The Equivalency Memo: Watch at Your Own Peril (Especially if You Own a Small Business)
I will never go back to the theater if this is what I have to watch - Small business owner who provides ERP to subcontractors of DoD Primes
5 out of 5 stars, would see again! - Large CSP who is already on the FedRAMP Marketplace
From the critic reviews above, you can see that everyone has a different reaction to the Department of Defense's memorandum titled "Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings." In providing clarity, the DoD has also provided a good amount of heartburn for Cloud Service Providers (CSPs) who now have to figure out how they are going to get their environments up to FedRAMP Moderate standards. How the heck did we get to this CMMC/FedRAMP Moderate plotline anyway?
Brief history of NIST 800-171/CMMC
The Department of Defense (DoD) mandated in early 2018 that all organizations handling Controlled Unclassified Information (CUI) implement the 110 security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171): Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To overcome the shortcomings of self-attested NIST 800-171 compliance, and to continually defend the vast attack surface of the Defense Industrial Base (DIB), the DoD released the tiered Cybersecurity Maturity Model Certification (CMMC) framework in 2020. CMMC 2.0 was then introduced in November 2021 to streamline the model from five levels to three. Starting in Q1 of 2024, CMMC compliance becomes a mandatory requirement for DIB contractors: they will not be able to bid on DoD contracts if they fail to comply with the appropriate CMMC Level.
FedRAMP Equivalent
The memo treats a Cloud Service Offering (CSO) as FedRAMP Moderate equivalent when it:
"Meets security requirements equivalent to the FedRAMP Moderate baseline; and
Complies with DFARS 252.204-7012 requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."
In summary, the DoD memorandum establishes that meeting CMMC/DFARS 252.204-7012 is no longer the minimum security standard for CSPs that offer cloud services to DIB contractors handling CUI. FedRAMP Moderate equivalence is.
What’s the Difference between CMMC and FedRAMP MOD equivalent?
CMMC Level 2 is based on NIST 800-171, which DFARS 252.204-7012 requires contractors to implement; NIST 800-171 itself is tailored down from the NIST 800-53 moderate baseline. FedRAMP Moderate is based on the full NIST 800-53 moderate baseline. The bigger question moving forward is reciprocity. Being CMMC Level 2 compliant DOES NOT equal being FedRAMP Moderate equivalent. Establishing reciprocity between CMMC and FedRAMP is a top priority. Soon, your FedRAMP Moderate efforts could pave the way for easier CMMC acceptance.
Other differences include:
FedRAMP Moderate consists of 325 controls (the NIST 800-53 moderate baseline), whereas CMMC Level 2 has only the 110 NIST 800-171 requirements.
FedRAMP Moderate and CMMC both require a System Security Plan (SSP), a Customer Responsibility Matrix (CRM), and a Plan of Action and Milestones (POA&M). In addition, FedRAMP Moderate requires:
Configuration Management Plan
Incident Response Plan (IRP)
Control Implementation Summary (CIS) Workbook
Federal Information Processing Standard (FIPS) 199 security categorization
Separation of Duties Matrix
Continuous Monitoring Strategy (required by CA-7)
User Guide
Digital Identity Worksheet
Rules of Behavior
Information System Contingency Plan (ISCP)
FedRAMP CSPs are assessed by a Third Party Assessment Organization (3PAO), while a CMMC assessment is performed by a CMMC Third Party Assessment Organization (C3PAO). 3PAOs can be found on the FedRAMP Marketplace website.
But what about the Plan of Action and Milestones statement?
Yes, the memo does have a statement we expect will be modified in the future. Currently, it states that a CSP cannot have any open POA&M items resulting from the 3PAO assessment. If you are a CSP currently going through a FedRAMP Moderate authorization with a sponsor, you ARE allowed POA&M items, which you close out through your normal process based on severity. Why would being "FedRAMP Moderate Equivalent" actually be more stringent than the usual authorization process? We expect this statement to be picked apart and more clarity provided in the future.
Final Thoughts (tl;dr)
If you are a CSP and your customers are working directly with the DoD, start thinking about how you will get to FedRAMP Moderate equivalent ASAP. The memo gives contractors the option to take a risk-based approach in continuing to use CSPs that are not yet FedRAMP Moderate equivalent, as long as those CSPs are on the journey to authorization and can provide updates on their progress. The responsibility lies with contractors to ensure CSPs meet these standards, as validated by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). Contractors must be vigilant in scrutinizing CSP claims and demand tangible proof of FedRAMP Moderate equivalence (the 3PAO-assessed body of evidence, not a self-attestation). The memo clarifies the role of contractors as approvers and emphasizes their accountability in the event of a CSO compromise.
Illumen has developed a RampUp approach to partnering with CSPs on their CMMC or FedRAMP journeys. For both paths, we first work with the CSP to understand their CSO and identify any gaps in FedRAMP compliance. After ensuring that all controls are implemented, we write up the System Security Plan (SSP) for the CSP, engage the 3PAO auditor, and manage the audit on the CSP’s behalf.
For more information about FedRAMP equivalence or our RampUp approach, email hello@illumen.io or use the “let’s talk” button above.