February 19, 2021
Today, DFARS clause 252.204-7012 requires defense contractors to comply with NIST SP 800-171, but the clause also allows your organization to meet Department of Defense (DoD) contract requirements using cloud services from Cloud Service Providers (CSPs) whose security meets requirements equivalent to the FedRAMP Moderate Baseline. It looks like a similar reciprocity arrangement will soon be made for defense contractors as they work to become Cybersecurity Maturity Model Certification (CMMC) compliant.
Although the official memorandum has yet to be released, Katie Arrington, the Chief Information Security Officer for Defense Acquisitions, said at a January event that CMMC will have FedRAMP reciprocity.
While we wait for the government to issue the official memorandum, let’s compare what it takes for a CSP to hold a FedRAMP Joint Authorization Board (JAB) authorization with what it takes to achieve CMMC certification, and look at where the two programs differ.
This discussion will help you prepare the questions you need CSPs to answer so you can be confident your business maintains compliance and eligibility to win lucrative Defense Industrial Base (DIB) contracts.
Both FedRAMP and CMMC programs have a defined process with a formal approval board. Some CSPs have agency authorizations and others, like Infor, have a FedRAMP JAB Provisional Authority to Operate (P-ATO) at the FedRAMP Moderate Baseline level. The FedRAMP JAB is made up of the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA).
Note, however, that even if a CSP is FedRAMP authorized, the CSP still needs to be assessed and certified for CMMC, despite the anticipated reciprocity between the two programs.
Both programs maintain public marketplaces: the FedRAMP Marketplace lists authorized CSPs and accredited 3PAOs, and the CMMC Marketplace lists the assessment and consulting organizations accredited or registered by the CMMC Accreditation Body.
If you see a CSP in the FedRAMP Marketplace with at least a Moderate Baseline authorization, you can reasonably expect them to target a level above CMMC Level 1 when they go through a CMMC assessment.
However, CSPs can run into export control compliance issues if their solutions are not operated by US persons on US soil. To meet US export control requirements, the Infor Regulated Industries SaaS (IRIS) cloud environment is managed by US persons on US soil and runs on AWS GovCloud (US) IaaS, which restricts data center management to US citizens.
Third Party Assessment Organizations (3PAOs)
Both FedRAMP and CMMC require an approved Third-Party Assessment Organization (3PAO) to assess CSPs, but each program has its own approval process for assessors.
Many current FedRAMP 3PAOs are in the process of becoming CMMC Third Party Assessment Organizations (C3PAOs); however, before a C3PAO can conduct an assessment, its own organization must first pass a CMMC Maturity Level 3 assessment conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Both FedRAMP and CMMC have ongoing assessment requirements carried out by third-party assessors, and both are fundamentally based on National Institute of Standards and Technology (NIST) controls: FedRAMP on NIST SP 800-53 and CMMC on NIST SP 800-171.
FedRAMP requires annual assessments and monthly deliverables including 100% authenticated scans, asset inventory, Plan of Action & Milestones (POA&M), and executive summaries. FedRAMP also requires assessments for significant changes to the environment in addition to the annual assessments.
CMMC requires a certification assessment every 3 years and, unlike FedRAMP, does not allow POA&Ms: every practice at the target level must be in place at the time of the assessment.
We will need to wait for official communication to find out whether the 3-year CMMC certification cycle will differ for CSPs seeking FedRAMP/CMMC reciprocity, especially since many 3PAOs will likely perform assessments under both programs and already assess FedRAMP controls annually.
Regardless, you can be confident Infor’s IRIS cloud environment can help you meet future CMMC requirements at our targeted level, likely Level 3 to start.
Top 6 questions to ask a FedRAMP-authorized CSP
Although FedRAMP and CMMC reciprocity is on the horizon, reciprocity alone doesn’t address every issue that could stand in your way as a contractor looking to win DIB business.
Here are the top 6 questions to ask your CSP to make sure a technicality on their side doesn’t leave you unable to win government contracts.
- In addition to your FedRAMP authorization incident reporting requirements, are you currently following DFARS clause 252.204-7012 cyber incident reporting requirements?
- Have you been CMMC gap assessed?
- What is your target CMMC maturity level?
- When are you expecting your initial CMMC assessment?
- Do you have open FedRAMP (NIST 800-53) POA&Ms that map to your target CMMC Maturity Level controls?
- If you have open POA&Ms, is there an executive commitment to close them this year?
If you have any questions about how Infor can help you meet these requirements, request more information, and we will be in touch.