MAS-CSO-TPRMUSTAll frameworksImplementation guide coming soon

Third-Party Information Resources

Minimum Assessment Scope (MAS) · General Provider Responsibilities

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for MAS-CSO-TPR is not published yet. The official source below remains complete and authoritative.

Information required

General usage and configuration
Explanation or justification for use
Mitigation measures in place to reduce the potential impact to federal customer data
Compensating controls in place to reduce the potential impact to federal customer data

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR (Identify Information Resources) APPLIES, by documenting the following information about each applicable third-party information resource:

Defined terms in this requirement

Cloud Service Offering Federal Customer Data Information Resource Initial Incident Report (IIR)Provider Third-Party Information Resource

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.

Information required

Official FedRAMP source

Defined terms in this requirement

Related requirements

Change history