Many organizations with software-as-a-service products assume that FedRAMP accreditation testing is only conducted on the application. In reality, all the underlying infrastructure supporting the solution are in scope for the assessment. So, for testing access controls, your assessor will not stop at your application. They will test access controls for the operating systems and other underlying components within the infrastructure.