As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This raises the question: what counts as equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.
The memorandum first establishes that if a CSP is already authorized at the FedRAMP Moderate level under the existing FedRAMP process, then the CSP is permitted to store, process, and transmit CDI. This provides a powerful incentive for contractors to use CSPs that are FedRAMP authorized—they have already been approved by the Government.
If the CSP is not FedRAMP authorized, the CSP can still store, process, and transmit CDI if it meets security requirements equivalent to those of the FedRAMP Moderate baseline. To achieve this equivalency, a FedRAMP-recognized Third Party Assessment Organization (“3PAO”) must verify annually that the CSP meets all FedRAMP Moderate security controls. The CSP must also provide the contractor with a body of evidence (“BoE”) that further confirms the CSP meets the FedRAMP Moderate security requirements. The BoE must include the following:
- System Security Plan;
- Security Assessment Plan;
- Security Assessment Report performed by a FedRAMP-recognized 3PAO; and
- Plan of Action and Milestones (“POA&M”)—if the 3PAO assessment results in an open POA&M, the CSP must implement and close out the POA&M before it can achieve FedRAMP Moderate equivalency.
The memorandum makes clear that the onus is on the contractor to validate that the BoE meets the FedRAMP Moderate equivalency standards outlined in the memorandum (i.e., that the BoE contains the documents and information identified in DoD’s memorandum). By contrast, FedRAMP-authorized CSPs have already been approved by the Government, eliminating the need for contractors to monitor their CSPs, and the BoEs they submit, for compliance with the FedRAMP Moderate security controls. In selecting a CSP, contractors should carefully weigh the costs and benefits of using a FedRAMP Moderate-authorized CSP versus a CSP that must be established as FedRAMP Moderate equivalent.