I was three months into a FISMA assessment for a Department of Defense contractor when the project manager dropped a bombshell: "We just realized our authorization boundary includes systems we didn't document."
My stomach dropped. We'd spent twelve weeks documenting controls, conducting interviews, and preparing for assessment. Now we had to start over—or worse, face a failed audit that would cost them their government contracts worth $14 million annually.
That painful experience taught me something I now tell every client on day one: your authorization boundary isn't just a technical diagram—it's the foundation of your entire FISMA compliance program. Get it wrong, and everything else falls apart.
After fifteen years working on federal compliance projects, I've seen authorization boundaries sink more FISMA implementations than any other single factor. Today, I'm going to share everything I've learned about getting it right the first time.
What Is a FISMA Authorization Boundary (And Why Everyone Gets It Wrong)
Let me start with a confession: the first authorization boundary I ever defined was a disaster.
I was consulting for a federal health agency in 2012. They asked me to define the boundary for their patient records system. Simple, right? I drew a nice box around their application servers, database, and web servers. Clean. Tidy. Completely wrong.
During the assessment, the auditor started asking questions:
"What about the authentication server that validates user logins?"
"Where's the backup system that stores copies of this data?"
"How are you accounting for the network infrastructure connecting these components?"
"What about the workstations administrators use to manage these servers?"
Every question revealed another gap. By the end of week one, our "simple" boundary had expanded to include 47 additional components I hadn't considered.
"An authorization boundary isn't what you think your system includes. It's everything that can affect the confidentiality, integrity, or availability of the information the system processes."
The Official Definition (Translated to English)
According to NIST SP 800-37, an authorization boundary is:
"All components of an information system to be authorized for operation by an authorizing official, including any external systems that provide services to the system."
In plain English? It's every piece of hardware, software, network component, facility, and person that can:
Access your system's data
Modify your system's functionality
Affect your system's availability
Provide essential services to your system
Think of it like defining a secure perimeter. Everything inside the boundary must meet FISMA requirements. Everything outside the boundary must be either trusted (through interconnection agreements) or completely isolated.
Why Getting the Boundary Right Matters (A $3.2 Million Lesson)
Let me share a story that still makes me wince.
In 2017, I was called in to help a defense contractor who'd failed their FISMA assessment. They'd received a "Deny Authorization to Operate" decision—essentially a death sentence for their government work.
The problem? They'd defined their authorization boundary too narrowly. Their system included:
A web application for classified documents
Application servers within their secure facility
A database cluster with encryption
Looks complete, right? But here's what they missed:
Outside their documented boundary but critical to operations:
The VPN concentrator that remote workers used to access the system
The domain controller authenticating all users
The SIEM system collecting security logs
The patch management server updating their systems
The backup system storing encrypted copies of classified data
The virtual infrastructure platform hosting everything
When the auditor discovered these undocumented components, she had no choice but to fail them. Why? Because the authorization basis—the documented rationale for approving the system—was incomplete. The system as operated didn't match the system as authorized.
The cost:
$340,000 to redo the assessment
$1.8 million in delayed contract renewals
$890,000 in consulting fees to fix the gaps
9 months of operational disruption
Immeasurable reputational damage
All because they drew the boundary in the wrong place.
"In FISMA compliance, what you don't document is just as dangerous as what you don't secure."
The Three Boundary Patterns I've Seen Work
After managing over 30 FISMA authorization projects, I've found that successful boundaries follow one of three patterns:
Pattern 1: Application-Centric Boundary
Best for: Standalone applications with limited integration
What's included:
The application itself
Supporting infrastructure (servers, storage, network)
Authentication and authorization systems
Logging and monitoring systems
Backup and recovery systems
Administrative access systems
Real-world example: I worked with a federal agency implementing a grants management system. Their boundary included:
Component Category | Specific Systems | Justification |
|---|---|---|
Application Layer | Grants web application, API gateway, workflow engine | Core functionality |
Data Layer | PostgreSQL database cluster, Redis cache | Data storage and processing |
Infrastructure | VMware virtual infrastructure, SAN storage | Hosting platform |
Security Services | Active Directory, MFA appliance, SIEM | Authentication and monitoring |
Network | Application subnet, firewall rules, load balancer | Network connectivity |
Management | Patch server, backup system, admin workstations | Operations and maintenance |
Clean, comprehensive, and—critically—everything an auditor would ask about was already documented.
