What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring of cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
Cloud Service Providers (CSPs) who want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP uses the NIST Special Publication 800 series and requires cloud service providers to complete an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations are compliant with the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.
Why is FedRAMP Important?
In response to the Cloud First Policy (now Cloud Smart Strategy), the Office of Management and Budget (OMB) issued the FedRAMP Policy Memo (now Federal Cloud Computing Strategy) to establish the first government-wide security authorization program for Federal Information Security Modernization Act (FISMA). FedRAMP is mandatory for all US federal agencies and all cloud services. FedRAMP is important because it increases:
- Consistency and confidence in the security of cloud solutions using National Institute of Standards and Technology (NIST) and FISMA defined standards
- Transparency between US government and cloud providers
- Automation and near-real-time continuous monitoring
- Adoption of secure cloud solutions through reuse of assessments and authorizations
What are the requirements for FedRAMP compliance?
The Cloud First Policy requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
2. The CSP meets the FedRAMP security control requirements as described in the National Institute of Standards and Technology (NIST) 800-53, Rev. 4 security control baseline for moderate or high impact levels.
3. All system security packages must use the required FedRAMP templates.
4. The CSP must be assessed by an approved third-party assessment organization (3PAO).
5. The completed security assessment package must be posted in the FedRAMP secure repository.
What is CMMC 2.0?
CMMC 2.0 is the next iteration of the DoD’s CMMC cybersecurity model. It streamlines requirements to three levels of cybersecurity – Foundational, Advanced and Expert – and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
What are the new levels in CMMC 2.0?
On December 3, 2021, the DoD released the CMMC 2.0 Model Overview. The CMMC 2.0 model encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) 52.204-21 and the security requirements for CUI in NIST SP 800-171r2 per Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and Executive Order 13556.
- CMMC Level 1 (Foundational): for companies with FCI only; information requires protection, but is not critical to national security; requires 17 basic safeguarding practices; see CMMC Level 1 Scoping Guidance
- CMMC Level 2 (Advanced): for companies with CUI; will require the 110 practices from NIST SP 800-171r2; may require third-party or self-assessments, depending on the type of information; see CMMC Level 2 Scoping Guidance
- CMMC Level 3 (Expert): for the highest priority programs with CUI; will use a subset of NIST SP 800-172; will be assessed by government officials.
Why is CMMC 2.0 being implemented?
Cybersecurity is a top priority for the Department of Defense
The Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC 2.0 to dynamically enhance DIB cybersecurity to meet evolving threats and safeguard information.
Who needs to be CMMC certified?
Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Will CMMC reciprocity be honored with FedRAMP certification?
The DoD announced its intent to honor CMMC reciprocity for FedRAMP certifications.
Can StormCloud Gov Lower CMMC Audit Expenses?
Yes, StormCloud Gov enclaves hold FedRAMP certification, enabling the majority of controls to be inherited, potentially reducing CMMC audit costs.
Do I have to adhere to regulations immediately, or can I wait for CMMC?
No, if you’ve been recently awarded a government or military contract, compliance with 800-171 is already required. Utilizing StormCloud Gov enclaves can facilitate achieving this necessary compliance!