Between the DoD’s publication of the FedRAMP equivalency memo, the subsequent discussion amongst the CMMC community, and more small businesses providing cloud-based services to the DoD (e.g. through SBIR projects) we’ve been getting this question a lot lately. This post will explain the differences between FedRAMP and CMMC, and clear up any confusion as to when each of these assessment and authorization regimes apply to small-to-medium business DoD contractors.
What is FedRAMP?
FedRAMP stands for the GSA’s Federal Risk and Authorization Management Program, which authorizes cloud services for use in Federal Government environments and/or on Federal Government programs. What is a cloud service? A service – a digital provision of hardware and software – is considered cloud-based if it meets the five characteristics as described by the National Institutes of Standards and Technology standard 800-145:
- On-demand self-service – customers can provision the services on their own whenever they want
- Broad network access – services are accessed through ubiquitous endpoint systems such as workstations, mobile devices, and web browsers
- Resource pooling – data handling occurs on shared IT resources, with logical access controls segregating customer data
- Rapid elasticity – resource availability spools up and down according to demand
- Measured service – customers pay as they go and only pay for resources they use
But basically a cloud service is one that a Cloud Service Provider (CSP) hosts on its own wide-area-network-based hardware and makes available for consumption, either by the general public or by specific groups.
There are three types of cloud services:
- Infrastructure-as-a-Service (IaaS): a local network created by a CSP that a customer can use to support multiple platforms and/or applications. Example: AWS GovCloud, in which Totem Tech’s Totem™ Cybersecurity Compliance Management (CCM) application is hosted.
- Platform-as-a-Service (PaaS): an operating system provided by a CSP that a customer can use to host their own applications. Example: Microsoft Azure Virtual Desktops, as employed in Totem Tech’s ZCaaS™ CUI Enclave.
- Software-as-a-Service (SaaS): an application developed and offered by a CSP that a customer can use to perform some function. Example: Microsoft 365 or Google Workspace applications.
Federal Contract Information (FCI) and its more sensitive subset Controlled Unclassified Information (CUI) are data types that, by regulation, require more robust cybersecurity safeguards than those implemented in your standard commercial cloud service. FedRAMP, therefore, is the Federal Government’s process to ensure cloud services are secure enough to handle – store, process, transmit – FCI or CUI.
CSP can have their service authorized under FedRAMP according to various impact levels, depending on the sensitivity of the information that is intended to be handled there:
- Low Impact
- Moderate Impact
- High Impact
The Impact level represents the damage that could be done to the Federal Government’s mission should the confidentiality, integrity, or availability of the information be compromised. FCI can be handled in Low or Moderate Impact systems, depending on the type of data, while a cloud service must be authorized at Moderate Impact or higher to handle the more sensitive and impactful CUI.
There are two paths to FedRAMP authorization:
- Agency sponsored: an agency, such as the Department of Defense (DoD), recognizes the need for a particular CSP offering, and agrees to “sponsor” – or initiate – the FedRAMP authorization of a cloud service for a particular use case.
- Joint Authorization Board (JAB): A CSP can independently pursue preliminary, “provisional” authorization for its cloud service through the JAB (a consortium of several Executive branch agencies), hoping for adoption by a Federal Agency, which will then finalize the authorization for a particular use case. The JAB will determine viability of the cloud service within the FedRAMP marketplace prior to initiating the authorization process.
FedRAMP authorization, even at the Low Impact level, and using either authorization path, involves achieving over a thousand cybersecurity objectives, and is a time consuming and expensive proposition for a CSP. So CSP don’t approach FedRAMP lightly. Once a cloud service passes several assessments (performed by an accredited third-party assessment organization, a 3PAO, on behalf of the Federal Government), it is issued an Authorization To Operate (ATO) under the FedRAMP program.
If you’re going to try to sell a cloud service to the Federal Government, including the DoD, you’ll have to have that service FedRAMP authorized. Furthermore, DoD contractors – members of the Defense Industrial Base (DIB) – that simply plan to use a cloud service to handle CUI are required by DFARS 252.204-7012 (“DFARS 7012”) to ensure the cloud service has achieved at least a Moderate Impact FedRAMP ATO, or equivalent. Well known CSP such as Google, Adobe, Microsoft, and AWS all have cloud services with Moderate ATOs. So, DIB members have choices when it comes to cloud services in which to handle CUI. But what if a DIB member wants to handle CUI in a cloud service that doesn’t have an ATO? Then the CSP will have to prove FedRAMP Moderate “equivalency”. We’ll explore this concept a bit in a section below, and if you join us in one of our CMMC Readiness Workshops, we do a deep-dive into understanding cloud service authorization and equivalency. But next let’s contrast FedRAMP with CMMC so you can see the difference between these two assessment paradigms.
What is CMMC and how is it different from FedRAMP?
To ensure that DIB members effectively secure the FCI and CUI they handle (whether or not it’s handle in the cloud), the DoD has proposed the Cybersecurity Maturity Model Certification (CMMC). Similar to FedRAMP, CMMC will also require cybersecurity assessments, in some cases by a CMMC third-party assessment organization (C3PAO). Like FedRAMP, there are also three levels of CMMC, related to the impact of the type of information a DIB member may handle:
- Level 1: for all DIB members, since, by virtue of executing a DoD contract, subcontract, or service/product provision, we all handle FCI
- Level 2: for those DIB members that, in addition to FCI, handle CUI
- Level 3: for those DIB members that handle CUI related to critical DoD missions (e.g. critical weapons systems)
Note that Commercial-off-the-Shelf (COTS) providers are likely exempt from CMMC requirements.