Pattern 2: Enclave-Based Boundary
Best for: Multiple related systems sharing infrastructure
What's included:
All systems within a secure enclave
Shared infrastructure (network, storage, compute)
Common security services
Enclave-wide monitoring and logging
Boundary protection systems
I implemented this approach for a defense contractor with 12 different classified systems. Instead of authorizing each system separately (12 different authorization packages, 12 different assessments, 12 different ATO decisions), we defined one enclave boundary containing all systems.
Key components by layer:
Layer | Components | Shared Services |
|---|---|---|
Perimeter | Border firewalls, VPN gateway, IDS/IPS | All systems |
Network | Core switches, distribution switches, DMZ | All systems |
Compute | Virtual infrastructure clusters, blade servers | All systems |
Storage | SAN fabric, NAS appliances, backup systems | All systems |
Security | SIEM, vulnerability scanners, antivirus management | All systems |
Applications | 12 distinct applications | Per-application databases |
This approach:
Reduced assessment costs by 68%
Shortened time-to-authorization from 14 months to 7 months
Simplified ongoing continuous monitoring
Made adding new systems significantly easier
Pattern 3: Service-Based Boundary
Best for: Cloud services or multi-tenant platforms
What's included:
The service delivery platform
Customer data storage and processing
Service management infrastructure
Shared security services
Customer interface systems
I've worked on three FedRAMP authorizations (which use the same boundary concepts as FISMA), and this pattern is becoming increasingly common.
Example: Federal cloud email service
Service Component | Infrastructure Elements | Security Controls |
|---|---|---|
Email delivery | Mail servers, anti-spam, anti-malware | Boundary protection, malware defense |
Data storage | Distributed storage, encryption services | Encryption at rest, access control |
User interface | Web mail, mobile sync, API | Secure communications, authentication |
Administration | Provisioning, billing, usage monitoring | Audit logging, separation of duties |
Operations | Monitoring, incident response, capacity planning | Continuous monitoring, incident response |
The key difference: the boundary represents the entire service capability, not individual customer instances.
The Eight-Step Process for Defining Your Boundary
Here's the methodology I use with every client. It's saved me from countless "oh no, we forgot that" moments.
Step 1: Start With the Mission
Don't start with technology. Start with the question: "What is this system supposed to do?"
I worked with a VA medical center implementing an electronic health records system. We started by documenting:
System Mission: Enable healthcare providers to access, create, and modify patient medical records securely while maintaining HIPAA and FISMA compliance.
Primary Functions:
Patient record creation and retrieval
Clinical documentation and notes
Prescription management
Lab and imaging results integration
Patient portal for personal health information
Once you know the mission, you can identify what needs to be inside the boundary to accomplish it.
Step 2: Map All Data Flows
This is where most people discover components they'd forgotten.
Create a data flow diagram showing:
Where data enters the system
How data moves between components
Where data is stored
Where data exits the system
Who accesses data and how
Pro tip: Use different colors for different data sensitivity levels. I use:
Red: Classified or CUI (Controlled Unclassified Information)
Orange: PII (Personally Identifiable Information)
Yellow: Internal use only
Green: Public information
When you visualize data flows, forgotten components become obvious. In one project, this exercise revealed:
A file transfer server nobody had mentioned
An external reporting system receiving daily data exports
An email gateway processing system notifications
A certificate authority validating system certificates
All critical components that would have been discovered during assessment—creating an instant finding.
