top of page

When is FedRAMP equivalency required?

For years, cloud service providers (CSPs) selling to the public sector have been subject to strict compliance requirements. This is especially true for CSPs working with Department of Defense (DoD) contractors — organizations that process extremely sensitive data with national security implications.

FedRAMP Authorization

One of their broadest mandates involves the Federal Risk and Authorization Management Program (FedRAMP). According to law, contractors must require CSPs to implement security controls “equivalent” to the FedRAMP Moderate baseline.

But what does that mean? When is it required? And what can CSPs do to simplify the process?

In this brief guide, we’ll answer these questions and explain how Project Hosts can help streamline compliance.

What is FedRAMP equivalency?

Since 2015, DoD contractors have had to comply both with Cybersecurity Maturity Model Certification (CMMC) and also with the Defense Federal Acquisition Regulation Supplement (DFARS) — a set of rules designed to protect Controlled Unclassified Information (CUI).

DFARS clause 252.204-7012, in particular, requires DoD contractors to ensure cloud service offerings (CSOs) that process CUI have security controls equivalent to the FedRAMP Moderate baseline. In short, FedRAMP is a separate regulatory framework that unifies all federal agencies under one set of security standards. It provides a marketplace where they can easily find compliant vendors that demonstrate high-assurance data protection.

However, for a long time, CSPs have been in the dark about what “FedRAMP equivalency” means and how they can achieve it. Fortunately, the DoD issued a memo clarifying its exact requirements.

Per the guidance, FedRAMP Moderate equivalency means that a CSO has a fully documented System Security Plan (SSP), is audited annually by a FedRAMP-certified Third Party Assessment Organization (3PAO), maintains continuous monitoring (e.g., monthly vulnerability scanning and patching), and remediates all vulnerabilities within the required timeframes.

Critically, without FedRAMP equivalency, cloud vendors won’t be able to sell their applications to DoD mission partners that process CUI. What many CSPs fail to realize, however, is that they also have to become FedRAMP Moderate equivalent if they process Covered Defense Information (CDI).


In simple terms, CUI is information that’s sensitive and in the interests of the United States but not strictly regulated by the federal government. According to DFARS, CDI is unclassified controlled technical information that the DoD hasn’t identified but was developed and used by the contractor in service of their contract.

Because of this wider definition, many DoD mission partners are deciding the simplest path is to require virtually all CSOs to achieve FedRAMP Moderate equivalency.

How to fast-track FedRAMP Moderate equivalency

CSPs face an uphill battle if they haven’t already achieved FedRAMP Moderate authorization. The process is years long, extremely expensive, and notoriously complex.

Moreover, even after initially gaining compliance, they must implement continuous monitoring to maintain compliance.

The good news? Project Hosts’ FasTrack solution can do the heavy lifting on their behalf. Our General Support System (GSS) is a Platform-as-a-Service offering that expedites the journey from start to finish.

GSS One is already FedRAMP-authorized, which means CSOs can immediately inherit the majority of required controls. With our turnkey compliance services, we’ll simplify the assessment process by writing the SSP, monitoring the CSO, and managing 3PAO audits. =

Ready to fast-track compliance? Learn more about our FedRAMP solutions today.


Recent Posts

See All


Want to learn more about FedRAMP Equivalency?

Contact Project Hosts Today!

Thanks for submitting!

bottom of page