By Greg Kent, Senior Vice President, CTO
DoD contractors using a cloud service provider (CSP) to store, process, or transmit covered defense information (CDI)/controlled unclassified information (CUI) must require and ensure that the CSP meets security requirements equivalent to those within the FedRAMP Moderate baseline. Since DFARS clause 252.204-7012 section (b)(2)(ii)(D) was finalized, many contractors have been struggling to understand how best to “require and ensure” that their CSPs meet the new requirements. Some opted for contractual clauses requiring their CSPs to meet the FedRAMP Moderate baseline security requirements. Others required CSPs to provide either self-attestations of compliance or reports of independent third-party assessments.
SSP and CIS/CRM: CSPs Should Provide an SSP and Clarify Control Responsibilities
In late 2021, DoD issued clarification in its Procurement Toolbox Cybersecurity FAQ, Questions 110-117, covering requirements for cloud systems, with Question 115 specifically addressing CDI/CUI handling by CSPs. The DoD guidance indicates that CSPs can provide a body of evidence (BOE) that describes how they meet the FedRAMP Moderate baseline and suggests using a System Security Plan (SSP) to do so. The SSP would document the system environment, system responsibilities, and the current status of the FedRAMP Moderate baseline controls. For shared responsibility models, the BOE should also include a Customer Implementation Summary or Customer Responsibility Matrix (CIS/CRM) that summarizes how each control is met and which party (CSP or customer) is responsible for maintaining each control.
While the DoD guidance references the FedRAMP SSP and CIS/CRM templates, those templates are not required; they are cited as examples of the type of security control information that CSPs need to provide. DoD has clarified that four areas need to be addressed by CSPs in the BOE they submit:
- The SSP must plainly attest to the current implementation status of the FedRAMP Moderate controls, including whether the controls are fully implemented, partially implemented, or planned.
- The SSP must describe how the controls are implemented. It is not sufficient to merely attest that controls are implemented; CSPs must include descriptions of security practices, processes, and tools that are in place to meet requirements.
- The SSP must describe the system environment with narrative and graphical depictions of the system boundary, key devices and components within the boundary, and any system interconnections.
- Responsibility for controls must be clearly delineated because controls can be implemented by the CSP, inherited from another CSP (for example, a SaaS inheriting controls from AWS), deferred to the CSP's customers, or shared by multiple parties. Defining who is responsible for each element of a control helps ensure that all parties share a common understanding of their responsibilities. These responsibilities can be documented in the SSP or in a CIS/CRM attached to the SSP.
Attestation from FedRAMP 3PAO
In July 2022, a draft of the CMMC Assessment Process (CAP) was released that provided additional clarification of requirements for DoD contractors and CSPs. In addition to the SSP and CIS/CRM documents, an assessment and attestation of the SSP by an "independent, credible, and professional source" is required. Only independent assessors can be used; any firm or individual that has provided advisory or implementation support to the CSP has a conflict of interest and cannot perform the assessment. FedRAMP 3PAOs are formally recognized by the FedRAMP PMO as having the FedRAMP knowledge and skills needed to perform security assessments of cloud systems, so they are qualified from both a credibility and a professional perspective. They are also the only parties the CAP draft recognizes as permitted to attest to FedRAMP equivalency and to the validity of the CSP's SSP.
Additionally, DoD contractors and CSPs should consider the experience that a specific FedRAMP 3PAO brings to an assessment. Two-thirds of the 3PAOs listed on the FedRAMP Marketplace have performed fewer than three assessments, and 40% of the 3PAOs listed have not performed any. It remains unclear whether such inexperienced 3PAOs would meet the DoD requirement for "credible, professional" assessors, since credibility comes with experience. A good rule of thumb is to select a FedRAMP 3PAO with more than five completed assessments; at the time of writing, the FedRAMP Marketplace lists eight 3PAOs that meet this threshold.
DoD's latest guidance has been useful in clarifying the expectation of an attestation by an independent, credible, and professional third-party assessor such as a FedRAMP-recognized 3PAO. Additional questions, however, remain unanswered. It is worth noting that the current version of the CMMC Assessment Process (CAP) document is a draft pending finalization with DoD and is therefore subject to change. As DoD and the Cyber AB further clarify their requirements and expectations, SecureIT will update this blog. In the meantime, you can also review our complete FedRAMP Moderate Equivalency FAQ for more answers.
Overwhelmed? SecureIT understands that navigating compliance requirements can be difficult especially when you don’t have compliance experts on staff. SecureIT partners with our customers serving as key members of their FedRAMP and CMMC expert team. Our team approach helps companies achieve their compliance objectives while saving time and letting you focus on your core mission. Contact us today to learn more.