Behind the Shield

Understanding Minimum Assessment Scope (MAS) in FedRAMP 20x

InfusionPoints Season 1 Episode 33

In this episode of Behind the Shield, InfusionPoints’ Chad Spears and Tanner Bailey break down one of the most important concepts shaping the future of FedRAMP 20x: the Minimum Assessment Scope (MAS).

As organizations begin preparing for the transition toward continuous validation and automated security evidence, understanding what actually belongs in scope has become critical. Chad and Tanner unpack how MAS is designed to help organizations focus on the systems, resources, and validations that truly matter to the security of the environment instead of wasting time, engineering effort, and budget on unnecessary complexity.

The conversation explores how FedRAMP 20x is pushing organizations toward a more operational, automation-first mindset. Rather than treating compliance as a one-time documentation exercise, the discussion highlights how continuous validation, reusable checks, and machine-readable evidence are changing the way cloud providers approach authorization readiness.

Throughout the episode, the team connects the technical realities of Minimum Assessment Scope back to real business outcomes. From reducing engineering overhead and controlling costs to accelerating authorization timelines and improving operational maintainability, MAS is positioned as a foundational starting point for organizations pursuing a modernized FedRAMP strategy.

Whether you’re a security engineer, cloud architect, compliance lead, executive stakeholder, or CSP trying to understand what FedRAMP modernization actually means in practice, this episode provides practical insight into where the ecosystem is heading and how to prepare.

Chapters:
Introduction and Overview - 0:08
Understanding MAS (Minimum Assessment Scope) - 0:56
Importance of MAS in FedRAMP 20X - 4:52
Defining the Scope and Its Impact - 7:29
Challenges and Considerations - 11:33
Business Impact of MAS - 26:46
Conclusion and Resources - 28:21

What You’ll Learn:
• What Minimum Assessment Scope (MAS) actually means in FedRAMP 20x
• How MAS can reduce complexity, cost, and engineering effort
• Why continuous validation changes the way compliance is approached
• How reusable KSI validation checks improve operational efficiency
• Why automation and machine-readable evidence are central to FedRAMP modernization
• The connection between MAS, speed-to-authorization, and long-term maintainability
• Updates on Consolidated Rules 2026 (CR2026) and evolving FedRAMP terminology
• What organizations should be doing now to prepare for the future of FedRAMP

InfusionPoints Links:
FedRAMP 20x Quick Look Assessment: https://xbu40.com/assessment
https://infusionpoints.com/
LinkedIn: https://www.linkedin.com/company/infusionpoints/
Chad Spears: https://www.linkedin.com/in/chad-spears007/
Tanner Bailey: https://www.linkedin.com/in/tanner-b-37a50a132/

InfusionPoints & AWS:
InfusionPoints is proud to be an Amazon Web Services Premier Tier Services Partner, supporting organizations in building, managing, and defending secure cloud environments.

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

SPEAKER_01

All right. Welcome everybody to another episode of Behind the Shield. My name is Chad Spears. I'm the CISO here at InfusionPoints. And as always, it seems like here lately, I've got uh my counterpart, Mr. Tanner Bailey, subject matter expert here on All Things 20X. Tanner, thank you so much for joining me again today. Um excited to be able to take this platform here of the Behind the Shield, uh our podcasting platform, and actually tie it into uh the webinars that you and I have been doing as of recent, because today we're gonna be focusing on one of the things that's really popped up here recently, uh, and a matter of questions and uh just some some thoughts around uh you know the folks that attended the webinar and kind of some some questions around, you know, what does our certain piece here really mean? And that piece that we're gonna be talking about and diving a little bit deeper in today is MAS or minimum assessment scope, uh, as folks will be hearing it uh described now within FedRAMP 20X. So, Tanner, I'm gonna go ahead and kick it over to you first, right out the gate, at a high level, what is MAS?