Step 3: Document All System Interfaces
Every connection point is a potential boundary question. Document:
Interface Type | Connected System | Data Exchanged | Protocol | Boundary Status |
|---|---|---|---|---|
Authentication | Enterprise Active Directory | User credentials, group memberships | LDAPS | Inside boundary |
Logging | Enterprise SIEM | Security logs, audit records | Syslog/TLS | Outside boundary (trusted) |
Time sync | NTP servers | Time synchronization | NTP | Outside boundary (low-risk) |
Patching | WSUS server | Software updates | HTTPS | Inside boundary |
Backup | Enterprise backup | Full system backups | Proprietary/encrypted | Inside boundary |
Monitoring | Network monitor | Performance metrics | SNMP | Outside boundary (trusted) |
For each interface, you need to answer:
Is this component critical to system security?
Does it process, store, or transmit system data?
Could compromise of this component affect your system?
Can you separate it with a clear, manageable interconnection?
"Every line crossing your authorization boundary is a risk that needs documentation, assessment, and ongoing monitoring."
Step 4: Include Supporting Infrastructure
This is where people make the biggest mistakes. Your boundary must include:
Compute Infrastructure:
Physical servers or virtual hosts
Hypervisors and management consoles
Container orchestration platforms
Serverless execution environments
Storage Infrastructure:
File servers and NAS devices
SAN fabric and storage arrays
Database servers
Backup systems and media
Network Infrastructure:
Switches and routers within the security perimeter
Firewalls providing boundary protection
Load balancers
VPN concentrators
Wireless access points (if applicable)
Security Infrastructure:
Authentication servers
Authorization systems
Encryption key management
Security monitoring and SIEM
Intrusion detection/prevention
Antivirus/anti-malware management
Management Infrastructure:
Patch management systems
Configuration management databases
Administrative access systems (jump boxes, bastion hosts)
Change management tools
Here's a checklist I use:
Infrastructure Category | Components to Consider | Include? | Justification |
|---|---|---|---|
Compute | Virtual hosts | ✓ | Hosts application VMs |
Physical servers | ✓ | Running critical services | |
Management consoles | ✓ | Administrative access to infrastructure | |
Storage | SAN arrays | ✓ | Stores all system data |
Backup appliances | ✓ | Contains system backups | |
File servers | ✓ | Application file storage | |
Network | Core switches | ✓ | Critical path for system traffic |
Access switches | ✗ | General campus network, not system-specific | |
Firewalls | ✓ | Boundary protection | |
Load balancers | ✓ | Application delivery | |
Security | IDS/IPS | ✓ | Security monitoring for boundary |
Antivirus server | ✓ | Malware protection for endpoints | |
SIEM | ? | Could be external with interconnection agreement | |
Management | Patch server | ✓ | Updates system components |
Monitoring | ? | Could be external with interconnection agreement |
Step 5: Consider Physical and Environmental Components
Don't forget the physical world. Your boundary may need to include:
Physical Security:
Data center or server room
Physical access control systems
Security cameras (if monitoring system areas)
Environmental controls (HVAC, power, fire suppression)
I once worked on an assessment where the auditor asked about physical security for the server room. The organization assumed physical security was someone else's problem. Wrong. If unauthorized physical access could compromise your system, it's part of your boundary.
Rule of thumb: If someone with physical access could:
Directly access system hardware
Plug into your system network
View system data on displays
Steal system media
Then those physical controls are part of your authorization boundary.
Step 6: Define What's Explicitly Outside
This is just as important as defining what's inside. Document:
External Dependencies:
External System | Service Provided | Risk Level | Mitigation |
|---|---|---|---|
Internet Service Provider | Network connectivity | High | Encrypted connections, VPN |
Public cloud services | Development/testing environments | Medium | Completely separate from production |
Commercial email | Business communications | Low | No system data permitted |
Enterprise HR system | User provisioning data | Medium | Interconnection Security Agreement |
Public DNS | Domain name resolution | Low | DNSSEC validation |
Interconnected Systems: These are systems outside your boundary that provide services to your system. Each needs:
Interconnection Security Agreement (ISA)
System Security Plan from the external system
Current authorization status
Regular security posture review
I learned this lesson the hard way. A system I was authorizing depended on an enterprise Active Directory. During assessment, the auditor asked for AD's authorization status. We didn't have it. The auditor couldn't verify that our authentication service met security requirements. Finding: "Interconnected system lacks documented authorization."
