In order to obtain the CMMC certification, Executive departments, agencies, and DoD contractors must implement a defined set of cybersecurity policies and procedures to ensure their services meet military-level security standards. The question that often remains unanswered is whether the CMMC requires the implementation of FedRAMP policies, which we elaborate on below.
The CMMC and FedRAMP Defined
The Cybersecurity Maturity Model Certification or CMMC for short is a standard of cybersecurity initiated by the United States Department of Defense (DoD) and used across the Defense Industrial Base. As such, this standard requires DoD contractors to follow certain cybersecurity procedures to protect classified data and protected data systems. In other words, the CMMC certification ensures that required contractors can meet the security standards of the military when it comes to having proper cybersecurity controls and policies in place.
FedRAMP, on the other hand, stands for the Federal Risk and Authorization Management Program, which is a program that allows for cost-effective adoption and use of cloud services with risk-based cybersecurity in mind. FedRAMP essentially helps Executive departments, agencies, and contractors adopt and use cloud products and services in a way that won’t create a threat to the security of Controlled Unclassified Information or CUI.
CUI Protection Requirements and the CMMC
The goal behind the CMMC certification and the implementation of protection requirements is to make sure federal data is protected at the highest level possible. Agencies and contractors who implement the FedRAMP practices can ensure that their services are risk-free and that their clients can trust in their secure use of cloud products.
While FedRAMP is nowhere stated to be a strict requirement for the Cybersecurity Maturity Model Certification, this type of security approach is required in certain scenarios. It all depends on the type of CUI data your business handles, which determines whether you are required to protect it with specific CUI protection methods, FedRAMP being one of them.
The CMMC assessors will have to determine whether the third party managing the CUI uses cloud systems in its procedures, in which case it will require the FedRAMP measures or an equivalent means of protection.
Regardless of what level of CUI data your business handles, if you are using a third party such as a cloud system in any step of the procedure, you will have to prove that the said third party meets at least certain CMMC requirements. In case you are working with Infrastructure-as-a-Service (IaaS) clouds or Software-as-a-Service (SaaS) clouds, you will only have to prove that the said parties are meeting CMMC level 3 requirements. That is because IaaS and SaaS clouds are not subject to DFARS 252.204-7012 Paragraph D, which goes as follows:
- D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
However, if the assessors determine that the FedRAMP procedures are necessary because you are working with cloud service providers that handle CUI, that provider would have to comply with far more requirements than CMMC level 3. There are 325 FedRAMP requirements in total that need to be met in order to ensure complete data security.