SPEAKER_00

Yeah, so MAS is uh minimum assessment scope, like you said, it's one of the balance improvement requirements, um, but more importantly, it's built in as one of the sub-requirements as a part of the AFR KSI. AFR is authorization by FedRAMP. Uh the AFR KSI basically takes each of the balance improvements and makes them an individual KSI. Uh so it's kind of like a nested KSI family, if you will. Uh makes a lot more sense if you go and you know read uh the KSIs directly from FedRAMP, um, which you know you can see where kind of the style of how that's built out. Uh but you know, the long and short of minimum assessment scope is you're identifying the parts of your system that are in scope for security testing. Um and MAS, it's not quite comprehensive as far as what you need to test with your KSIs, but it helps identify, especially in the cloud native architecture, what is in scope for your testing. So, you know, immediately thought immediately my thoughts go to as a part of your MAS checks, uh your validation checks. Again, if you haven't joined us before, uh FedRAMP 20x, KSIs are the new way of doing your security controls, like you did with Rev5. Instead, it's a key security indicator. So there's a requirement, and then you prove how you're following said requirement instead of following a prescribed way from a security control. Um, so to do that, we advise that folks build out validation checks. So you'll have multiple validation checks per KSI based off what you're doing. You want to get as much credit for all the security processes that you are doing or the security configurations that you have in place. So, you know, my mind on the MAS front is MAS requires that you prove your minimum assessment scope, like prove what needs to be tested for following said KSIs. So, you know, in a cloud architecture, I mean, scope, what needs to be tested, immediately my mind goes to inventory. 
So gather your inventory, uh, make sure that you've got all of those documented, but then with that inventory, what else should you be thinking about? Are you STIG hardening? Are you CIS hardening each of the images that you're leveraging for said inventory? Um, your ports and protocols, you know, are you in your networking? What ports and protocols are in use? That's part of your scope. And, you know, you can basically just take that and extrapolate that and just dive deeper and deeper into that. Um, but there's also the importance of understanding what outside of your traditional assessment scope or outside of your boundary needs to be included. So um that's all you like your back office, the the squishy controls. We actually were just on a webinar today with um with Anchore. Um, so you know when this was recorded, if you're paying attention. Um the squishy controls, as um Josh over at uh at Anchore said, are the the back office things like personnel security or security training or even you know investment metrics or like business decisions, that that all is still relevant to your system. It's not part of your traditional Rev5 boundary, um, where it's like you know the big red line that when you leave the system and you go into your learning management system, it's not considered part of a boundary. So um, yeah, I mean that's that's that's that's a not so brief overview of MAS. So I'll kick it back to you, Chad.

SPEAKER_01

Yeah, so what I what I'm hearing is is that uh you know it is what it what it sounds like, right? It's the smallest set of uh systems that must be proven secure to support your authorization, right? Or certification, right? So it's not necessarily it's not everything you have, uh, but it is what actually matters, uh you know, from a risk perspective. And and defining that is really what it boils down to. So I think it's important now that we've kind of defined that and and what it is, and and the you know, I just stated that it's not everything. Um why this change, right? So why this matters now in 20x. Let's let's talk a little bit about that. I know traditionally in the Rev5 uh world, uh there would become a little bit of bloat, if you will, right? Uh in this. So the the scope was often growing over time. It seemed like everything, more and more systems, more and more controls, more and more complexity continued to get pulled in. Talk to us a little bit about that and and then the difference now in the 20X landscape.

