FedRAMP Moderate Equivalency for Cloud Service Providers Explained
Published 09/19/2024
Originally published by Schellman.
Looking back, December 2023 was a big month for the Department of Defense (DoD). Not only did they release the 32 CFR Part 170 - Cybersecurity Maturity Model Certification (CMMC) Proposed Rule, but they also published a memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s (CSP) Cloud Service Offerings (CSOs). The latter, in a huge development, clarified requirements for CSOs that are currently (or will be) storing, processing, or transmitting Covered Defense Information (CDI)—more commonly referred to as Controlled Unclassified Information (CUI)—although there are some nuances that must be understood.
This isn’t the first major step toward this determination. Back in 2016, when the DFARS 252.204-7012 clause was being revised, the DoD acknowledged the idea that members of the Defense Industrial Base (DIB)—more specifically DoD contractors—might choose to put CUI in the cloud. Considering that the DoD must meet a minimum of FedRAMP Moderate or DoD IL2 requirements to put data in a CSO, there became a related need to require contractors who choose to put CUI in the cloud to also ensure that CUI is stored, processed, or transmitted with the same standard of protection. And so, the clause was revised to state:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”
Ever since, there’s been friendly debate in the IT audit community and among the DIB on what would be necessary or acceptable to meet what was laid out in the above statement—particularly regarding the term “equivalent.”
But now, the DoD’s memorandum has finally clarified their expectations as it relates to FedRAMP Moderate Equivalency. In this article, we’ll summarize the memo, including what documentation is required to demonstrate equivalency, how equivalency is validated, and why simply getting FedRAMP Authorized may not be the best alternate solution.
We hope this information will assist DIB contractors in determining what their CSPs must do to comply with DFARS clause 252.204-7012—as will the additional context provided by the 32 CFR CMMC Proposed Rule—including how DIB contractors determine which CSPs to do business with as it pertains to the handling of CUI by the CSP.
How to Achieve FedRAMP Moderate Equivalency
In short, the memorandum dictates that CSOs can obtain FedRAMP Moderate equivalency by:
- Achieving 100% compliance—i.e., zero findings—with the latest FedRAMP Moderate security control baseline; and
- Having that compliance assessed by a FedRAMP-recognized Third-Party Assessment Organization (3PAO); and
- Presenting the body of evidence (BoE)—i.e., supporting documentation—to the contractor (i.e., member of the DIB).
As simple as three bullet points may seem, achieving 100% compliance with the FedRAMP Moderate baseline to demonstrate equivalency will be extremely challenging because the DoD is serious about that 100%— CSPs must fully implement all 323 controls within the FedRAMP Moderate baseline and your 3PAO assessment must yield zero control findings.*
* While DoD requirements for FedRAMP Moderate Equivalency do not allow for POA&Ms resulting from a 3PAO’s assessment, CSPs are allowed to have operational POA&Ms.
Why Not Just Get FedRAMP Authorized?
And, if that’s the case, you may be thinking, “Why not just go ahead and pursue a FedRAMP Authorization To Operate (ATO)?” Why consider the equivalency path at all? After all, CSOs seeking a FedRAMP Authorization—a process that involves finding a sponsor and federal agency/FedRAMP PMO reviews—do not require 100% compliance as the equivalency option does.
And while the small leniency concerning findings may seem attractive, CSPs should also consider that the FedRAMP ATO process—including the effort to find an agency sponsorship* and the subsequent steps in the process—is time consuming, rigorous, and requires additional review from the FedRAMP PMO.
Do You Already Have FedRAMP ATO? Are You Still Working Through the FedRAMP Process? Per the DoD memo, FedRAMP Equivalency is not required for CSOs that are FedRAMP Moderate Authorized under the existing FedRAMP process. However, that carve-out does not apply to CSOs without a formal FedRAMP Moderate Authorization, which means that CSOs in the following states would still be required to demonstrate FedRAMP Equivalency via the process defined below:
|
*The FedRAMP Program is currently undergoing modernization per this OMB Memorandum, a key aspect of which is that additional paths to authorization will be created, including the “program authorization” which would not require an agency sponsor. Such a development would be a boon for CSPs that handle CUI but are unable to find a sponsor, as it would provide yet another alternative path to equivalency. For more information on program authorization and other key takeaways from the draft OMB Memorandum on FedRAMP modernization, read our breakdown.
What Documentation is Necessary for FedRAMP Equivalency in CMMC?
So then, if you, as a CSP, instead decide to move forward with obtaining FedRAMP equivalency for your CSO through 100% compliance with the Moderate baseline, you’ll need to make the comprehensive control implementations, have those assessed by a 3PAO applying standard FedRAMP assessment methodology, and provide a BoE to your DIB contractor. But what comprises that BoE?
