Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
CMMC 2.0 & "FedRAMP Equivalent": How to get there.
DOD contractors entrusted with Controlled Unclassified Information (CUI) in performance of their contract for the Department of Defense will have to comply with the requirements of CMMC 2.0 after it is finalized. In the meantime, there are other regulations regarding CUI that DOD contractors must comply with now, in particular DFARS clause 252.204-7012, which states:
"If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline …"
In short, this clause requires DOD contractors to ensure that “FedRAMP equivalent” controls are in place for any cloud service offering (CSO) they use that handles CUI. The two ways to ensure FedRAMP equivalence are:
01. FedRAMP Authorization
If the CSO is also used directly by federal agencies, then it is possible for the Cloud Service Provider (CSP) to achieve a FedRAMP authorization for the CSO. A FedRAMP authorization definitely satisfies the DFARS requirement, but it is only possible with the sponsorship of a federal agency customer.
02. FedRAMP Attestation
If the CSO is not used by any federal agencies, it is not possible for the CSO to obtain a FedRAMP authorization. In this case, the best way to ensure FedRAMP equivalence is to have a Third Party Assessment Organization (3PAO) perform a FedRAMP Moderate audit of the CSO and provide an attestation that the FedRAMP controls are implemented.
03. The Project Hosts FasTrack
Project Hosts has developed a FasTrack approach to either authorization or attestation. For both paths, we first work with the CSP to understand their CSO and identify any gaps in FedRAMP compliance. We then tie their system into Project Hosts’ FedRAMP-authorized GSS One PaaS, so that the CSO can simply inherit the majority of FedRAMP controls. After ensuring that all remaining controls are implemented, we write the System Security Plan (SSP) for the CSO, engage the 3PAO auditor, and manage the audit on the CSP’s behalf. From start to finish, the attestation FasTrack takes about six months.