FedRAMP Authorization Boundary Guidance
3. Federal Metadata in the Cloud
Federal Definition: NIST SP 800-53 describes metadata as “information describing the characteristics of
data including, for example, structural metadata describing data structures (e.g., data format, syntax, and
semantics) and descriptive metadata describing data contents (e.g., information security labels).”
FedRAMP Guidance: There are two types of metadata that each have their own security considerations
and requirements:
1. Federal metadata:
Data that, if compromised, could impact the confidentiality, availability, or integrity of the systems
supporting the processing, storage, or transmission of federal data.
For example:
● Configuration data (hostnames, IPs, system running configuration, patching level, etc.)
● Scan data (raw scan data, POA&M, Deviation Requests, etc.)
● Security Documentation
● Incident Response Data (Active incident response data and investigation communications)
● Ticketing information with systems specific information
This list is not exhaustive; it is a guideline for determining the impact level of the metadata. If there is
any question about how the metadata in a CSO should be categorized, the CSP must validate the nature of
the metadata with the AO. The federal metadata category has two subcategories:
Federal metadata with a direct potential impact on mission, organizations or individuals should there be
a loss of confidentiality, integrity, or availability. This includes security metadata revealing the current
security posture of the system; vulnerability information; active incident response information and
communications; and active threat assessment, penetration test or security investigation information and
communications. This type of federal metadata must reside within the authorization boundary or within
the boundary of another federal information system authorized by the AO at the same or greater FIPS-199
impact level. The AO, in cooperation and consultation with the CSP, determines which types of metadata
fall into this subcategory, their potential impact, and whether they must be included within the boundary.
Note: JAB systems that are using external systems for the processing, storage or transmission of this type
of federal metadata must utilize a system with a JAB authorization at the same or greater FIPS-199 impact
level.
Federal metadata with an indirect potential impact on mission, organizations or individuals should there
be a loss of confidentiality, integrity, or availability. This includes data revealing system infrastructure,
facilities, and design; application name, version, and release; application, system, and network
configuration information; interconnections and access methods; systems inventories; architecture models,
diagrams, and details; system security plans, contingency plans, risk management plans, security impact