As it relates to FedRAMP Moderate Equivalency, the following documentation must be included or obtained as part of your FedRAMP assessment and provided to DIB contractors to demonstrate equivalency with the Moderate baseline:
Document | Details |
System Security Plan (SSP)
| As the SSP is meant to document how compliance is achieved in relation to FedRAMP control requirements for a given CSO, it must include the following:
The SSP also includes several attachments:
3PAOs will review the SSP as part of their assessment, but—when provided as part of the BoE—DIB contractors will also use it to assess the CSO and surmise the risk of that CSO storing, processing, or transmitting the contractor’s data. |
Security Assessment Plan (SAP)
| The SAP includes:
The SAP also includes the following attachments:
|
Security Assessment Report (SAR)
| The SAR includes:
The SAR also includes several attachments that are either generated by the 3PAO during testing or part of the evidence provided by the CSP:
|
Plan of Action and Milestones (POA&M)
| A POA&M assists CSPs in identifying, evaluating, prioritizing, and continuously assessing the progress of corrective efforts to address security weaknesses, deficiencies, or vulnerabilities in the CSO. In addition, other artifacts are required as part of a CSP’s ongoing responsibilities for maintaining the security posture of the CSO:
Given that FedRAMP Moderate Equivalency requires full compliance with the baseline, DoD requirements for FedRAMP Moderate Equivalency do not allow for control-related POA&Ms that result from a 3PAO assessment of the CSP’s CSO. However, the memo does state that CSOs are allowed to have operational POA&Ms (e.g., vulnerability scan remediation as part of ongoing continuous monitoring responsibilities). These POA&Ms would either be provided by the CSP at the beginning of the assessment as a form of due diligence and/or generated at the end of the assessment to track remediation efforts of findings identified by the 3PAO. |
While the DIB contractor must validate that the BoE the CSP provides meets the FedRAMP Moderate Equivalent standards, the DIB contractor must also ensure the following obligations are (or will be) met:
- Endorse the use of the CSO by their organization and confirm that the selected CSP has an incident response plan.
- Ensure the CSP follows the incident response plan, including notifying the contractor in the event of an issue.
- Report any compromise of the CSO in accordance with the applicable contract terms and conditions, as the memorandum dictates that the contractor—not the CSP’s CSO—will be held responsible.
FedRAMP Equivalency Validation - Who is Responsible for What?
Once the CSP has fully implemented the 323 controls FedRAMP Moderate in their CSO, has achieved 100% compliance with the baseline per the 3PAO’s assessment, and has provided their BoE to their DIB contractor, the CSP’s equivalency must still be validated.
As FedRAMP Moderate Equivalency is heavily tied to the 32 CFR CMMC Proposed Rule, the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will oversee this validation, and that will involve their review of the BoE and obligations outlined above.
What’s Still Unclear About FedRAMP Moderate Equivalency
As much clarification as this memorandum provided about the opportunity for CSPs to demonstrate their CSO’s FedRAMP Moderate Equivalency to the DIB, some things still have yet to be fully and clearly incorporated into this new avenue:
- While the memorandum did outline Points of Contact for inquiries regarding equivalency in the CMMC Ecosystem, at no point did it reference the adoption of this avenue for the Joint Surveillance Voluntary Assessment program or the 32 CFR CMMC Proposed Rule.
- The 32 CFR CMMC Proposed Rule responded to a public comment on the rule itself regarding the acceptance of alternate standards, specifically for cloud standards in stating: “If an OSC uses an external CSP to process, store, or transmit CUI or to provide security protection for any such component, the OSC must ensure the CSP’s product or service offering either (1) is authorized as FedRAMP Moderate or High on the FedRAMP Marketplace; or (2) meets the security requirements equivalent to those established by the Department for the FedRAMP Moderate or High baseline.” But while the 32 CFR CMMC Proposed Rule requires the use of CSOs that are FedRAMP Moderate Authorized or deemed FedRAMP Moderate equivalent when handling CUI and security protection data (a CMMC-custom term), the memorandum only references CUI.
- Though the CA-8(2) control for Red Teaming exercises* was added to the requisite controls in the Moderate Baseline as part of FedRAMP’s recent transition to Revision 5, the memorandum made no indication of the deliverables associated with these exercises whether they’re performed internally by the CSP or the 3PAO or another third-party.
- As mentioned previously, the memorandum indicated that operational POA&Ms are allowed; however, it does not fully define “operational POAMs” and the types of findings that may fall into the category, nor does the memo go into detail about thresholds for the number of operational POA&Ms at a given time.
*Red Team exercises simulate attempts by real attackers to compromise the system and extend farther than the traditional penetration test.
What’s Next for CSPs, DIB Contractors, and CMMC?
All in all, this new memorandum from the DoD—together with the 32 CFR CMMC Proposed Rule—has provided much-needed clarification regarding the compliance of DIB contractors with DFARS clause 252.204-7012 and that of the third-party solutions you’re using to store, process, or transmit CUI or Security Protection Data. Per this memorandum, CSPs working with contractors must formally demonstrate FedRAMP Moderate Equivalency, and now you understand a little more of what that will entail.
These developments will surely keep the experts talking about the details and nuances in the coming months/years, and in the meantime, if you’re looking for more information regarding CMMC, check out our other content:
- Determining Your Level of CMMC Compliance: The Importance of CUI
- How To Get CMMC Certified
- Insight Into the Joint Surveillance Voluntary Assessment (JSVA) Program
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024