Two-week delay while we tracked down AD's authorization package and created an ISA. Could have been avoided with proper boundary definition.
Step 7: Document Administrative Access
Who manages your system? Where do they work? What do they use?
Your boundary likely includes:
Administrator workstations
Jump servers or bastion hosts
VPN infrastructure for remote administration
Multi-factor authentication systems
Privileged access management tools
Example administrative access documentation:
Access Type | Access Method | Authentication | Authorization | Logging |
|---|---|---|---|---|
Server administration | SSH from jump server | PKI certificate + password | RBAC via sudo | Full session recording |
Database administration | SQL client from admin workstation | Database password + MFA | Database roles | Query logging |
Network administration | Console access via jump server | TACACS+ with MFA | Privilege levels | Command logging |
Application administration | Web console via VPN | SAML SSO + MFA | Application roles | Audit logging |
Security administration | Direct console access | Privileged account + MFA | Administrative access | Full activity logging |
If your administrators need it to manage the system, it's part of your boundary.
Step 8: Create Visual Documentation
Auditors love diagrams. So do authorizing officials. Create:
Network Diagram showing:
All components within boundary
Network zones and VLANs
Firewalls and security boundaries
Data flows between components
External connections with ISAs
Component Inventory including:
Component Name | Type | Function | IP Address | OS/Version | Data Sensitivity | Inside Boundary |
|---|---|---|---|---|---|---|
APP-WEB-01 | Web Server | Public web interface | 10.1.1.10 | RHEL 8.5 | CUI | Yes |
APP-DB-01 | Database | Application data | 10.1.2.10 | PostgreSQL 13 | CUI | Yes |
SEC-FW-01 | Firewall | Perimeter security | 10.1.0.1 | Palo Alto 10.1 | N/A | Yes |
ENT-AD-01 | Auth Server | User authentication | 172.16.1.10 | Windows Server 2019 | Internal | No (ISA) |
Data Flow Diagram showing:
How information enters the system
Where information is processed
Where information is stored
How information leaves the system
What encryption protects each flow
I create these in Visio, but I've seen excellent diagrams made in draw.io, Lucidchart, or even PowerPoint. The tool doesn't matter—clarity does.
Common Boundary Definition Mistakes (And How to Avoid Them)
After fifteen years, I've seen every mistake imaginable. Here are the top five:
Mistake #1: The "Too Small" Boundary
The mistake: Defining only the application layer and ignoring infrastructure.
Real example: A federal contractor defined their boundary as "the grant management application." During assessment, the auditor asked about:
The database storing grant data
The web servers hosting the application
The application servers running business logic
The load balancer distributing traffic
The authentication system validating users
All were missing from the boundary documentation. Result: Major finding, 6-week delay, $120,000 in remediation costs.
How to avoid: Use my infrastructure checklist above. If a component is dedicated to your system, include it.
Mistake #2: The "Too Large" Boundary
The mistake: Including everything remotely connected to your system.
Real example: A defense agency included their entire enterprise network infrastructure in a system boundary. The authorization package was 2,400 pages long. The assessment took 18 months. The continuous monitoring burden was crushing.
How to avoid: Ask: "Is this component dedicated to my system, or is it a shared service?" Shared services can often be external with an ISA.
