By Greg Kent, Senior Vice President, CTO
A previous blog discussed the latest guidance from DoD and the Cyber AB in the draft CMMC Assessment Process (CAP) document. Specifically, CSPs need to address both criteria defined in the CMMC CAP:
(1) documenting an SSP that attests to the compliance status, describes how the requirement is addressed, and clarifies the control responsibilities (either in the SSP or an attached matrix) for each security requirement of the FedRAMP moderate baseline, and
(2) engaging a FedRAMP-recognized 3PAO to perform a security assessment and provide an attestation regarding the cloud system meeting requirements of the FedRAMP moderate baseline as documented in the SSP
CSPs should anticipate that the DoD or CMMC C3PAO will perform some level of review of the documentation provided for each of these requirements. It is unlikely that an attestation letter from a 3PAO asserting simply that the CSP meets the requirements will be accepted at face value. For example, CSPs should expect to provide not only a cover letter, but also the detailed security assessment report with findings. If the assessment report contains many significant findings, it is unlikely that the DoD or CMMC C3PAO will consider the cloud system to “meet” the security requirements equivalent to the FedRAMP moderate baseline. CSPs should also expect that the DoD or CMMC C3PAO will perform spot-checks on the SSP documentation. If the SSP does not contain sufficient detail to show how the security requirements are addressed (or fails to clarify control responsibilities) or, for example, fails to address the requirements listed in control PL-2 of the FedRAMP moderate baseline, then the DoD or CMMC C3PAO will be unlikely to consider the CSP as in compliance, regardless of the 3PAO’s assessment results. The CSP should also be mindful of ensuring that their assessor has sufficient independence. If the CSP engages a 3PAO as an advisor to assist them in preparing to meet the security requirements, then that 3PAO is precluded from doing the assessment. Another 3PAO must be engaged for that assessment and attestation.
DoD contractors using cloud services for the storage, processing, or transmission of CUI are ultimately accountable for ensuring that the requirements of the DFARS clause are addressed, including ensuring that the cloud systems used for handling CUI meet security requirements equivalent to the FedRAMP moderate baseline. If a DoD DIBCAC assessor or CMMC C3PAO determines that the CSP does not meet the requirements, the DoD contractor will fail their assessment and experience all the negative consequences that entails. The easiest way to comply with the DFARS requirement for cloud computing is to use only FedRAMP authorized cloud services for handling CUI. The FedRAMP Marketplace lists cloud services that are involved with the FedRAMP program. Only services that have a status of authorized at the moderate or high impact levels will meet the requirements of DFARS. Since the control compliance of these CSPs is overseen through the FedRAMP process, contractor can be assured of compliance.
If using non-FedRAMP-authorized cloud services to handle CUI, the contractor needs to ensure that the two criteria identified in the CMMC CAP are addressed. Contractors should coordinate with the CSPs that they are using for CUI to ensure that progress is underway to address the requirements, as many CSPs are not aware of what they should do. Synchronizing timing is also important. If a contractor needs to start an assessment in 9 months to get a contract, but their cloud provider needs 18 months to become compliant with FedRAMP moderate, identifying this significant problem as early as possible can help determine a workaround. Because accountability for compliance and the down-side risk lies with the contractor, it is crucial for contractors to provide oversight. Early in the process, contractors should make sure they understand how their CSPs are preparing for their assessment and look for early warning signs. For example, a contractor might want to ask their CSP if a FedRAMP-recognized 3PAO has been engaged as an advisor to help ensure that concerns are identified and addressed before the assessment. If the CSP has decided to try to figure out FedRAMP on their own, that may raise a red flag to the contractor that there could be trouble ahead. Similarly, when the CSP has produced the SSP and obtained an assessment/attestation report, DoD contractors should review the documentation package produced by their CSP to see if it appears sufficient and reasonably likely to check the box for both criteria when reviewed by the DoD or CMMC assessor. If the contractor determines that the body of evidence supplied by the CSP fails to describe with sufficient detail how the control is met or fails to define adequately the customer control responsibilities for controls, then corrections need to be made before the documentation is ready to be shared with the DoD or CMMC assessor.