SPEAKER_00

Yeah, it's it's been a it's been interesting trying to figure out how to describe the MAS at your minimum assessment scope, because you know, the only thing you really had to work with was your boundary diagram. That was about the only way that you had to truly give an overview is you know, boundary diagram and then section eight of your SSP, which was, you know, depending on how detailed your SSP was, it could be, you know, dozens of pages long. Right. But we you often found that there wasn't a lot of value in some of the SSP because it was just you know explaining the purpose of things. It wasn't explaining what like technically was in use. Um, whereas, you know, with MAS, you know, it's a picture. Cool. I mean, the picture could be accurate, the picture could be inaccurate because it's it's at the end of the day, somebody's drawing. And you know, if you're truly describing it for what it is, I mean, of course, you're using usually some really great diagramming tools out there, but at the end of the day, it's a story that somebody's building, and that's valuable, but you can build that story with automated functions. Where you're saying, like, hey, this is the networking architecture of the system because we're pulling our VPC configurations, we're pulling our subnet configurations, we're pulling all of our ports and protocols that are in use based off of like NACL rules or WAF rules that are, you know, traffic that's allowed to pass, traffic that's not allowed to pass. Uh, and then we're grabbing an inventory of all of our resources. Um, I didn't mention it earlier, but AWS organizations or you know, similar services inside of Azure and GCP are a great, great way to show, hey, this is the macro view of my system. And then you can dive in at each level to show those details. 
Um, and then even at the OS level, you know, you can show like, hey, these are the OSs in use, and you check like STIGs or CIS benchmarks or whatever hardening process that you're going through, probably should be doing STIGs or CIS if you're in FedRAMP. You can see what services or functions on those OSs are allowed that need to be assessed because you're able to prove, hey, these are turned off, so we don't even need to assess those to make sure they're being used well.

SPEAKER_01

Yeah, so I think one of the things that you you hit on right there, you said the word valuable, and that's really what stands out to me. Um, you know, with with 20x, it's kind of flipping that model of um it's it's not uh quantity, it's quality, right? Um, and and really reviewing it from uh a security perspective and also a business perspective of of what is truly valuable and presenting that data uh and and even bringing that within the the scope, if you will, uh minimum assessment scope, right? And so it's gonna 20x really rewards precision, not just volume, right? So you know if the scope is too large, um then that continuous validation, this is kind of where you were going with that, the continuous validation becomes almost impossible if the scope is just so large. Um but really honing it in and figuring out what's valuable and what's uh important to the organization, but you know, and important to others that may be using the product as well out there when it comes to uh having your product authorized or certified, right? And people actually leveraging it, what's important for them to view uh on a continual basis that that proves that the environment's secure. So yeah, I I love that the fact that it's really kind of honing in the scope.

SPEAKER_00

Yeah, and it's important too, because you know, there is a lot of differences between Rev5 and 20x, but it genuinely the scope of your security testing is going to change depending on like what is part of your application enclave. You know, there is no authorization boundary diagram requirement for 20x. There is no quote authorization boundary anymore. Like that's not a it's not a term, but it's still relevant that concept of you know the disconnect between like commercial processes and your federal processes. Like you're gonna have a lot of commercial processes that still need to be checked. I mean, PS and AT have been a control family or two control families that have been assessed in every single FedRAMP system we've helped support.

SPEAKER_01

Right.

SPEAKER_00

But we're not testing the learning management system to see, you know, do they meet FedRAMP standards? They're not connected, they're not, they're not integrated directly with the system.

SPEAKER_02

Correct.

SPEAKER_00

Um, so they don't need to be tested at the same level. Same goes with, you know, your background check processes for users. So the MAS is the opportunity that FedRAMP has taken to keep that concept in mind for the traditional, you know, the big red boundary for the FedRAMP boundary, uh, or FedRAMP authorization boundary, the you know, the Rev5 legacy idea, because it's still relevant from a security testing and like configuration, configuration checking for your validation checks, but it gives you the opportunity with those other checks, you know, we're not talking about MAS anymore, we're talking about like incident response or you know, the CED family of KSIs, where you know, we going through the workshops, uh, we were terrified of like reaching out to our LMS because, oh, that's a connection, that's an external interconnection with a non-FedRAMP systems, which if you've been through Rev5 is is horrible. Yeah, it's it's it's it's trauma. You know, it's like you know, automatic big no no red X on your SAR. Sure. And the PMO was like, we don't care if you reach out to your LMS. You know, you're not you're letting your LMS have access into your validations, and all you're doing is checking and gathering data from your LMS. You're not right allowing, you're not, it's not a two-way connection. Um, I mean, it's the it's the same idea as like ancillary services that support your boundary and your Rev5 processes, or you know, uh like ThreatFox. ThreatFox is like a service we use to give us information about malicious IPs. So ThreatFox is giving us data, but it's not allowed to go in and change anything, it's just giving us info. Um, same idea. 
We need to be able to gather that from our LMS systems, or uh, I know a lot of folks use Workday, so like, hey, you might be allowed to reach out to Workday automatically now to gather your background check or your, you know, if there's on if that's plugged into your user onboarding process, just plug into your user onboarding process in Workday instead of bugging your HR people every time you go through a FedRAMP assessment and saying, I need these 15 people's background check details and I need screenshots, and then hey, make sure you blur it out blur out their SSN. Um now you can just automate that entire process.