Boundary size comparison:
Boundary Type | Components | Assessment Duration | Assessment Cost | Annual Monitoring Effort |
|---|---|---|---|---|
Too Small | 15 | Failed audit | $340K (redo) | N/A |
Right-Sized | 47 | 6 months | $185K | 480 hours/year |
Too Large | 340+ | 18 months | $890K | 2,400 hours/year |
Mistake #3: The "Forgotten Dependency" Problem
The mistake: Failing to identify critical dependencies.
Real example: A system depended on an enterprise patch management service. Nobody documented this. During operations, the patch service was taken offline for maintenance. The system couldn't receive security updates. Finding: "System unable to maintain security posture during routine maintenance."
How to avoid: Create a dependency map. For every component, ask: "What does this depend on to function properly?"
Mistake #4: The "Undocumented Interface" Issue
The mistake: System interfaces that aren't documented in the authorization package.
Real example: A financial system had a nightly batch job that exported data to an enterprise data warehouse. This interface wasn't documented. During assessment, log review revealed the data transfer. Finding: "Undocumented external connection transferring sensitive data."
How to avoid: Review firewall rules, network flow data, and application configurations. Document everything that crosses the boundary.
Mistake #5: The "Wrong Categorization" Error
The mistake: Misclassifying system impact level, leading to incorrect boundary and control selection.
Real example: A system was categorized as "Low Impact" because it contained "general business data." During assessment, we discovered it also processed CUI (Controlled Unclassified Information). The categorization was wrong. The boundary was insufficient. The controls were inadequate.
Result: Reassessment at Moderate Impact level, additional $340,000 in security controls, 9-month delay.
How to avoid: Start with information categorization. Let data sensitivity drive system categorization, which drives boundary and control selection.
Special Boundary Scenarios
Some situations need special consideration:
Cloud Systems
Cloud systems complicate boundary definition because you don't own the infrastructure. For a FedRAMP-authorized cloud service, your boundary includes:
Customer responsibility:
Data you upload
Applications you deploy
User access controls you configure
Monitoring you implement
Inherited from cloud provider:
Physical infrastructure
Hypervisor layer
Network infrastructure
Physical security
Example: AWS-hosted federal application
Layer | Your Boundary | Provider Boundary | Shared |
|---|---|---|---|
Applications | ✓ Application code, configs | ||
Data | ✓ Data encryption, access control | ✓ Backup services | |
Platform | ✓ OS patches, hardening | ✓ Container orchestration | |
Infrastructure | ✓ Compute, storage, network | ||
Physical | ✓ Data centers, power, cooling |
Your authorization boundary includes your responsibilities. The cloud provider's FedRAMP authorization covers their responsibilities.
Contractor-Operated Systems
When contractors operate systems on behalf of federal agencies, boundary definition gets complex.
Key questions:
Who owns the authorization? (Usually the agency)
Who operates the system? (Contractor)
Where is the system hosted? (Could be anywhere)
Who's responsible for security controls? (Shared)
Responsibility matrix example:
Control Family | Agency Responsibility | Contractor Responsibility |
|---|---|---|
Access Control | Define access requirements, approve users | Implement technical controls, manage accounts |
Incident Response | Define procedures, receive notifications | Detect incidents, perform initial response |
Security Assessment | Approve assessment plan, make ATO decision | Conduct self-assessment, coordinate with 3PAO |
Continuous Monitoring | Review monitoring reports, maintain authorization | Perform ongoing monitoring, report changes |
The boundary must clearly document where agency systems end and contractor systems begin, with ISAs for interfaces.
Multi-Tenant Systems
When one system serves multiple federal customers, each customer's data must be protected from other customers.
Boundary considerations:
Tenant isolation mechanisms
Shared infrastructure components
Customer-specific customizations
Data segregation methods
I worked on a case management system serving 12 different federal agencies. The authorization boundary included:
Shared components (single authorization):
Multi-tenant application platform
Shared database with row-level security
Common authentication services
Consolidated logging and monitoring
Customer-specific (documented in authorization):
Customer data partitions
Customer-specific workflows
Customer user populations
Customer interconnections
This approach allowed one authorization to cover all 12 agencies, with appendices documenting customer-specific configurations.
