By Payam Pourkhomami, President & CEO of OSIbeyond
For Department of Defense contractors working toward Cybersecurity Maturity Model Certification compliance, much of the effort tends to focus on internal systems and processes. However, one critical aspect that shouldn’t be overlooked is the selection of external service providers, particularly cloud service providers, known as CSPs, which can make or break your compliance efforts.
This article explores CMMC requirements for the secure handling of controlled unclassified information—a.k.a. CUI—in the cloud to provide guidance on how to select a cloud provider that will support rather than undermine your compliance efforts.
CMMC Cloud Service Provider Requirements
For defense contractors handling CUI, CMMC mandates strict requirements regarding CSPs. Specifically, any CSP used to store, process, or transmit CUI must meet one of two key criteria:
Option 1: FedRAMP Moderate Authorized
The Federal Risk and Authorization Management Program is a U.S. government program designed to standardize the security requirements for cloud services used by federal agencies. CSPs that are FedRAMP Moderate Authorized have undergone rigorous security assessments and received an authorization to operate, or ATO, certifying that they meet the necessary security controls to store, process, and transmit sensitive government data, including CUI.
FedRAMP-authorized CSPs are listed in the FedRAMP Marketplace, which provides a reliable, vetted source of cloud solutions that are compliant with DOD regulations. By selecting a CSP from this marketplace, contractors can be confident that they meet the CMMC’s requirements for securing CUI without needing to conduct further assessments or prove equivalency.
Option 2: FedRAMP Moderate Equivalent
CMMC also allows the use of CSPs that can demonstrate they are FedRAMP Moderate equivalent. According to a memorandum issued by the Department of Defense in January 2024, CSPs must meet strict criteria to be considered FedRAMP Moderate equivalent. The memorandum clarifies that to achieve equivalency, a CSP must meet 100 percent compliance with the latest FedRAMP Moderate security control baseline, which includes undergoing a thorough assessment by a FedRAMP-recognized Third Party Assessment Organization.
The CSP must provide a comprehensive body of evidence, or BOE, to the contractor, which includes key documentation such as the system security plan, incident response plan and configuration management plan. The BOE must also include monthly infrastructure and database scan results, penetration test reports, and other critical security artifacts, all validated by a 3PAO.
Unlike FedRAMP-authorized CSPs, FedRAMP-equivalent CSPs cannot have open plans of action and milestones, or POA&Ms, resulting from their assessment. All security gaps identified during the assessment must be addressed and closed, with no exceptions allowed for remediation plans, making it difficult for CSPs to meet the stringent equivalency standards.
The Danger of False FedRAMP Equivalency Claims
While the CMMC framework permits the use of CSPs that have achieved and demonstrated FedRAMP Moderate equivalency, defense contractors must exercise extreme caution before choosing a CSP that claims to be “FedRAMP equivalent.”
The problem is that, as outlined above, proving equivalency is a complex and stringent process that many CSPs may not have fully completed. For example, some providers attempt to shortcut the process by asserting that their use of a FedRAMP-authorized environment, such as AWS GovCloud, automatically makes their services FedRAMP equivalent. That’s not true, and this falsehood can easily jeopardize the compliance efforts of any defense contractor that aims to become CMMC certified.
In reality, the use of infrastructure like AWS GovCloud does not transfer FedRAMP authorization to the services offered by a CSP. The CSP itself must obtain an ATO or demonstrate full compliance with FedRAMP Moderate requirements.
Needless to say, selecting a CSP based on unverified claims of FedRAMP equivalency can lead to non-compliance with CMMC requirements, resulting in potential penalties, loss of contracts, and increased risk of data breaches. That’s why the safest and most straightforward path to compliance is to choose a CSP that is FedRAMP Moderate Authorized and listed on the official FedRAMP Marketplace.
Conclusion
The selection of a CSP is critical in the journey to achieving CMMC compliance. While CMMC allows the use of FedRAMP-equivalent CSPs, proving equivalency is a complex and stringent process, which is why misleading claims of FedRAMP equivalency can be found in the wild and easily trap defense contractors into non-compliance. We at OSIbeyond believe that the risk of going with a CSP claiming FedRAMP equivalency isn’t worth it, given that the FedRAMP Marketplace exists and makes it easy to identify and select fully authorized providers.
For more information, download the DoD Contractor’s Guide to CMMC 2.0 Compliance.