SPEAKER_01

So yeah, I think I think um it's important as well for us to denote that just because the the boundary might be a dotted line now, if you will. I don't know, maybe that's a okay way to put it. Um you still have to define a boundary, right? What I mean by that is is you you can't continuously validate everything uh without clearly defining what's important, right? And so you still have to have some uh form of boundary, if you will, of hey, this is important to the business, this is important to the security of the application. So going back to the the learning management system there, right? Well, why is that important to the to the environment? Well, if your employees aren't properly trained uh on their security uh or uh with the annual security training that has to happen every year, uh, prove that that's happening because that is overall um that is important to the uh the life cycle of of the environment and and the security of the environment as well. And so being able to reach out and pull that information in is is very critical. Uh so yeah, I I'm glad to see that it's a little bit more relaxed in what we can pull in. Um, but I'm also glad to see the stance that's now being taken of, you know, does it really make sense to the business that data that you're showing?

SPEAKER_00

Absolutely. Yeah, it's um it's it's been refreshing to, you know, have a little bit of flexibility to prove that, you know, hey, we're doing these processes and I've got, you know, it's even things like, you know, like you said, it's what is security applicable, you know, where is security applicable versus where is this something that's supporting security? Yeah. Um what's the what's the important? Is this a in-boundary or a it's the same idea as what you use as, you know, CM-12(1). If you know your NIST controls, that's um, you know, data loss prevention. Um you know you can you need to know where are uh data, you know, where is certain kinds of data available in your environment? Where is the federal data being tracked? Where is the federal data metadata being tracked or stored or processed or transmitted? You need to know where that is. And it's the same idea, you're just saying what is actually part of the system versus what is help supporting the system, and then you can build that story into your validation checks. And that's really what MAS is asking you to do, which makes sense why people are a little confused or like concerned about how do I prove that. It's because it's pretty comprehensive. I mean, your whole KSI set helps explain that. And MAS, you know, our recommendation for that AFR-MAS KSI specifically, build the story of what is part of that traditional Rev5 boundary, and then rely on those other operational controls or excuse me, operational KSIs like IR, uh CED, uh PIY to help support the like ancillary quote outside of traditional boundary controls. Yeah.

SPEAKER_01

Yeah, that's a that's a great next topic. Here's let's let's throw a few of them out for the audience here. Like, what are some things that maybe are gonna be included at a high level, right? So I know I'm thinking, right, being the CISO uh security operations side here, security tooling, right? Hey, EDR, vuln management, um, those types of solutions out there. Yeah, we're gonna include that data, right? That's overall helping secure the environment. Uh, I'll go to another one. Logging and monitoring solutions. Those are gonna be within the within the scope. You know, in your mind, what are some other things uh that would be that would fall inside that boundary or uh be included in the minimum assessment scope?

SPEAKER_00

Yeah, I mean your your cloud native architecture inventory, so like all of your compute resources, databases, uh containers that are in use, uh, you know, any web apps that you mentioned, you know, security tooling. So if you've got like scanners that run on EC2, then you know you would want to have that, or you know, inside of AWS or GCP, Azure, again, whatever you know, cloud provider that you're using, you know, check what A check what services are in use. You know, you can pull that pretty easily from your cost explorer or from you know organizations, or even you can show what you're not using. You know, one of our checks, we're actually looking to see if we have an SC SCP, a service control policy inside of AWS that says we cannot, you know, we turn off any use of any of these services. So we're able to prove, and that what we did is we basically said if a service is not AWS on part of AWS's uh FedRAMP services in scope, we're not gonna use it. Just, you know, and we're forcing that through SCP because our engineers are trying to solution things, and AWS has a lot of really sweet tools that aren't FedRAMP authorized, right? And we don't want them to, you know, just by genuine mistake, forget to check FedRAMP services in scope one day because it's in GovCloud, but it's not in services and scope, right? And then we don't find that out until way later. So that's a we can get credit for turning those off. So we know that there's no non-FedRAMP authorized AWS services. So think outside of the box for things like that. Don't just get credit for things that you are using, get credit for the things that you're not allowing the use of. And think about the ways that you're forcing not allowing those. So yeah, I mean, services and that are in use, uh, security tooling in use, like you said, your inventory, uh, and then like proving like your networking. So you can prove like what ports are, quote, in scope for use and what ports like likewise are not in scope for use. 
You kill two birds with one stone by showing your ports and protocols in use.

