Must read for anyone with DFARS 252.204-7012 in their contract!
FedRAMP equivalent is defined for DFARS 252.204-7012
Summary: FedRAMP Equivalency, as used in DFARS 252.204-7012, means that the cloud provider has been third-party-validated, with a full audit, by a FedRAMP Third Party Assessment Organization, to have implemented every control from the FedRAMP Moderate baseline.
How does the memo apply to DFARS 252.204-7012?
“(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
What are some requirements for FedRAMP equivalency?
“To be considered FedRAMP Moderate equivalent, [Cloud Service Offerings] CSOs must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization…”
And they must provide a body of evidence to the contractor:
- System Security Plan
- Control Implementation Summary (CIS) Workbook (this is the Shared Responsibility Matrix)
- Security Assessment Plan
- Security Assessment Report performed by a 3PAO
- Plan of Actions and Milestones
And they must support 252.204-7012 (d-g):
- Cyber incident reporting
- Malicious software preservation
- Media preservation and protection
- Access to additional information and equipment for forensic analysis
- Cyber incident damage assessment
Is FedRAMP “equivalent” harder than regular FedRAMP?
In short, yes! With regular FedRAMP authorization, a cloud provider can be authorized and still have some requirements not implemented. In contrast, a provider that is seeking “equivalency” must have every single requirement implemented.
Why is equivalent harder?
Full FedRAMP authorization involves having a senior authorizing official from the government determine whether risk from that cloud is acceptable. That authorizing official is a trusted person (an information assurance manager with the best interests of the U.S. Government and National Security in mind). The official reviews all reported vulnerabilities and POA&Ms for the cloud and makes an intelligent decision about whether or not to accept them. If the thought process behind the POA&M makes sense to them, they can authorize a cloud even if it has vulnerabilities.
With equivalency, there is no senior authorizing official from the government. The DoD cannot assume that anyone in this process has the best interests of the U.S. Government or national security in mind. Because they can’t trust anyone’s judgement in the equivalency process to review and accept risks, they simply say that no risks are allowed.
In short, FedRAMP “equivalent” requires perfect implementation of all FedRAMP Moderate baseline controls because the DoD is trying to make FedRAMP equivalency a self-service option. For the folks following CMMC, this thought process by the DoD probably seems eerily familiar. Perfect implementation of all cybersecurity requirements, anyone?
What about an equivalent cloud hosted on another cloud platform?
It is common for clouds to be hosted on another cloud.
For example, a SaaS cloud (FedRAMP equivalent) might be installed as a series of virtual compute objects inside of an IaaS cloud.
During the 3PAO assessment, the security controls provided by the IaaS cloud (such as physical protection of the datacenter) would be verified. Typically, the SaaS cloud would “inherit” controls from the IaaS cloud. The assessor would review the FedRAMP audit reports for the IaaS cloud to verify that the controls are performed and shared responsibilities are upheld.
The body of evidence for the SaaS cloud, even if FedRAMP “equivalent”, should be all that is needed to verify compliance for the SaaS cloud from this memo’s perspective. The body of evidence would include a 3PAO verification of dependencies from the IaaS cloud.
What if my cloud says they are FedRAMP “equivalent” or “compliant” with no body of evidence?
In almost all cases, if your cloud vendor is not listed in the fedramp.gov marketplace, they don’t match the memo’s definition of equivalent.
SaaS clouds that are built on a FedRAMP IaaS or PaaS cloud are not inherently FedRAMP equivalent. Even the fedramp.gov website says that in the FAQ section.
“Q: If a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) resides on a FedRAMP Authorized Infrastructure-as-a-Service (IaaS), does that mean it is also FedRAMP Authorized?
A: No, using a FedRAMP Authorized infrastructure does not automatically make your service FedRAMP compliant. Each layer (i.e., IaaS, PaaS, and SaaS) must be evaluated on its own and become FedRAMP Authorized. However, when your software sits on a FedRAMP Authorized infrastructure, it will inherit controls from that authorized system and you can explain this in your documentation.”
There are a lot of cloud vendors who’ve been telling their DoD contractors “we’re equivalent” or “we’re compliant” and they are NOT.
Even if they say that they were assessed by a 3PAO, if they can’t give you a system security plan and audit report showing that the assessed cloud network matches the scope of services that you are using, they are a bad actor. Beware.
What if my cloud service provider is not FedRAMP equivalent?
Start taking action today. At the least, reach out and tell your clouds that they need to articulate a timeline for reaching equivalency. This is already affecting your compliance with DFARS 252.204-7012 and will affect Joint Surveillance Voluntary Assessments, which validate compliance with DFARS 252.204-7012.
FedRAMP equivalent for CMMC?
What about CMMC assessment? Interestingly, the CMMC Proposed Rule has different criteria for FedRAMP equivalent. Will the CMMC Proposed Rule (written before this memo) be revised to match the memo? My bet is yes.
Video – review of the FedRAMP memo
Amira Armond (Certified CMMC Assessor and Instructor) and Jonathan Weadon (Certified CMMC Professional) from Kieri Solutions discuss the memo and the background behind it.