessment (PVA)
- Secure Configuration Guide (RSC)
- Collaborative Continuous Monitoring (CCM)
- FedRAMP Security Inbox (FSI)
- Incident Communications Procedures (ICP)
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express authorization boundaries as machine-readable inventories — IaC-defined boundaries synced to OSCAL system descriptions, auto-discovered asset inventories overlaid on architecture diagrams, and boundary change detection triggering 3PAO re-assessment workflows. The boundary becomes a living, verified artifact rather than an annual PDF.
System Boundary Diagram
Architecture expressing all components within the authorization boundary — zone-based with CIA impact ratings and asset categorization
Assessment Scope Documentation
Scope of third-party assessments including system boundaries, components, and services covered
3PAO Assessment Reports
Summary of 3PAO assessment findings and scope — demonstrates external validation of the boundary
Programmatic Queries
CLI Commands
aws configservice describe-configuration-recorder-status --query "ConfigurationRecordersStatus[].{Name:name,Recording:recording,LastStatus:lastStatus}" --output table
aws configservice get-discovered-resource-counts --query "resourceCounts[].{Type:resourceType,Count:count}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your documented authorization boundary include all interconnected systems, inherited services, and external APIs, or are there components not yet accounted for?
- How do you confirm that every deployed resource (compute, storage, networking, SaaS dependencies) is reflected in the assessment scope?
- What process catches scope changes introduced by engineering teams deploying new services or regions before the next assessment cycle?
- Are there any components you consider out of scope that handle, process, or transmit federal customer data — and how is that exclusion justified?
Automation & Validation:
- What automated discovery tools continuously compare deployed infrastructure against your documented authorization boundary, and what fires when a mismatch is found?
- How do you validate that network diagrams and data flow diagrams match actual traffic patterns — do you use flow logs or network mapping tools?
- What happens if a new cloud account, subscription, or VPC is created outside the documented scope — is it automatically flagged?
- How do you test that boundary enforcement controls (firewalls, network policies) actually restrict traffic to the documented scope?
Inventory & Integration:
- How does your CMDB or asset inventory tool integrate with cloud provider APIs to produce a real-time view of in-scope resources?
- Are inherited service boundaries (e.g., IaaS provider shared responsibility) tracked in the same inventory system, or maintained separately?
- How do you track interconnections and data flows between your CSO and external systems, and is this tracking automated or manual?
- What tools reconcile your documented scope against actual deployment artifacts (Terraform state, CloudFormation stacks, Kubernetes namespaces)?
Continuous Evidence & Schedules:
- How often is the authorization boundary formally reviewed, and how do you demonstrate that every review was completed on schedule?
- Is scope documentation maintained as machine-readable artifacts (e.g., IaC, structured JSON), or only as static diagrams and Word documents?
- How do you detect scope drift — resources entering or leaving the boundary — between formal review cycles?
- What evidence shows the documented scope matched the actual environment at the time of the most recent assessment?
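As an added example of the scope-drift check the Automation, Inventory and Continuous Evidence questions ask about, and of the machine-readable boundary described in the "From the field" note: a Python script that reconciles a documented boundary inventory against resources discovered in the environment. This is not code from this page, from FedRAMP, or from any vendor tool. The boundary format (a flat list of typed resources tagged with a zone), the zone names, the resource identifiers and the discovered list are all constructed for the example; the discovered list only borrows the shape of the `resourceIdentifiers` array that `aws configservice list-discovered-resources` returns, so a real run would replace the embedded sample with that command's merged output.

```python
"""Scope-drift check: reconcile a documented authorization boundary against
resources discovered in the environment, so that undocumented resources and
stale boundary entries surface between formal review cycles."""
import json
from dataclasses import dataclass


# Constructed sample of a documented boundary inventory. The format is an
# assumption made for this example (typed resources tagged with a zone);
# it is not OSCAL and not a FedRAMP-prescribed schema.
DOCUMENTED_BOUNDARY = json.loads("""
{
  "cso": "example-cso",
  "zones": {
    "prod-app": {"handles_federal_data": true},
    "mgmt":     {"handles_federal_data": false}
  },
  "resources": [
    {"type": "AWS::EC2::Instance",   "id": "i-0aaa111",   "zone": "prod-app"},
    {"type": "AWS::EC2::Instance",   "id": "i-0bbb222",   "zone": "prod-app"},
    {"type": "AWS::RDS::DBInstance", "id": "cso-prod-db", "zone": "prod-app"},
    {"type": "AWS::EC2::VPC",        "id": "vpc-0mgmt",   "zone": "mgmt"}
  ]
}
""")

# Constructed sample shaped like the `resourceIdentifiers` array returned by
# `aws configservice list-discovered-resources`, merged across resource types.
# The last entry carries resourceDeletionTime (present when deleted resources
# are included in the listing) and must not count as deployed.
DISCOVERED = json.loads("""
{
  "resourceIdentifiers": [
    {"resourceType": "AWS::EC2::Instance",   "resourceId": "i-0aaa111"},
    {"resourceType": "AWS::EC2::Instance",   "resourceId": "i-0ccc333"},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "cso-prod-db"},
    {"resourceType": "AWS::EC2::VPC",        "resourceId": "vpc-0mgmt"},
    {"resourceType": "AWS::S3::Bucket",      "resourceId": "cso-export-bucket"},
    {"resourceType": "AWS::EC2::Instance",   "resourceId": "i-0ddd444",
     "resourceDeletionTime": "2024-01-01T00:00:00Z"}
  ]
}
""")


@dataclass
class DriftReport:
    undocumented: list  # (type, id): deployed but absent from the boundary
    missing: list       # (type, id, zone, handles_federal_data): documented, not found

    @property
    def in_sync(self) -> bool:
        return not self.undocumented and not self.missing


def reconcile(boundary: dict, discovered: dict) -> DriftReport:
    """Set-difference the documented boundary against discovered resources."""
    documented = {(r["type"], r["id"]): r["zone"] for r in boundary["resources"]}
    documented_keys = set(documented)
    deployed = {
        (r["resourceType"], r["resourceId"])
        for r in discovered["resourceIdentifiers"]
        if "resourceDeletionTime" not in r  # deleted resources are not deployed
    }
    undocumented = sorted(deployed - documented_keys)
    missing = []
    for rtype, rid in sorted(documented_keys - deployed):
        zone = documented[(rtype, rid)]
        federal = boundary["zones"][zone]["handles_federal_data"]
        missing.append((rtype, rid, zone, federal))
    return DriftReport(undocumented=undocumented, missing=missing)


def format_report(report: DriftReport) -> list:
    """Render drift as review lines: undocumented resources need a scope
    determination; stale entries in federal-data zones get priority review."""
    lines = []
    for rtype, rid in report.undocumented:
        lines.append(f"UNDOCUMENTED {rtype} {rid}: deployed, not in boundary; "
                     "scope determination required")
    for rtype, rid, zone, federal in report.missing:
        prio = "HIGH" if federal else "LOW"
        lines.append(f"STALE [{prio}] {rtype} {rid}: documented in zone {zone}, "
                     "not discovered")
    return lines or ["IN SYNC: discovered resources match the documented boundary"]


if __name__ == "__main__":
    for line in format_report(reconcile(DOCUMENTED_BOUNDARY, DISCOVERED)):
        print(line)
```

Run on the embedded samples, the script flags two undocumented resources (an EC2 instance and an S3 bucket that exist but are not in the boundary) and one stale entry (an instance documented in a federal-data zone that is no longer discovered), while ignoring the deleted instance. Scheduling this against live discovery output, and treating any non-empty report as a trigger for a scope determination, is one way to answer the "what fires when a mismatch is found" question with evidence rather than a narrative.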