This document provides a justification for excluding the Customer Check-In System from the FedRAMP authorization boundary.
System Description
The Customer Check-In System is a cloud-based application used to log customers entering an office facility. The system collects limited information at the time of check-in, including the visitor’s name, reason for visit, and date/time of entry. The system supports front-desk and physical security operations only.
Out-of-Scope Determination
The Customer Check-In System is considered **out of scope for FedRAMP authorization** based on the following factors:
- No Federal Mission Data
The system does not process, store, or transmit federal information created by or for a federal agency in support of an agency mission, as defined by OMB Circular A-130. The data collected is limited to administrative visitor records for facility access purposes.
- Administrative / Physical Security Function
The system supports physical access management and visitor tracking and is not part of any federal information system that supports mission-critical, operational, or programmatic functions.
- No Integration with Federal IT Systems
The system does not integrate with federal networks, identity management systems, personnel systems, authentication services, or other agency information systems. It operates independently of agency IT infrastructure.
- Limited PII with No Systemic Impact
While the system collects limited personally identifiable information (PII), the data is not used for identity verification, authorization, or access to federal information systems. The compromise of this data would have minimal impact and does not meet the threshold for inclusion in a FedRAMP authorization boundary.
- Outside the Authorization Boundary
The Customer Check-In System is not included within any FedRAMP-authorized Cloud Service Offering (CSO) boundary and is not required to be assessed under the FedRAMP program.
Conclusion
Based on the criteria above, the Customer Check-In System does not meet the definition of a Cloud Service Offering requiring FedRAMP authorization and is appropriately designated as **out of scope**. The system may still be subject to agency-specific privacy, records retention, or security requirements as applicable.