If you’re a defense contractor, you probably know the Department of Defense (DoD) issued a critical memo on January 2, 2024, signaling a significant shift in the requirements for defense contractors utilizing Cloud Service Offerings (CSOs). This memo brings about crucial changes to the FedRAMP equivalency concept, affecting many contractors’ compliance with DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC). Although it is clear that the DoD expects swift changes to be made to bolster the cybersecurity posture of the overall Defense Industrial Base (DIB), these changes don’t have to be overwhelming for you and your organization – logistically or financially!
The History of FedRAMP and the DoD
Back in 2015 when FedRAMP was still a new program, there were very few FedRAMP authorized cloud solutions, and those that were authorized were generally only made available to government agencies. However, contractors processing Covered Defense Information (CDI) in a cloud solution were also bound by the restrictions of the FedRAMP program and could not feasibly procure authorized solutions. Therefore, the DoD introduced the concept of FedRAMP equivalency. As long as a CSO met the FedRAMP Moderate baseline, implemented its associated controls, and the contractor utilizing the CSO could attest to the equivalency, it could be used to safeguard CDI. This allowed for operational continuity without the need for a CSO to obtain a formal FedRAMP authorization. However, the landscape has shifted dramatically since then: FedRAMP authorized cloud solutions, while they can be costly, are now far more widely available.
New Horizons for FedRAMP Equivalency
In accordance with this evolution in the industry, the new DoD memo emphasizes that CSOs must now meet and continuously adhere to 100% of the FedRAMP Moderate baseline security controls to be considered FedRAMP equivalent. All Plan of Actions & Milestones (POA&M) items must be fully closed out at the conclusion of a Third-Party Assessment Organization (3PAO) led security assessment. This heightened standard effectively marks the end of FedRAMP equivalency, posing a new set of challenges for defense contractors.
Under DFARS 252.204-7012, defense contractors are explicitly tasked to “require and ensure” that the CSOs they utilize not only meet FedRAMP Moderate baseline security requirements but also fulfill additional DFARS obligations. These include cyber incident reporting, malicious software prevention, media preservation and protection, access to necessary information and equipment for forensic analysis, and cyber incident damage assessment.
Because the memo took effect immediately, many defense contractors have suddenly found themselves non-compliant with DoD contracts that carry DFARS 252.204-7012 provisions and CMMC requirements, both of which govern the safeguarding of CDI, also referred to as Controlled Unclassified Information (CUI).
CSOs, MSP/MSSPs, and Common Misconceptions
While a CMMC Proposed Rule released on December 26, 2023, suggested that a System Security Plan (SSP) and Customer Responsibility Matrix (CRM) alone might be sufficient for equivalency, it is expected to align with the language of the memo upon update. In fact, it could be argued that DFARS 7012 itself could be updated to match the memo as well. Defense contractors need to be aware that if they are utilizing a CSO that is merely “FedRAMP equivalent”, they may be out of compliance with their contracts. And no, merely hosting a cloud solution in Amazon Web Services (AWS) GovCloud or Microsoft 365 Government Community Cloud (GCC) High does not automatically make a CSO FedRAMP equivalent or compliant.
Furthermore, I know many of you are getting to the end of this and thanking your lucky stars you contracted with an MSP/MSSP so that all these pesky rules surrounding CSOs don’t apply to you – think again! If a cloud-based MSP provides any services in scope for a defense contractor on systems processing CUI, then that MSP must also pursue at least a FedRAMP Moderate authorization if it isn’t CMMC certified at the same level as the system. MSP/MSSPs can really increase the security posture of your organization and help you meet the requirements to stay in compliance, but like any external service provider, it is the responsibility of the contractor to ensure that the MSP is in compliance before allowing it to process, handle, or safeguard CUI.
Earthling’s Free Workshop on FedRAMP Equivalency
Navigating the labyrinth of regulatory changes can be daunting, especially when contracts hang in the balance. Contractors, we understand the confusion and urgency you’re facing. At Earthling Security, we specialize in untangling the complexities of DFARS, CMMC, and the latest FedRAMP updates. Don’t let compliance concerns jeopardize your contracts; lean on our expertise to explore the options available to you and your organization, and let us help you find a compliant (and affordable!) solution. Reach out today, and let us bring clarity and certainty to your GRC strategy with our free FedRAMP workshops, which provide an overview of your program along with any compliance implications, ensuring that your contracts remain secure and your operations resilient. We also offer StateRAMP workshops!