But aside from these two procedural and structural similarities, FedRAMP and CMMC aim to achieve different results. To start with, while FedRAMP is managed by the Federal Government itself, the DoD has contracted a private organization, the Cyber AB, to manage the CMMC “ecosystem”. The GSA, with input from the 3PAO, issues the FedRAMP ATO; however, in CMMC the C3PAO itself issues a Level 2 CMMC certification and government only issues a Level 3 certification.
FedRAMP authorizes cloud services by inspecting just those IT system components that support the cloud service itself. CMMC “certifies” the entire IT system a contractor uses to handle FCI and CUI. And since an IT system consists of physical facilities, hardware, firmware, software, networking equipment, users, and cloud services, the CMMC usually has a broader scope. However, CMMC’s broad scope does parallel another characteristic of FedRAMP: the expense. A CMMC assessment will take weeks to plan and execute, and will cost thousands of dollars. The Level 1 assessment consists of an annual a self-assessment only, the cost of which is primarily lost staff work time. But at Level 2, contractors will have to hire a C3PAO for the assessment at least once every three years, the expense and time-consumption of which will be quite burdensome, especially for small-to-medium-sized (SMB) business in the DIB. The DoD itself estimates a Level 2 assessment will cost SMB $100k+! For CMMC Level 3, the assessment burden is an order of magnitude more than at Level 2, as, in addition to procuring a Level 2 certification, there are more comprehensive cybersecurity requirements which the DoD itself (through the DIBCAC office) will verify and issue a Level 3 certificate. We won’t go into the details of the CMMC requirements and assessment protocols in this post, but you can read more on the CMMC requirements in this post.
Below is a table depicting the similarities and differences between FedRAMP and CMMC:
What is the difference between a FedRAMP Moderate ATO and a CMMC Level 2 certification?
We often get the question: “Does a CSP have to maintain both a FedRAMP ATO and a CMMC Level 2 certification for a cloud service that handles CUI?” The answer was provided by the DoD in the CMMC rule and in FedRAMP Moderate equivalency memo. No, a FedRAMP Moderate ATO satisfies the entirety of the DFARS 252.204-7012 clause for the protection of CUI.
FedRAMP Moderate Authorized CSOs [Cloud Service Offerings] identified in the FedRAMP Marketplace provide the required security to store, process or transmit [CUI] in accordance with Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting" and can be leveraged without further assessment to meet the equivalency requirements
Note that, as part of a CMMC assessment, a DoD contractor is expected to prove any cloud service it uses is authorized at an impact level commensurate with the sensitivity of the information handled there: Low or Moderate for FCI, and Moderate or High for CUI. For CUI, if the cloud service doesn’t have a FedRAMP Moderate ATO, then several DoD publications (DFARS 7012, the CMMC rule, and the FedRAMP equivalency memo) state the CSP will have to prove FedRAMP Moderate “equivalency”. So let’s spend a moment to understand this “equivalency”.
What is FedRAMP Moderate equivalency?
The DFARS 7012 states the following:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline…"
For over a decade, what constituted FedRAMP Moderate “equivalency” had been somewhat of a mystery. But the DoD put all that to bed with a memo issued in 2023 (which we discuss in detail in our CMMC Readiness Workshops), explicitly defining equivalency. In a nutshell, the contractor must ensure the CSP maintains:
- Over a dozen System Security Plan (SSP) documents
- A 100% passing assessment from a 3PAO (no in work POA&M items!)
- Attestation that the CSP abides the DFARS 7012 c-g clauses for incident response and reporting
- A Continuous Monitoring strategy
This means then that proving equivalency is just as burdensome on a CSP as if it pursues an actual FedRAMP ATO. Of course, if the CSP doesn’t have an agency sponsorship or JAB approval, then it’s only recourse is FedRAMP equivalency.
Either way though, the DoD contractor undergoing a CMMC assessment will have to be prepared to defend its selection of cloud services it uses to handle CUI, and those services will have to have a FedRAMP Moderate ATO or prove equivalency.
Wrapping up
As you can see, while there are similarities between FedRAMP and CMMC, there are many more differences, most significantly in the mission and scope of each assessment program. FedRAMP is for general Federal Government consumed cloud services, and CMMC is for DoD contractors. DoD contractors facing CMMC Level 2+ must ensure any cloud services they use have a FedRAMP Moderate ATO or meet equivalent protections.
If you need more help understanding the differences between FedRAMP and CMMC, come join us as we dive into more details in our quarterly CMMC Level 2 Readiness Workshops. In these workshops we explore the options for FedRAMP authorized cloud services, and discuss how a DIB member might choose between them, depending on the data handled. Also, if you’re looking for a pre-packaged FedRAMP Authorized environment in which to handle CUI, check out our ZCaaS™ CUI Enclave.
Good Hunting!
–Adam