SPEAKER_01

Yeah, so like those boundary protections, and then I'm also hearing a little bit of like uh access management or access control or identity management, you know, IAM stuff. Um and then if there's any like handling of sensitive data, right? Pull those those in as well, uh, although they should be within the boundary, if you will. But you know, let's talk about some of those you you call them squishy controls or or squishy KSIs, but you know, you mentioned LMS, that may be one. Uh I'm thinking like even HR um HR items when it goes back to like background checks and things of that nature. People management services, yeah.

SPEAKER_00

Any of your HR tools, you know, like Workday, super common for folks like managing background checks, and that's something I mentioned earlier, but um, you know, think also your company specific processes. So um, you know, incident response, sure, that's you know, that probably should be tracked in boundary. So like an incident response ticket, that should be tracked in boundary. And when we say boundary, we mean the traditional boundary, again, this is not a 20x term. This is just kind of in practice what it ends up looking like. Uh so like your incident response tickets or your incident response tabletop tickets, those should probably be on boundary. But think outside of the box of ways that you can show, you know, what is an incident, a phish. You know, so one of the one of the examples that we keep going back to is we have we contract with a third party that reaches out to our um, you know, Chad as CISO, you and a couple of guys internally know that it's happening, but nobody else on lead leads knows, or you know, there might be a small subset of the team that knows it's happening, but they'll do a third-party penetration test slash phishing exercise against the entire company. And we get metrics from that. So metrics will include, you know, like did, you know, we make sure that, you know, hey, if it's caught by some spam filter, probably not a great phish test. So let's open it back up on the spam filter, let them through, and then we get metrics on who falls to the phishing exercise, which hopefully is nobody. Uh, and then we also get metrics on how quickly, you know, what was the average open time, what was the average uh response time if they responded to the phish, or what was the average reporting metric? And we took that and said, hey, this is a back office process. This is not something that's part of our system directly, but it supports the system. 
If somebody falls to a phishing exercise and puts their FedRAMP credentials in, then you know, if I if I fail the phishing exercise and I give my FedRAMP credentials, cool. This isn't a process that has anything to do with FedRAMP this third-party phish exercise, but it proves that I could fall to a phish. So it's part of those squishy controls. So it's not part of your incident response process, but a phishing exercise could be you know an attempted incident or a you know an attack from a customer.

SPEAKER_01

That's very important you that you call that out because I know that time and time again we've talked with several organizations that uh are doing this FedRAMP penetration testing. And and a lot of time it's that external to corporate piece where there's the failure, right? We know though that threat actors are going to leverage that and then pivot uh and move laterally, uh unfortunately within the boundary at that point because credentials would then be exposed. But yeah, being able to show that, hey, yeah, we're we're testing that um and pulling that in because as you mentioned, that is uh and that could impact the overall security of the environment. So it's awesome to to call that out. Uh so let's talk about we talked about some things that we should include. What about some things that um or common mistakes that we see of things that shouldn't be included? Because I know that we've seen this, like a common mistake is to pull everything in, and it's kind of like a just to be safe. I'm gonna go ahead and just pull this information in. Um but to me that's where things start to break down because you again getting too much and having too wide of a scope um causes problems because again, we can't clearly define uh what matters. So, what are some areas that that you would recommend not pulling in?

