FedRAMP boundary · Cross-cloud transfer

Each cloud's transfer service is FedRAMP authorized — only inside its own cloud.

AWS DataSync is authorized within AWS. GCP Storage Transfer Service is authorized within GCP. Neither covers the path between them. That uncovered span is exactly what a cross-cloud transfer requires — and exactly where the evidence gap lives.

Authorization scope · End-to-end
Two FedRAMP-authorized boundaries. One uncovered crossing.
Diagram legend: AWS scope · GCP scope · Uncovered · Authorized

01 / FedRAMP authorization scope · Each service covers only its own cloud
AWS DataSync · Authorized
AWS boundary edge
No FedRAMP authorization
GCP boundary edge
GCP STS · Authorized

02 / Topology · Cloud boundaries · Cross-cloud span
AWS DataSync: ✓ FedRAMP authorized, within this boundary only. Scope: entirely within AWS.
Cross-cloud span (public internet · inter-cloud peering · transit fabric): ⊘ Authorization boundary exceeded. No FedRAMP authorization covers this path. Neither tool extends here.
GCP Storage Transfer Service: ✓ FedRAMP authorized, within this boundary only. Scope: entirely within GCP.

03 / Implication · Cross-cloud = outside both authorizations
Both tools are FedRAMP authorized — but only within their own cloud. The moment either tool crosses into the other cloud, its FedRAMP authorization no longer applies. Cross-cloud transfer requires a third party whose authorization spans the entire path — including the uncovered middle.
Server General · Transfer General Confirmed · GCP FedRAMP implementation guide

Source: docs.cloud.google.com/architecture/fedramp-implementation-guide — GCP's own FedRAMP implementation documentation.

— 01
Two boundaries, one gap

FedRAMP authorization is scoped to a system boundary. AWS DataSync's boundary stops at AWS. GCP Storage Transfer Service's boundary stops at GCP. The cross-cloud span lies outside both.

— 02
No combined coverage

Stacking two single-cloud authorizations does not produce a cross-cloud authorization. Each tool's evidence ends at its own boundary edge.

— 03
Where the evidence gap lives

For a regulated workload moving between clouds, the uncovered middle is precisely the segment that needs cryptographic proof of delivery — and that neither CSP-native tool provides.