The Department of Defense Clarifies FedRAMP Equivalency Standard

Blank Rome LLP

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This raises the question: what counts as equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

The memorandum first establishes that if a CSP is already authorized at the FedRAMP Moderate level under the existing FedRAMP process, then the CSP is permitted to store, process, and transmit CDI. This provides a powerful incentive for contractors to use CSPs that are FedRAMP authorized—they have already been approved by the Government.

If the CSP is not FedRAMP authorized, the CSP can still store, process, and transmit CDI if it meets security requirements equivalent to those of the FedRAMP Moderate baseline. To achieve this equivalency, a FedRAMP-recognized Third Party Assessment Organization (“3PAO”) must verify annually that the CSP meets all FedRAMP Moderate security controls. The CSP must also provide the contractor with a body of evidence (“BoE”) that further confirms the CSP meets the FedRAMP Moderate security requirements. The BoE must include the following:

  • System Security Plan;
  • Security Assessment Plan;
  • Security Assessment Report performed by a FedRAMP-recognized 3PAO; and
  • Plan of Action and Milestones (“POA&M”)—if the 3PAO assessment results in an open POA&M, the CSP must implement and close out the POA&M before it can achieve FedRAMP Moderate equivalency.

The memorandum makes clear that the onus is on the contractor to validate that the BoE meets the FedRAMP Moderate equivalency standards outlined in the memorandum (i.e., that the BoE contains the documents and information identified in DoD’s memorandum). By contrast, FedRAMP-authorized CSPs have already been approved by the Government, eliminating the need for contractors to monitor their CSPs, and the BoEs they submit, for compliance with the FedRAMP Moderate security controls. In selecting a CSP, contractors should carefully weigh the costs and benefits of using a FedRAMP Moderate-authorized CSP versus a CSP that must be established as FedRAMP Moderate equivalent.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising
