FedRAMP Memo: DoD Contractors are Now Responsible for Their "Equivalent" Cloud Service Provider (CSP)

    On 12/21/23, the DoD released a memo clarifying the stringent requirements of FedRAMP moderate “equivalency”, and it’s effective immediately. We’ll cover everything you need to know in this blog.


    On 12/21/23, the Department of Defense (DoD) released a memo clarifying the stringent requirements of FedRAMP moderate “equivalency”, and it’s effective immediately.

    The bottom line: DoD Contractors are now on the hook for their FedRAMP moderate “equivalent” Cloud Service Provider’s (CSP) compliance.

    If you are a DoD Contractor storing, processing, or transmitting defense data with a CSP, you should ask yourself:

    • “Am I willing to dedicate the time and energy to gather and report all the DoD is asking for?”
    • “Am I willing to risk the chance of my CSP not maintaining and reporting perfectly?”

    The CSP can’t miss the mark. They can’t even have a POA&M. If they miss the mark, it’s on you.

    Are you willing to take the risk of your CSP sinking every free throw?

    What does this mean? We’ll cover everything you need to know in this blog.

    In this blog we’ll answer the questions:  

    • What is a CSP?  
    • Where did this memo come from? 
    • What is the difference between FedRAMP Moderate Authorized and FedRAMP Moderate Equivalent?   
    • What exactly are contractors using equivalent CSPs responsible for?  
    • What is the margin of error allowed? 
    • What should I do if I have an “equivalent” CSP?


    What is a CSP?

    A Cloud Service Provider (CSP) is a company that offers computing services and resources over the internet, allowing users to access and utilize computing resources without the need for owning or maintaining physical hardware.

    Your organization is likely using a CSP: think companies like Microsoft Azure, Adobe, GitHub, and Oracle. You might be using them to run an application, host a website, or store and process your data.

    According to the memo, the DoD requires a lot from contractors whose defense data is stored, processed, or transmitted with a FedRAMP Equivalent CSP.

    Where did this memo come from?

    Since 2016, DFARS clause 252.204-7012 has stated that if a contractor puts Controlled Unclassified Information (CUI) in the cloud, then the contractor needs to ensure two things happen:

    1. Require and ensure that the cloud service provider meets security requirements "equivalent" to the FedRAMP Moderate baseline.
    2. The cloud service provider complies with incident reporting, data retention, and access requirements in paragraphs (c) through (g)* of DFARS.

    The DoD offered the FedRAMP moderate “equivalency” clause as an accommodation and catch-up mechanism for the Defense Industrial Base (DIB) to get on board with these new standards.

    Fast forward to today and the story probably went something like this:

    DIBCAC started looking around, checking to see how DFARS implementation was going in the Defense Industrial Base, and popping their head up into the cloud – they likely found CUI flowing left and right. Their reaction? This memo.

    Now the time for accommodations has run out.


    What is the difference between FedRAMP Moderate Authorized and FedRAMP Moderate Equivalent? 

    The difference between FedRAMP Moderate Authorized and FedRAMP Moderate Equivalent can likely be found in this claim - if your current CSP is saying, “You’re all good, we’ve got NIST 800-171 down pat,” you need to ask them if they are FedRAMP authorized.

    You can check the authorized FedRAMP marketplace for verification.


    If they say, “don’t worry, we’re FedRAMP Equivalent”, that is no longer a fuzzy alternative to FedRAMP Moderate Authorized; it has now become clear what the DoD means by “equivalent”.

    This shouldn’t be too surprising; “equivalent” simply means the same as - meaning, the same as FedRAMP moderate authorized.

    If you are a black belt “equivalent” you should be able to do all the tricks and pass all the tests that a black belt can, even if you don’t have the belt.


    What exactly are contractors using equivalent CSPs responsible for?

    The surprise is not the meaning of “equivalency”; it’s the clarification that CSPs aren’t responsible for proving or maintaining their FedRAMP compliance. The contractors are.

    Let me rephrase that: in the event of an incident, you are now held liable for proving and maintaining your current provider's FedRAMP compliance.

    Contractors with equivalent CSPs have a mountain of work and all the responsibility; contractors with authorized CSPs have little work and no responsibility.

    If you have an equivalent CSP, it’s on you to:  

    • Present all the extensive evidence of your CSP’s equivalency (and there’s a lot – see below)
    • Ensure a 3rd party assessor (3PAO) validates the equivalency  
    • Take responsibility and the burden of failure if they miss the mark

    As the DoD put it: the onus is on the contractor.


    "The onus is on the contractor to validate the BoE (Body of Evidence) provided by the 3PAO meets the Moderate Equivalent standards outlined in this memo and if using a CSO that is FedRAMP Moderate equivalent, must provide the CRM to DIBCAC and 3PAO assessors to support assessments.

    The contractor acts as approver for the use of the CSO by their organization and confirms that the selected CSP has an incident response plan.

    The contractor, not the CSO's CSP, will be held responsible for reporting in the event of CSO compromise.

    The contractor shall ensure the CSP follows the incident response plan and can provide notifications to the contractor.

    The contractor will report incidents in accordance with the applicable contract terms and conditions."

    The Body of Evidence

    The memo states: "To be considered FedRAMP moderate equivalent, [Cloud Service Offerings] must achieve 100 percent compliance with the latest FedRAMP moderate security control baseline through an assessment conducted by a FedRAMP-recognized 3rd Party Assessment Organization (3PAO)"

    For reference, the FedRAMP moderate baseline is larger than the NIST SP 800-53 moderate baseline. NIST SP 800-171 represents only 60% of the NIST SP 800-53 baseline. Translation? It's pretty tough.

    In addition, the contractor needs to present the following as the "Body of Evidence" (BOE):

    System Security Plan (SSP):

    • Policies and procedures (covering all control families)
    • User guide
    • Digital identity worksheet
    • Rules of Behavior
    • Contingency Plan
    • Incident response plan
    • Configuration management plan
    • Control implementation summary workbook
    • Separation of duties matrix
    • Applicable laws, regulations, and standards
    • Integrated inventory workbook

    Security Assessment Plan (SAP):

    • Security test case procedures
    • Penetration testing plan and methodology (conducted annually and validated by a 3PAO)
    • FedRAMP 3PAO-supplied deliverables

    Security Assessment Report (SAR):

    • Risk exposure table
    • Database, infrastructure, and web scan results (conducted monthly, validated annually by a 3PAO)
    • Auxiliary documents such as evidence artifacts
    • Pen test reports

    Plan of Action and Milestones (POAM):

    • Continuous monitoring strategy
    • Continuous monitoring executive summary (validated annually by 3PAO)

    That is a large Body of Evidence for your organization to be responsible for validating.

    As the memo states: "The onus is on the contractor to validate the BoE (Body of Evidence) provided by the 3PAO meets the Moderate Equivalent standards outlined in this memo and if using a CSO that is FedRAMP Moderate equivalent, must provide the CRM to DIBCAC and 3PAO assessors to support assessments."

    What is the margin of error allowed?

    The most daunting detail of the memo says that no Plans of Action & Milestones (POA&Ms) are allowed. POA&Ms would be the CSP’s “we’re working on it” option. Instead, the only “plan of action” allowed is perfection - and not self-attested perfection, but perfection proven through a mountain of evidence and then assessed by a third party (3PAO).


    After perfect FedRAMP moderate “equivalency” is proven, the onus is on the contractor to both hold the CSP accountable for maintaining perfection and be responsible for the CSP’s mistakes if they don’t.

    If you are a DoD Contractor storing, processing or transmitting defense data with a CSP, you should ask yourself:

    • “Am I willing to dedicate the time and energy to gather and report all the DoD is asking for?”
    • “Am I willing to risk the chance of my CSP not maintaining and reporting perfectly?”

    The CSP can’t miss the mark. They can’t even have a POA&M. If they miss the mark, it’s on you.

    Are you willing to take the risk of your CSP sinking every free throw?

    With the CMMC rule and this FedRAMP memo published back-to-back, DIBCAC is sending a clear signal: the standard is set, get your house in order. 

    What should I do if I have an “Equivalent” CSP?

    The short answer: Consider switching to a FedRAMP-Tailored Solution. We recommend either Microsoft GCC or GCC High.


    If you are considering working with a different Cloud Service Provider who might be storing, handling, or transmitting CUI and they assure you that they are a FedRAMP environment, then you need to ask them what their plan is to meet the stringent standards of this memo.

    Paragraphs C-G of DFARS 7012 constrain the use of common commercial cloud services. This is why Microsoft created GCC and GCC High: if you decide to put the wrong sensitive data in the commercial cloud, the cloud provider will not reciprocate the requirements of the DoD (access, data retention, incident investigation, and reporting), all those things that you are obligated to do by the DoD.

    Microsoft GCC and GCC High are not only FedRAMP authorized; they were created because of FedRAMP requirements.

    If you would like to talk to someone about Microsoft GCC/GCC High options for storing your CUI we would love to help.

     


    Sam Stiles, CMMC Certified Professional (CCP)

    Through his knowledge of the Microsoft Government platform and its relationship to CMMC, Sam has attained an intermediate level of knowledge in cybersecurity, NIST 800-171, and CMMC. Sam's ability to articulate technical expertise via common platforms such as YouTube, LinkedIn, blogs, and others has equipped him to hold the title of Vice President of Marketing at Summit 7.

    Author