Although it is premature to speculate on how much flexibility contractors and CSPs might have with respect to the DFARS 7012 requirement, early indications suggest that there will be little to no flexibility. The terms “meets” and “equivalent” by their very nature aren’t conducive to wiggle room. The DoD Procurement Toolbox Cybersecurity FAQ questions 110 through 117 provide commentary on the DFARS requirement concerning cloud systems, and their comments shed some light on how to interpret these terms. See, for example, the following verbiage:
- A113. Cloud systems handling CUI must “meet the same set of requirements” as a “CSP service authorized/approved by the FedRAMP program”
- A115. “The CSP meets the FedRAMP Moderate baseline security requirements”
- A116. “The CSP has to meet all of the requirements equivalent to the FedRAMP Moderate Baseline”
This language implies that the word “equivalent” doesn’t really provide any wiggle room. The security requirements that must be followed are the FedRAMP moderate baseline exactly as it has been defined by the FedRAMP PMO. The word “meets” doesn’t provide much wiggle room either, since DoD clarifies that they expect “all of the requirements” to be addressed. The Rev 4 FedRAMP moderate baseline contains 325 controls, but most of those controls contain parts (e.g., a through g) and some of those parts contain subparts (e.g., a.1 and a.2). Does DoD really expect that CSPs have to address every part and sub-part of all 325 controls? That would seem to be unrealistic. Even FedRAMP authorized systems, which presumptively meet the DFARS 7012 requirement, do not fully address everything. However, there is not much leeway either. Unfortunately, it’s not entirely clear at this point exactly how much flexibility there is. CSPs should expect DoD to be skeptical and risk averse. If a CSP’s security control assessment indicates that there are five high risk findings and 15 moderate risk findings, it seems unlikely that the DoD or a CMMC C3PAO would consider the CSP to have met the requirements. At the very least, CSPs should expect that even a single high risk finding, or more than a very few moderate risk findings, will be treated as a red flag to be investigated further. The safest approach, of course, is to be very conservative and aim to address everything except a very few (e.g., fewer than 10) moderate-risk and a few low-risk findings.
In addition, CSPs should pay attention to the FedRAMP baseline controls that correspond to 800-171 controls that DoD has rated as potentially leading to significant risk of exploitation or exfiltration. These controls are important because DoD has indicated that systems handling CUI cannot pass a CMMC assessment unless these controls are fully implemented with no POA&Ms. It is reasonably likely that these controls will also need to be fully addressed in order to “meet” the FedRAMP moderate baseline. The FedRAMP moderate baseline is intended to provide a more rigorous standard in order to mitigate the increased risk of handling CUI in the cloud. Therefore, if full implementation of these significant-impact controls is needed to pass an assessment using the lesser standard for CMMC, it stands to reason that these controls must be fully implemented to meet the requirements of the more robust standard for FedRAMP equivalency as well. For that reason, SecureIT recommends that CSPs fully implement all FedRAMP baseline controls that correspond to the significant-impact 800-171 controls. The significant-impact 800-171 controls are rated with a value of “5” in the Scoring Template that is included as Annex A within the NIST SP 800-171 DoD Assessment Methodology. There are forty-four 800-171 controls that are scored with a “5” value due to the significant risk of exploitation or exfiltration. These forty-four 800-171 controls can be mapped to the 800-53 controls that are part of the FedRAMP moderate baseline using the Appendix D Mapping Tables within NIST SP 800-171r2. CSPs should fully meet all FedRAMP moderate baseline controls that map to one of the 800-171 controls that has been rated as a “5” by DoD’s scoring methodology.
Additional guidance on DFARS and FedRAMP Moderate Equivalency is coming via a SecureIT CMMC FAQ eBook. Check here occasionally for details.