What Reciprocity Across FedRAMP and CMMC Might Look Like
On January 27, 2021, Katie Arrington, the chief information security officer for defense acquisitions, formally announced that the Department of Defense (DoD) would be providing Cybersecurity Maturity Model Certification (CMMC) reciprocity for any International Organization for Standardization (ISO) 27001 and any Federal Risk and Authorization Management Program (FedRAMP) audits. As members of the Defense Industrial Base (DIB) build out their supply chain compliance programs, understanding FedRAMP and CMMC reciprocity can help streamline the initiative.
How does FedRAMP compliance fit into the DIB supply chain?
DoD officials and CMMC Accreditation Body (CMMC-AB) officials have indicated that FedRAMP compliance would count towards CMMC Level 3 certification. However, at this point, the required memo formalizing this has not been signed.
As of February 11, 2021, the main “sticking point” remains FedRAMP allowing for plans of action and milestones (POAMs) while CMMC does not. In other words, companies can be audited or certified as FedRAMP compliant if they have a specific action plan for remediating findings. CMMC, on the other hand, is either a yes or no. There is no in-between.
What is the benefit of FedRAMP reciprocity with CMMC?
It all comes down to money. Up to CMMC Level 3, companies can bill the government for reimbursement through indirect costs. This means that over time, they should be able to pay off their compliance costs. The DoD pledged to let contractors use their FedRAMP compliance work towards their CMMC compliance to reduce costs.
Where does FedRAMP fit into the CMMC ecosystem?
FedRAMP takes a standardized approach to cloud security for vendors working with federal agencies. A vendor is assessed once and can then reuse that certification across the agency ecosystem.
The FedRAMP Impact Levels
Like CMMC, FedRAMP starts by assessing the type of information Cloud Service Providers (CSPs) store, process, or transmit. However, FedRAMP then places them into three impact levels instead of assessing a maturity level.
- Low impact: loss of confidentiality, integrity, and/or availability would have a limited adverse effect on the agency because the data stored, transmitted, or processed does not include personally identifiable information (PII) beyond basic login details.
- Moderate impact: loss of confidentiality, integrity, and/or availability would have serious adverse effects like operational damage, financial loss, or non-physical individual harm.
- High impact: loss of confidentiality, integrity, and/or availability would have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals, and the CSP often transmits, processes, or stores sensitive, unclassified data.
According to FedRAMP, 80% of CSPs fall into the Moderate Impact Level.
The CMMC Ecosystem Use Case
As DIB members start to build out their CMMC compliance programs, they need to take their own vendors into account. The CMMC flow-down process means that contractors need to ensure their CSPs hold the appropriate CMMC maturity level.
In other words, if a contractor uses a Software-as-a-Service (SaaS) application to store, transmit, or process Controlled Unclassified Information (CUI), then the SaaS provider needs to have the appropriate Level 3 maturity certification.
When the DoD signs the reciprocity memo, DIB members will be able to leverage their CSPs' FedRAMP certifications as part of their supply chain management, depending on how the directive handles POAMs. As subcontractors, they will also be able to use their own FedRAMP work toward proving their maturity within the CMMC ecosystem.
SteelCloud: STIG Automation Documenting System Hardening for FedRAMP and CMMC Compliance
Whether your company needs to be FedRAMP certified or CMMC compliant, system hardening is the foundation of securing systems and documenting compliance activities. If you want to reuse the FedRAMP work you’ve already put into your infrastructure, you might be able to apply your National Institute of Standards and Technology Special Publication (NIST SP) 800-53 controls toward your CMMC certification. If you’re looking to validate your CSP, you can likewise use their FedRAMP compliance and their NIST SP 800-53 control mapping to validate their maturity level.
Automating your STIG compliance proves that you are continuously reviewing low-level technology requirements, like those contained in NIST SP 800-128 and 800-70. Although STIG compliance can be time-consuming and resource-draining, SteelCloud’s automation removes these barriers. With SteelCloud, customers can scan their environments and remediate conflicts in a single business day.