By Les Buday, Managing Director

FedRAMP Moderate Equivalency is Born

In October of 2016, the Department of Defense (DoD) issued Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 which, in part, includes considerations for cloud service providers (CSPs) used by DoD contractors to store, process, or transmit covered defense information (CDI)/controlled unclassified information (CUI). In short, this regulation stipulates that DoD contractors must require and ensure that the CSP meets security requirements equivalent to those within the FedRAMP Moderate baseline. For many of us involved in helping the Defense Industrial Base (DIB) comply with the myriad cybersecurity requirements and regulations they must contend with, understanding how best to “require and ensure” that CSPs meet equivalency to this FedRAMP standard has been a challenge. One approach taken by DoD contractors has been to incorporate contractual clauses in their agreements with their CSPs requiring them to meet the FedRAMP Moderate baseline security requirements. Others have asked their CSPs to provide either a self-attestation of compliance or a “report of compliance” from an independent third-party assessment. Regardless of the tack taken, the underlying criteria for being “FedRAMP Moderate Equivalent” were still ill-defined.

DoD offers insight into how CSPs could demonstrate Equivalency: the SSP and the CRM

In late 2021, DoD issued clarification in its Procurement Toolbox Cybersecurity FAQ, Questions 110-117, covering requirements for cloud systems, with Question 115 specifically addressing CDI/CUI handling by CSPs. The DoD guidance indicated that CSPs can provide a body of evidence (BOE) that describes how they meet the FedRAMP Moderate baseline and suggests using a System Security Plan (SSP) to do so. The SSP would document the system environment, system responsibilities, and the current status of the FedRAMP Moderate baseline controls. For shared responsibility models, a Customer Implementation Summary or Customer Responsibility Matrix (CIS/CRM) summarizes how each control is met and which party (CSP or customer) is responsible for maintaining each control.

Furthermore, the DoD referenced the SSP and CIS/CRM FedRAMP templates in their guidance to provide examples of the type of security control information that CSPs would need to provide. DoD also clarified the four areas that would need to be addressed by CSPs in the BOE they submit:

  1. The SSP must plainly attest to the current implementation status of the FedRAMP Moderate controls, including whether the controls are fully implemented, partially implemented, or planned.
  2. The SSP must describe how the controls are implemented. It is not sufficient to merely attest that controls are implemented; CSPs must include descriptions of security practices, processes, and tools that are in place to meet requirements.
  3. The SSP must describe the system environment with narrative and graphical depictions of the system boundary, key devices and components within the boundary, and any system interconnections.
  4. Responsibility for controls must be clearly delineated because controls can be implemented by the CSP, inherited from another CSP (for example, a SaaS inheriting controls from AWS), deferred to the CSP’s customers, or shared by multiple parties. Defining who is responsible for each element of a control helps ensure that all parties share a common understanding of responsibilities. These responsibilities can be documented in the SSP or in a CIS/CRM attached to the SSP.


The Cyber AB Introduces a New Notion: Attestation from a FedRAMP 3rd Party Assessor (3PAO)

In July 2022, the Cyber AB released an initial draft version (v 1.0) of its CMMC Assessment Process (CAP) guide. While this guide was wholly developed by the Cyber AB [the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem that oversees CMMC conformance], it was reviewed and endorsed by the DoD. Within the CAP was additional insight on how the DoD was going to determine FedRAMP Moderate Equivalency. Not only does this guide confirm the need for a CSP to provide an SSP and CRM as key elements of their BOE – consistent with what the DoD had previously identified through its Procurement Toolbox – but it also introduces the notion that “a FedRAMP Third-Party Assessment Organization (3PAO)…may serve in this role to attest to the credibility of the [CSP’s] body of evidence”. The specific mention of using a 3PAO to attest to the CSP’s BOE makes a lot of sense, given that FedRAMP 3PAOs are formally recognized by the FedRAMP PMO as having the necessary FedRAMP knowledge and skills to perform security assessments of cloud systems. As such, they are qualified from both a credibility and a professional perspective to attest to meeting FedRAMP Moderate equivalency and to the validity of the CSP’s SSP.

The DoD Makes it Official: Defining the Criteria to Meet FedRAMP Moderate Equivalency

In December of 2023, the DoD finally released official guidance on how CSPs housing DoD contractor CUI would need to demonstrate meeting FedRAMP Moderate Equivalency. This official guidance comes in the form of a DoD Memorandum entitled “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings”.

Based on the information in that memorandum, the DoD has determined that for a CSP to be considered FedRAMP Moderate equivalent, it must achieve 100 percent compliance with the latest FedRAMP Moderate security control baseline through an assessment conducted by a 3PAO and present the body of evidence (BoE) found in the list below:

System Security Plan (SSP)

  • Information Security policies and procedures (covering all control families)
  • User Guide
  • Digital Identity Worksheet
  • Rules of Behavior (RoB)
  • Information System Contingency Plan (ISCP)
  • Incident Response Plan (IRP)
  • Configuration Management Plan (CMP)
  • Control Implementation Summary (CIS) Workbook
  • Federal Information Processing Standard (FIPS) 199
  • Separation of Duties Matrix
  • Applicable Laws, Regulations, and Standards
  • Integrated Inventory Workbook

Security Assessment Plan (SAP)

  • Security Test Case Procedures
  • Penetration Testing Plan and Methodology conducted annually and validated by a FedRAMP-recognized Third Party Assessment Organization (3PAO)
  • FedRAMP-recognized 3PAO Supplied Deliverables (e.g., Penetration Testing Rules of Engagement, Sampling Methodology)

Security Assessment Report (SAR) performed by a FedRAMP-recognized 3PAO

  • Risk Exposure Table (RET)
  • Security Test Case Procedures [and Results]
  • Infrastructure Scan Results conducted monthly and validated annually by [FedRAMP-recognized] 3PAO
  • Database Scan Results conducted monthly and validated annually by a FedRAMP-recognized 3PAO
  • Web [application] scan results conducted monthly and validated annually by a FedRAMP-recognized 3PAO
  • Container scan results conducted monthly and validated annually by a FedRAMP-recognized 3PAO
  • Auxiliary Documents (e.g., evidence artifacts)
  • Penetration Test Reports

Plan of Action and Milestones (POA&M)/Continuous Monitoring

  • Continuous Monitoring Strategy
  • Continuous Monitoring Monthly Executive Summary, validated annually by a FedRAMP-recognized 3PAO
  • A POA&M with all findings closed and validated by a 3PAO

What Happens Next?

DoD’s latest guidance has eliminated a lot of the conjecture, assumptions, and varying interpretations of what constitutes meeting FedRAMP Moderate Equivalency that have been floating around the industry since it was first introduced back in 2016. Of course, with this latest “official” clarification from the DoD come more questions from industry on the challenges of generating the BoE, the process for a CSP being deemed as “meeting equivalency”, and the way forward for CSPs to maintain that designation once achieved. SecureIT dives into some of these questions, along with providing our own observations around what happens next for CSPs supporting DoD contractors as CMMC rapidly approaches its formal release and implementation across the DIB.

Overwhelmed? SecureIT understands that navigating compliance requirements can be difficult, especially when you don’t have compliance experts on staff. SecureIT partners with our customers, serving as key members of their FedRAMP and CMMC expert team. Our team approach helps companies achieve their compliance objectives while saving time and letting you focus on your core mission. Contact us today to learn more.