January 10, 2024
FedRAMP Moderate Equivalency Defined
(and why you care, if you handle CUI)
Last week, the DoD's recent memo defining "FedRAMP Moderate Equivalency" (FRME) was released. The definition of FRME in this memo is much stricter and more comprehensive than the definition in the proposed CMMC rule.
In a nutshell? If you want to use cloud services to process, store or transmit CUI, you probably will want to use a FedRAMP Authorized Cloud Service Offering. Read on to learn the details of why you may care.
If you handle CUI and you have the DFARS 7012 clause in any of your contracts, you may have noticed this section (b)(2)(ii)(D):
"If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."
What does this mean?
First, "covered defense information" (CDI) is unclassified controlled technical information or other CUI related to a contract. So if you handle CUI, this may apply to you.
Second, what is an external cloud service provider? According to the definition in the proposed CMMC rule published on Dec 26:
"Cloud Service Provider (CSP) means an external company that provides a platform, infrastructure, applications, and/or storage services for its clients."
(Note: this definition is widely considered to be overly broad, and we hope it will be modified in the final version of the rule.)
The products offered by CSPs are "cloud service offerings" (CSO).
If you are using a CSO to process, store or transmit CUI, it must meet security requirements equivalent to the FedRAMP Moderate baseline. But what exactly does "equivalent to" mean? How does one prove equivalency? Contractors have been puzzling over this for years, and DoD finally came out with an official answer. Unfortunately, it's not the answer anyone had hoped for:
"To be considered FedRAMP Moderate equivalent, CSOs must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization (3PAO)"
The memo goes on to list the documentation required (extensive) and states that no open POA&Ms will be allowed for equivalency (despite the fact that FedRAMP Authorized CSOs are allowed POA&Ms). The CSO must have an annual assessment by a 3PAO to prove continuing 100% compliance with the requirements of both FRME and DFARS 7012. Finally, it is the contractor's responsibility to verify that the CSO is meeting all these requirements; the contractor is also responsible for reporting incidents and for verifying that the CSO is following the incident response plan.
To summarize, an "equivalent" CSO is held to a higher standard than an "authorized" CSO (100% compliance with no POA&Ms), and the contractor assumes many of the CSO's compliance obligations.
This memo has caused waves in the DoD contractor community. Many organizations, both contractors and vendors, host their CUI in GovCloud and think that means they are covered. It does not. We may soon see changes in vendor offerings as a result of this memo.
Ultimately, what does this mean for you? If you are currently using cloud services to process, store or transmit CUI, or are considering making any changes to your covered information system that involve any cloud services, you should check the FedRAMP Marketplace to see whether your current CSOs are authorized, and if not, whether there are authorized products that will meet your needs. You should carefully interview current and prospective vendors and ask hard questions about equivalency. Many vendors claim they are "compliant" with FedRAMP, but it is now your responsibility to verify that they are in fact meeting the requirements of FRME.
Need help? You know where to find me!
Want more information? Check out my upcoming virtual CMMC workshops:
Wednesday, February 28, 2024
Tuesday, March 5, 2024
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!