Boundary Changes and Continuous Monitoring
Here's something nobody tells you: your authorization boundary will change. Count on it.
When Boundary Changes Require Reauthorization
Major changes that require new authorization:
Change Type | Example | Requires New ATO? | Required Action |
|---|---|---|---|
Significant component addition | Adding new application functionality | Yes | Update SSP, reassess controls, AO approval |
Change in impact level | Discovering CUI in "Low" system | Yes | Recategorize, reassess, new authorization |
Major architecture change | Moving from on-prem to cloud | Yes | New authorization package, full assessment |
Boundary expansion | Integrating new system into boundary | Depends | Significant change review, possible reassessment |
Minor changes that need documentation but not reauthorization:
Change Type | Example | Continuous Monitoring | Required Action |
|---|---|---|---|
Component replacement | Upgrading database version | Report in monthly | Update inventory, verify controls |
Adding capacity | New servers for scaling | Report in monthly | Update inventory, verify configuration |
Security updates | Patching vulnerabilities | Report in monthly | Verify patch applied, test functionality |
Configuration changes | Modifying firewall rules | Report in monthly | Document change, update procedures |
The Boundary Change Process I Use
When a boundary change is proposed:
Step 1: Impact Assessment
What's changing and why?
Does it affect system security?
Does it change risk level?
Does it affect control implementation?
Step 2: Documentation Update
Update System Security Plan
Revise network diagrams
Update component inventory
Document new data flows
Step 3: Control Verification
Verify controls still work as documented
Test new component security
Validate interconnections
Review access controls
Step 4: Authorizing Official Notification
Describe the change
Explain security impact
Provide updated documentation
Request approval or new ATO
Step 5: Continuous Monitoring Integration
Add new components to monitoring
Update security baselines
Revise assessment procedures
Schedule verification testing
"A well-defined boundary makes change management possible. A poorly-defined boundary makes change management a nightmare."
Tools and Templates for Boundary Definition
Over the years, I've developed tools that make boundary definition faster and more accurate:
Component Discovery Checklist
□ Application components
□ Web servers
□ Application servers
□ APIs and integration layers
□ Mobile applications
□ Desktop applications
□ Data components
□ Databases
□ Data warehouses
□ File storage
□ Caching layers
□ Backup systems
□ Infrastructure components
□ Physical servers
□ Virtual hosts
□ Containers
□ Network devices
□ Storage arrays
□ Security components
□ Firewalls
□ IDS/IPS
□ Authentication servers
□ Encryption systems
□ Security monitoring
□ Management components
□ Admin workstations
□ Jump servers
□ Patch management
□ Configuration management
□ Change control systems
□ External interfaces
□ User access points
□ Data exchanges
□ Service dependencies
□ Monitoring integrations
□ Backup connections
Boundary Decision Matrix
For each component, answer these questions:
Question | Yes = Include | No = Consider External |
|---|---|---|
Is it dedicated to this system? | ✓ | ISA with shared service |
Does it process system data? | ✓ | May be external with ISA |
Does it store system data? | ✓ | Must have strong controls |
Could its compromise affect system security? | ✓ | Risk-based decision |
Could its unavailability affect system availability? | ✓ | Consider redundancy |
Do you control its operation? | ✓ | May need provider FedRAMP |
Documentation Template
Here's the structure I use for boundary documentation:
Section 1: System Description
System name and identifier
System owner and authorizing official
Mission and business purpose
Users and stakeholders
Section 2: Boundary Definition
Narrative description of boundary scope
Included components and justification
Excluded components and justification
Physical boundaries (facilities, rooms)
Logical boundaries (networks, VLANs)
Section 3: Component Inventory
Hardware components
Software components
Network devices
Security tools
Management systems
Section 4: Data Flows
External data inputs
Internal data processing
Data storage locations
External data outputs
Encryption at each stage
Section 5: Interconnections
External system dependencies
Interconnection Security Agreements
Data exchange protocols
Security controls at interconnection points
Section 6: Diagrams
Network architecture diagram
Data flow diagram
Physical topology
Security zones
Boundary protection mechanisms
Real-World Success: A Complete Example
Let me walk you through a recent project where we got the boundary right from day one.
