Department of Defense (DoD) contractors are subject to strict compliance requirements, particularly when it comes to cybersecurity. Because these organizations access, process, store and transmit highly sensitive government information, they have to meet a rigorous set of baseline requirements as defined by the DoD’s Cybersecurity Maturity Model Certification (CMMC) program.
Getting ahead of CMMC 2.0
CMMC compliance is far from easy to achieve — especially with a new version of the program in development. CMMC 2.0’s exact requirements have yet to be revealed, but DoD mission partners will inevitably have to implement them once they arrive. Otherwise, they’d be unable to bid for future contracts and would risk impeding long-term growth.
Fortunately, contractors don’t have to sit around and wait. There are other regulations involving Controlled Unclassified Information (CUI) they must comply with right now — most notably, the Defense Federal Acquisition Regulation Supplement (DFARS).
DFARS and the Federal Risk & Authorization Management Program (FedRAMP)
DFARS is a cybersecurity mandate that requires all contractors to protect CUI by implementing a set of standardized controls. After its initial release in 2018, the DoD struggled with low compliance rates. So, it created CMMC to unify all mission partners under one comprehensive framework.
Despite the new standard, contractors must still comply with DFARS. The simplest explanation is that it outlines the baseline processes that CMMC is based upon, thereby laying the foundation for compliance. In short, that means mission partners can proactively prepare themselves for CMMC 2.0 by first meeting their DFARS requirements.
A specific DFARS stipulation, clause 252.204-7012, requires DoD contractors to ensure that “FedRAMP equivalent” controls are in place for any cloud service offering (CSO) that handles CUI. In other words, the DoD states that this DFARS obligation can be fulfilled by adopting the same controls required for a FedRAMP Moderate authorization.
Bottom line: CSOs with a FedRAMP authorization will likely qualify for DFARS compliance.
Is FedRAMP Moderate enough?
However, many mission partners are confused on two important fronts:
- FedRAMP is only acceptable to vendors that directly serve federal agencies, as authorizations are intended for government-wide reuse. Many vendors’ CSOs are used by commercial entities or deployed in a private cloud, not directly with the federal government. Therefore, they don’t qualify for FedRAMP. According to the DoD, mission partners can bypass this issue by ensuring their vendors meet the same minimum standards (even if they’re not formally FedRAMP authorized).
- FedRAMP Moderate may not work for all contractors. Although DFARS says it’s sufficient, the DoD’s Security Requirements Guide states the minimum security level for any CSO handling CUI is Impact Level 4 (IL4), which is much higher than FedRAMP Moderate. The DoD addressed this discrepancy by explaining that FedRAMP Moderate is sufficient for vendors that service a contractor. IL4 or IL5 is required if the vendor contracts directly with the DoD.
Clearly, although DFARS compliance is necessary, its requirements are also highly confusing.
The Project Hosts FasTrack
Project Hosts offers two options for DoD mission partners hoping to get ahead of their eventual CMMC 2.0 requirements and simplify compliance:
- FedRAMP Moderate Equivalent Turnkey Managed Service: The first offering is deployed in Microsoft Azure and leverages the Project Hosts FedRAMP-authorized General Support System. Connecting a CSO to our platform empowers you to inherit the majority of the controls without having to implement them on your own.
- DoD IL4 Equivalent Turnkey Managed Service: The second is deployed in Azure Gov and leverages an IL5-authorized platform. This allows DoD customers to inherit IL5 security controls, greatly reducing the burden of managing and maintaining them.
Best of all, they’re delivered on a timeline of four to six months without an audit, and up to 12 months if one is required, a much faster turnaround than braving the process on your own.
With the Project Hosts FasTrack, you don’t have to sit around and wait for CMMC 2.0. Our solutions will help you proactively address compliance and prepare your business for the opportunities ahead.
Contact our team for more information about how Project Hosts can help your organization today.