SPEAKER_00

Yeah, I mean, uh my mind doesn't initially go to what things shouldn't be pulled in as a scope. You know, I again making sure you have that distinction of saying, like, if it's one of those squishy controls, don't bring it in. You know, that I'm easy enough to kind of understand, like, hey, this isn't a process that is actually actively part of your traditional Rev5 boundary. It supports it. So don't bring those into your MAS checks, leave those for the other checks as appropriate. Um, to me, it's really determining, you know, what do you prioritize in MAS because I think it's the it based off everything we've seen, it really is the PMO's intention for there to continue to be more data gathered for a KSI. Um, so you know, start by saying, what do I need as the minimum for my, I know it's pun in pun non-intended, what is the minimum POC I need for my minimum assessment scope checks to prove that I can do this, and then maybe make a short list and say, you know, hey, I need to get the rest of my KSIs sorted out, but I've got a short list of things that I want to add to my MAS later on. Um, and that probably is going to depend on what federal class you're pursuing. You know, if you're pursuing class A, that'll probably be a shorter POC for MAS than if you're pursuing class C or class D, you know, whenever phase four gets started. But um I think it goes it really goes back to the conversation of what provides value. You know, like VPC flow log configuration probably doesn't need to be included in your MAS. Right. But your uh like SIEM, like your SIEM S3 bucket, like I say, you store all your logs into S3, that S3 bucket probably should be included. Don't make a check specifically for that S3. Is that S3 included? Or is that S3 or is that EC2? You know, replace it with whatever asset inside of the environment. If there's an environment asset that you have to manage that is not managed by your service provider, is that included in your MAS? Okay, cool. 
Don't make a bunch of checks for each of those assets or each of those asset types. Just make a check for your inventory and streamline all that into one check because it still provides the same amount of data, but it helps streamline your KSI checks.

SPEAKER_01

Um I like where you're going with that, right? Of um again, define that minimum assessment uh that minimum scope first. Um, but you know, one thing I want to call out here as well is you you said create a checklist um and and start you know denoting those things down. However, I I want to make sure that people are uh very, very uh careful in doing that because one of the mistakes as well that that I feel like people can go down is is treating this as a documentation exercise. And it's not that, right? Because that would kind of be falling back to the old traditional way. It's not a documentation exercise. And let me uh uh help unpack what what I'm talking about here. Instead, treat this as an engineering exercise or an engineering decision because everything that you're defining here, you need to be asking yourself, can I automatically pull data or can I use some type of code or uh scripting to pull the data out, to pull out what's relevant, right? There may be some things that the answer to that is no, but we should be working towards the the manner of being able to continuously uh prove and pull that data out. So make sure that you got that checkbox in there when you are defining this list out so that we can uh continuously uh run scripts against it and and pull that information out.

SPEAKER_00

Yeah, and a good exercise if you're Rev5 authorized, or even if you're far down the path to Rev5 and you're deciding to pivot towards 20x: I know I made a joke about the fact that there is no such thing as the diagram anymore, but use any diagrams that you've developed to your advantage. Go through the diagram and say, okay, for each of these components and icons, is this something I manage? This can help you build that checklist that Chad was referring to. Go through and say, okay, is this an AWS resource that I manage? If not, cool. Then it's probably not EC2s that I need to go check or include in inventory, but I could check all the AWS services that I have in use, so they can be included in that list. But then if there are parts of that AWS service that you need to configure, for example, let's say you use KMS, and you use KMS managed keys, that probably could be included as a check. Maybe it's not part of your MAS checks, but it helps you think of other checks down the road as far as service accounts. You're looking at the CNA family, or excuse me, the authentication KSI now, and we're saying, do you have automatic key rotation configured inside of KMS for your service accounts? That's a check you can think of for your other KSIs. So MAS itself doesn't provide this massive amount of value to your assessor, but it is a way for the assessor to say, okay, these are all the services in scope; these are all the things that they need to be covering in their other KSI families. And then, if you're doing that exercise, that also helps you design all your KSIs, because you say, okay, these are all the things that are in my boundary. And then as you're going through KSIs, you can just hit each KSI against each of those resources and say applicable or not applicable.
And if it's applicable, how do you prove it for that service? And then that's how you build out your list on a KSI by KSI basis. Which again, a lot easier said than done. We know that, but it's at least a starting point. And it helps you, instead of saying these are the control families, you know, AC-2, I have passwords. Okay, where do you have passwords in the environment? A lot of places. So now you're saying, okay, cool, here's this resource. Let me go KSI by KSI for this resource in my minimum assessment scope. And if that KSI is not applicable, cool, I don't have to build a validation check for it. But if it's applicable, then you have the idea: okay, here's this KSI validation check, I've built it. And then when you get to the next one that's applicable, maybe there's overlap. You can reuse a check you've already made. So you can make it a very straightforward process.