System: Federal student loan management system Impact Level: Moderate (PII and financial data) Environment: Hybrid cloud (on-premises and AWS)
Initial Scoping Session
We gathered stakeholders:
System owner (Department of Education representative)
Application development team
Infrastructure team
Security team
Our consulting team
Key questions we answered:
What's the mission?
Enable students to apply for, manage, and repay federal student loans
Process loan disbursements to educational institutions
Track repayment and default status
What data does it handle?
Student PII (names, SSNs, addresses)
Financial data (income, loan amounts, repayment schedules)
Educational institution data
Loan servicer information
What are the critical functions?
Student portal for applications and account management
Loan calculation and approval engine
Payment processing and tracking
Reporting to loan servicers and credit bureaus
Integration with Department financial systems
Component Identification
We spent two weeks mapping every component:
Application Tier:
Component | Purpose | Location | Included in Boundary |
|---|---|---|---|
Student Portal | Web interface | AWS (us-gov-west) | Yes - core function |
API Gateway | Integration layer | AWS (us-gov-west) | Yes - handles all data exchange |
Application Servers | Business logic | On-premises datacenter | Yes - processing engine |
Workflow Engine | Loan processing | On-premises datacenter | Yes - core function |
Reporting System | Analytics | AWS (us-gov-west) | Yes - uses system data |
Data Tier:
Component | Purpose | Location | Included in Boundary |
|---|---|---|---|
Production Database | Live loan data | On-premises datacenter | Yes - stores all system data |
Read Replicas | Reporting queries | AWS RDS (us-gov-west) | Yes - copies of system data |
Document Storage | Application documents | AWS S3 (us-gov-west) | Yes - stores uploaded documents |
Backup System | Data protection | On-premises + AWS | Yes - contains system data |
Infrastructure Tier:
Component | Purpose | Location | Included in Boundary |
|---|---|---|---|
VMware Cluster | Virtual hosts | On-premises datacenter | Yes - hosts system VMs |
AWS EC2 Instances | Cloud compute | AWS (us-gov-west) | Yes - runs system workloads |
SAN Storage | On-prem storage | On-premises datacenter | Yes - stores system data |
Hybrid VPN | Cloud connectivity | On-prem + AWS | Yes - critical network link |
Security Tier:
Component | Purpose | Location | Included in Boundary |
|---|---|---|---|
Perimeter Firewalls | Boundary protection | On-premises datacenter | Yes - protects boundary |
AWS Security Groups | Cloud firewalling | AWS (us-gov-west) | Yes - cloud boundary protection |
IDS/IPS | Threat detection | On-premises datacenter | Yes - monitors boundary |
SIEM | Security monitoring | Enterprise (external) | No - ISA in place |
HSM | Key management | On-premises datacenter | Yes - encrypts system data |
Management Tier:
Component | Purpose | Location | Included in Boundary |
|---|---|---|---|
Jump Servers | Admin access | On-premises datacenter | Yes - administrative access |
Patch Management | Updates | On-premises datacenter | Yes - system-specific |
AWS Systems Manager | Cloud management | AWS (us-gov-west) | Yes - manages cloud resources |
Monitoring | Performance | Enterprise (external) | No - ISA in place |
External Dependencies
We documented seven external systems:
External System | Service Provided | ISA Status | Risk Level |
|---|---|---|---|
Enterprise Active Directory | User authentication | In place | Medium |
Enterprise SIEM | Security log aggregation | In place | Low |
Department Financial System | Payment processing | Required | High |
Credit Bureau Interface | Credit reporting | Required | Medium |
Loan Servicer Portal | Account servicing | Required | Medium |
IRS Income Verification | Income verification | In place | High |
Enterprise Email | System notifications | In place | Low |
Each required an ISA documenting:
Data exchanged
Security requirements
Connection method
Control responsibilities
Incident response procedures
Final Boundary Documentation
Our completed boundary package included:
Diagrams:
Network architecture (showing all components and connections)
