Cloud service providers, FedRAMP “Equivalency” and CMMC

If you’re uncertain about the definition of a cloud service provider (CSP) within the context of the Cybersecurity Maturity Model Certification (CMMC), or if you utilize a CSP that handles controlled unclassified information (CUI), this article could provide useful insights. It covers what a CSP is in CMMC, requirements for CSPs under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the Department of Defense (DOD) FedRAMP Equivalency Memo and the DOD’s CMMC proposed rule and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC’s) expectations for CSPs. 

What is CSP in CMMC?

The definition of a CSP from the proposed CMMC rule issued in December of 2023 is:

“CSP is defined as an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.” [1]

Many contractors leverage cloud solutions for a variety of reasons, such as sharing information through applications, hosting platforms or managing their entire DOD program’s in-scope environment. If a contractor chooses to use a CSP, the DOD has defined requirements that apply today, as well as additional requirements that are likely to apply in the future.

While some organizations argue they aren’t CSPs because they are not infrastructure as a service (IAAS) or platform as a service (PAAS), the definition of CSP clearly includes both software and applications. 

DFARS 252.204-7012 requirements

The DOD has defined the following CSP requirements for contractors in their contracts via DFARS 252.204-7012: 

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) [2]. Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment" [2].

Although the inclusion of this clause in many DOD contracts dates to 2017, the exact meaning of “equivalent” remained unclear until the release of the DOD FedRAMP Equivalency Memo in January 2024, highlighted below. Without guidance, many CSPs claim their products are FedRAMP equivalent based on their own definitions or their reliance on Amazon Web Services (AWS) or Azure infrastructure - both of which are FedRAMP authorized. 

Additionally, some confusion surrounds CMMC requirements as all contract managed systems must adhere to the requirements of National Institute of Standards and Technology (NIST) SP 800-171 Revision 2. Some CSPs claim compliance to the DOD’s requirements by adhering to NIST SP 800-171 Revision 2 instead of FedRAMP. However, as we will highlight below, all CSPs in-scope must implement FedRAMP moderate requirements to be considered compliant, regardless of DFARS or CMMC mandates.

The DOD equivalency memo

Due to the lack of definition for “equivalent” in the DFARS documentation, the DOD issued a memo in January of 2024 to explain what they meant by “equivalent to FedRAMP moderate”. It reads as follows: 

“To be considered FedRAMP Moderate equivalent, Cloud Service Offerings (CSOs) must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP recognized Third Party Assessment Organization (3PAO) and present the following body of evidence (BoE):  

System Security Plan (SSP) 

• Information Security Policies and Procedures (covering all control families)
• User Guide 
• Digital Identity Worksheet 
• Rules of Behavior (RoB) 
• Information System Contingency Plan (ISCP) 
• Incident Response Plan (IRP) 
• Configuration Management Plan (CMP) 
• Control Implementation Summary (CIS) Workbook 
• Federal Information Processing Standard (FIPS) 199 
• Separation of Duties Matrix 
• Applicable Laws, Regulations, and Standards 
• Integrated Inventory Workbook 

System Assessment Plan (SAP) 

• Security Test Case Procedures 
• Penetration Testing Plan and Methodology conducted annually and validated by a FedRAMP-recognized 3PAO 
• FedRAMP-recognized 3PAO Supplied Deliverables (e.g., Penetration Test Rules of Engagement, Sampling Methodology) 

Security Assessment Report (SAR) performed by a FedRAMP-recognized 3PAO 

• Risk Exposure Table 
• Security Test Case Procedures 
• Infrastructure Scan Results conducted monthly and validated annually by 3PAO 
• Database Scan Results conducted monthly and validated annually by a FedRAMP-recognized 3PAO 
• Auxiliary Documents (e.g., evidence artifacts)
• Penetration Test Reports

Plan of Action and Milestones (POA&M) 

• Continuous Monitoring Strategy (required by CA-7) 
• Continuous Monitoring Monthly Executive Summary, validated annually by a FedRAMP-recognized 3PAO” [3]

This definition helped to state the requirements and remove any confusion about what “equivalency” meant. 

DOD CMMC proposed rule 

Additionally, the December 2023 CMMC proposed rule further confirmed FedRAMP is required for CSPs by stating the following:  

“(5) Assessment of Cloud Service Provider. Organizations Seeking Certification (OSCs) may use a FedRAMP Moderate (or higher) cloud environment to process, store, or transmit CUI in execution of a contract or subcontract with a requirement for CMMC Level 2 under the following circumstances: (i) The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or (ii) The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. Equivalency is met if the Organizations Seeking Assessment (OSA) has the CSP’s SSP or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix (CRM) that summarizes how each control is MET and which party is responsible for maintaining that control that maps to the NIST SP 800–171 Revision 2 requirements.” [4] 

Although the proposed rule may evolve, and the DOD might adjust their equivalency memo based on feedback, it is increasingly clear at the time of this article that FedRAMP Moderate or equivalent is the requirement for all CSPs in contractors’ scope for DFARs or CMMC. 

DIBCAC expectations 

To achieve CMMC Level 3 certification, contractors must undergo an assessment by the DIBCAC against NIST SP 800-171 Revision 2. Additionally, all in-scope CSPs must be evaluated against FedRAMP Moderate. Recently, a contractor assisted by Baker Tilly faced this challenge and checked the FedRAMP marketplace for each of its in-scope CSPs. If a CSP was not listed, the contractor requested the BoE outlined in the DOD equivalency memo. A CSP lacking all BoE elements is not FedRAMP Moderate or equivalent, which would lead to a failed DIBCAC assessment. For instance, one of the contractor’s CSP had most BoE elements but inherited some FedRAMP requirements from Azure, falling short of 100% compliance. Ironically, the CSP could obtain FedRAMP authorization with Plan of Action and Milestones (POA&Ms) but not equivalence. Baker Tilly is working with the contractor to plead the CSP’s case to the DIBCAC.  

When dealing with CSPs for compliance or vendor selection, remember that mere claims of FedRAMP status are not enough. While a CSP may claim they are FedRAMP, if they don’t follow the letter of the DOD Equivalency Memo, they are not FedRAMP equivalent. The DOD Equivalency Memo mandates 100% compliance with the FedRAMP Moderate, assessed by a 3PAO.  

Sources

[1] Federal Register : Cybersecurity Maturity Model Certification (CMMC) Program with reference to: CISA Cloud Security Technical Reference Architecture (December 2023)
[2]MEMORANDUM FOR (osd.mil) (May 2024)
[3] FEDRAMP-EquivalencyCloudServiceProviders.pdf (defense.gov) (December 2023)
[4] 2023-27280.pdf (govinfo.gov) (December 2023)