FedRAMP + Secrets Management Tool

old.reddit.com / @/u/MinuteProud5554, https://old.reddit.com/user/MinuteProud5554

Hi, we're working on our FedRAMP Auth Boundary and having a hard time figuring out how our secrets manager fits in. We use a third-party, non-FedRAMP SaaS, and we use it for passwords/secrets that we use to access clients' sites (which may or may not contain Federal data).

We believe the secrets manager contains no Federal data or Metadata, however it could impact the CIA of Federal Data/Metadata.

To be clear, I feel that this tool falls squarely in our Auth Boundary and hence we should move to a FedRAMP tool (Keeper) or self host in-boundary, but we can't reach a consensus here.

As a second question, would it be fair to say that any lines that cross our defined auth boundary (e.g., between our Gov and Commercial hosting accounts) should be severed where possible (i.e., by moving services into the boundary even if we're not 100% sure they will handle Federal data/metadata)? Or I guess we face scrutiny on exactly what that cross-boundary line is...

Thank you for helping navigate this minefield!

submitted by /u/MinuteProud5554

published 5 months ago