Data flow diagram (showing information movement)
Physical topology (showing datacenter and cloud locations)
Security zones (showing network segmentation)
Inventories:
47 components with full details
7 external interconnections with ISAs
12 network connections between zones
23 data flows between components
Narrative: 15 pages describing:
Boundary rationale
Component inclusion/exclusion decisions
Interconnection justification
Physical and logical boundaries
Administrative access methods
Assessment Results
The authorization assessment went smoothly:
No boundary-related findings
Auditor praised boundary clarity
All components documented and assessed
All interconnections verified
ATO granted on schedule
Time investment:
Boundary definition: 80 hours
Documentation: 120 hours
Diagram creation: 40 hours
Total: 240 hours ($72,000 at our rates)
Value delivered:
No surprise findings
No assessment delays
Clear ongoing monitoring scope
Foundation for future changes
6-month faster ATO than similar systems
"Spending 240 hours on boundary definition saved us 800+ hours of assessment rework and delays. Best investment we made in the entire project."
Your Boundary Definition Action Plan
Ready to define your authorization boundary? Here's your week-by-week plan:
Week 1: Discovery and Planning
Day 1-2: Document system mission and critical functions
Day 3: Identify all application components
Day 4: Map all data flows
Day 5: Review with stakeholders
Week 2: Component Identification
Day 1: Inventory infrastructure components
Day 2: Identify security components
Day 3: Document management systems
Day 4: List administrative access methods
Day 5: Review completeness
Week 3: External Dependencies
Day 1-2: Identify external system dependencies
Day 3-4: Document each interconnection
Day 5: Determine ISA requirements
Week 4: Documentation
Day 1: Create network diagram
Day 2: Create data flow diagram
Day 3: Build component inventory
Day 4: Write boundary narrative
Day 5: Internal review and revision
Week 5: Validation
Day 1-2: Technical team review
Day 3: Security team review
Day 4: Authorizing Official review
Day 5: Incorporate feedback
Budget estimate:
Internal staff time: 200-300 hours
Consultant support (if needed): $50,000-$75,000
Diagramming tools: $500-$2,000
Assessment preparation: Included in above
Final Thoughts: The Boundary as Foundation
After fifteen years working on FISMA authorizations, I've learned that boundary definition is where projects succeed or fail.
A well-defined boundary:
Makes assessments predictable and manageable
Enables accurate control implementation
Simplifies continuous monitoring
Facilitates change management
Provides clear accountability
A poorly-defined boundary:
Creates assessment surprises and delays
Results in control gaps and findings
Complicates ongoing operations
Makes changes risky and expensive
Obscures security accountability
The choice is yours. Invest time upfront in getting the boundary right, or pay much more later when you get it wrong.
I opened this article with a story about a $14 million contract at risk because of a boundary mistake. I'll close with a different story.
Last year, I worked with a small federal contractor on their first FISMA authorization. They had a tight budget, limited staff, and enormous pressure to get authorized quickly so they could bid on federal contracts.
We spent the first month solely on boundary definition. The project manager was frustrated. "We should be implementing controls," he said. "We're wasting time on diagrams and documentation."
I convinced him to trust the process.
When assessment came, the auditor's first comment was: "This is the clearest authorization boundary I've reviewed all year. I understand exactly what I'm assessing."
The assessment took six weeks instead of the typical twelve. They received their ATO with zero major findings. They've since won three federal contracts worth $8.7 million annually.
The project manager called me last month. "Remember when I said we were wasting time on the boundary? I was wrong. That month we spent on boundary definition was the most valuable month of the entire project."
Get your boundary right. Everything else becomes easier.