CMMC and “FedRAMP Equivalent”: How to get there
DOD contractors entrusted with Confidential Unclassified Information (CUI) in performance of their contract for the Department of Defense will have to comply with the requirements of CMMC 2.0 after it is finalized. In the meantime, there are other regulations regarding CUI that DOD contractors must comply with now, in particular DFARS clause 252.204-7012.
If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline …
In short, this clause requires DOD contractors to ensure that “FedRAMP equivalent” controls are in place for any cloud service offering (CSO) they use that handles CUI. The two ways to ensure FedRAMP equivalence are:
If the CSO is also used directly by federal agencies, then it is possible for the Cloud Service Provider (CSP) to achieve a FedRAMP authorization for the CSO. A FedRAMP authorization definitely satisfies the DFARS requirement, but it is only possible with the sponsorship of a federal agency customer.
If the CSO is not used by any federal agencies, it is not possible for the CSO to obtain a FedRAMP authorization. In this case, the best way to ensure FedRAMP equivalence is to have a 3PAO perform a FedRAMP Moderate audit on the CSO and provide an attestation that FedRAMP controls are implemented.
The Project Hosts FasTrack
Project Hosts has developed a FasTrack approach to either authorization or attestation. For both paths, we first work with the CSP to understand their CSO and identify any gaps to FedRAMP compliance. We then tie their system into Project Hosts’ FedRAMP authorized GSS One PaaS, to enable the CSO to simply inherit the majority of FedRAMP controls. After ensuring that all remaining controls are implemented, we write up the System Security Plan (SSP) for the CSO, engage the 3PAO auditor, and manage the audit on the CSP’s behalf. From start to finish, the attestation FasTrack takes about six months.
For more information about FedRAMP equivalence or the Project Hosts FasTrack, email firstname.lastname@example.org.