DoD contractors should also take a careful look from another perspective at the customer responsibilities defined by their CSPs. As customers using the cloud service, DoD contractors need to make sure that they have implemented sufficient controls to meet the relevant customer responsibilities defined by the CSP. Contractors should reconcile the controls that they have implemented with respect to the cloud service and the customer responsibilities that the CSP has defined on paper. Any disconnects need to be addressed. It is worth emphasizing that DoD contractors need to make sure they are fulfilling their relevant control responsibilities as customers using the cloud server. This includes many, but not necessarily all, of the control responsibilities identified the CSP. The DoD Procurement Toolbox Cybersecurity FAQ question A116 clarifies that DoD contractors must implement the customer responsibility for any control that requires a “reciprocal implementation by the client for the CSP’s control to be effective.” For example, the CSP may have a control to queue-up patches and updates to systems that they manage, but the actual deployment of the patch or update may depend on the customer setting a time window when the patch can be deployed. Until the customer defines the time for applying the patch, it won’t be applied—the customer’s responsibility is critical for the effectiveness of the control for the cloud system. Therefore, DoD contractors using the cloud system must perform their reciprocal responsibility as customers of the cloud system. However, DoD’s answer A116 also indicates that DoD contractors do not need to implement customer responsibilities for “FedRAMP requirements that are unrelated to NIST SP 800-171 requirements.”
More specifically, DoD states that if the particular FedRAMP requirement (a control from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations) is not mapped to a NIST SP 800-171 requirement in Appendix D of NIST SP 800-171, it need not be applied by the client. When the FedRAMP control is mapped to a NIST SP 800-171 requirement, only the actual NIST SP 800-171 requirement need be implemented, which may be somewhat different than its mapped NIST 800-53 control.
An example may help clarify that point. FedRAMP control CP-7(1) requires that an alternate processing site be sufficiently separated from the primary site to preclude both sites from being impacted by the same event. An Infrastructure as a Service (IaaS) provider may provide the technical capability to provide such separation (e.g., AWS multi-availability zones with cross-region replication), but it’s ultimately up to the cloud customer to provision their resources in a way that leverages that capability to address the control. Therefore, the CSP’s FedRAMP SSP or customer responsibility matrix may indicate the customer is responsible for choosing multiple regions with sufficient geographic separation when they provision their resources in the cloud system’s console. Even though the CSPs will list this requirement as a customer responsibility, DoD contractors do not need to implement it. Control CP-7(1) relates to availability and therefore is not directly related to protecting the confidentiality of data, so it has been excluded by NIST from the 800-171 control requirements for CUI. Because the control is out of scope for 800-171, the contractor does not need deploy their cloud services to extend across regions.
Although there is no explicit requirement for DoD contractors to document the controls they perform as customers of a cloud service within their SSP, doing so helps ensure that the contractor remembers to implement the controls and helps demonstrate to an assessor that neither side has dropped the ball. SecureIT generally recommends that contractors include within their SSP any control procedures they are responsible for as customers of a cloud service utilized for handling CUI.
If contractors are presently storing, processing, or transmitting CUI in cloud systems (rather than merely planning to do in the future), there is greater urgency to get this problem resolved as soon as possible. Unlike CMMC requirements, which won’t be included in DoD contracts for some time yet, the DFARS 7012 requirements have been mandated in all DoD contractors for the last several years. DoD contractors that presently use cloud systems to handle CUI are already in violation of their contractual obligations unless their CSPs meet security requirements equivalent to the FedRAMP moderate baseline.
DoD’s latest guidance has been useful in clarifying the expectation about an attestation by an independent, credible, and professional third-party assessor like a FedRAMP-recognized 3PAO. Additional questions remain unanswered because the current version of the CMMC Assessment Process (CAP) document is a draft that is pending finalization with DoD and therefore is subject to change. As DoD and the Cyber AB further clarifies their requirements and expectations, SecureIT will update this blog.
Looking for a trusted compliance advisory to steer your company to CUI security confidence? SecureIT understands that navigating compliance requirements can be difficult and disruptive to business. SecureIT partners with our customers serving as core members of your compliance team. Our team approach helps companies achieve their compliance objectives while saving time and letting you focus on your core mission. Contact us today to learn more.