SPEAKER_01

Yeah, I think, you know how I always love to pivot this over to the business aspect or the business impact as well. And one of the things I'm hearing is that MAS is going to directly impact essentially three things here that I feel like every organization is probably going to care about. Number one, it's the ability to help control cost, right? And I'll explain here in just a minute what I mean by that. Speed, but then even operability as well, right? And so going back to that cost: hey, if you're able to define a smaller scope and really prove only, and focus on only, what matters to the security of the environment, well then obviously fewer controls or fewer validations is fewer engineering hours that have to happen to prove that and build those continuous validations. Speed, right? Obviously, if you can automate it, then it's a faster path to the authorization or the certification. And then the interoperability, right, is that it's just easier to maintain that continuous compliance that we're talking about here, continually proving that the environment is secure and that the data that we are pulling really does matter. So I think, to me, for the executives out there that may be listening, the MAS is the ability to help control cost and control the speed at which you're moving, and also the complexity, for your FedRAMP 20x journey. So it really is the starting point of the 20x journey, defining that minimum assessment scope there. I agree. So I think with that, obviously we've defined our minimum assessment scope for XBU 40, and we went through that exercise. I think to kind of close things out here:
If you're out there and you're still looking for some help around the minimum assessment scope, and you're wondering where do I start, or what do I do to begin, we still have our assessment questionnaire that's out there on our XBU40.com site. You can head on over there and take that; I think it's a 23-question questionnaire, and it'll help define where you're at. And I believe it'll even help define a little bit of that minimum assessment scope and get the gears turning towards what should be within scope. So go and definitely check that out if you're still questioning some things. But Tanner, any last words here on minimum assessment scope for our audience?

SPEAKER_00

No, not on minimum assessment scope. That quick look assessment tool that you were referring to, Chad, we'll drop a link in the description. Again, we always try to make sure that folks are aware of updates from FedRAMP as well. So I did want to make a point about consolidated rules 2026. Just a little bit of context on that: that's basically the finalized 20x requirements from the PMO. And those are still targeted for the end of June of this year, so the end of next month. But the PMO did release a blog on the afternoon of May the 4th about basically a public preview of what those are going to look like. They've also released some links to the GitHub, where they're going to be posting the final look, so you can get an idea of how the consolidated rules are going to be structured. Again, no earth-shattering news from the PMO right now. It seems like they're sticking to their guns. So I would recommend reading through that. It's a very brief read; it doesn't take very long. Like I said, no earth-shattering news if you've been following FedRAMP: they're not pivoting heavily, they're still sticking to what they've been talking about. And Pete said that they'd probably be releasing some stuff in early May about consolidated rules, so they're still sticking to schedules, which is good to hear. Very much so.

SPEAKER_01

I think one of the things I've seen out of that was, if you head on over to the marketplace as well, you'll now see some of the new language out there. So class C certified is out there. They still have moderate in brackets for the level, but we're starting to see some of that new language trickle in.

SPEAKER_00

So yeah, other than that, I mean, it's on YouTube. You guys know the drill: like, subscribe, all that jazz. We'll be doing some more webinars, everything like that. We did one with Ancor earlier today, with Alex and I, from our 20x engineering team. So other than that, that's about it. You'll always find us behind the shield, as we say. Otherwise, have a good day, everybody.

SPEAKER_02

All right, I love it. Thanks, Tanner. See y'all.