A new memo from the Defense Department clarifies who is accountable for ensuring the security of cloud services at the FedRAMP moderate level.
The latest document provides guidance on a clause within the Defense Federal Acquisition Regulation Supplement regarding the application of FedRAMP moderate to cloud services being used by contractors for storing and processing covered defense information.
“One of the things that we learned in the early days of cloud was there was a lot of finger-pointing going on when something bad would happen. Let’s say a vulnerability would be found, or a zero-day event happened, there was this confusion around, ‘Is that the cloud service provider’s responsibility? Is that a contractor’s responsibility? Is that the government’s responsibility or somebody else? Who really is responsible?’” Raj Iyer, ServiceNow’s global head of public sector and a former chief information officer of the Army, told Federal News Network.
“And I think what this memo clarifies is that at the end of the day, the DoD’s contract is with that company A, and they got to make sure that they have an incident response plan, which shows how they’re going to coordinate any kind of remediation, or triaging that needs to happen when there is an incident that happens. That way, DoD holds the contractor accountable and responsible, and it’s their job to coordinate with all of the stakeholders.”
Historically, there has been a lot of debate around what being FedRAMP equivalent means. Since 2016, the DFARS clause said that if contractors use an external cloud service provider to store, process or transmit controlled unclassified information (CUI), the contractor should ensure that the cloud service provider meets security requirements equivalent to the FedRAMP moderate baseline.
The DFARS clause also required the cloud service provider to comply with incident reporting, data retention and access requirements listed in the clause.
With the new memo, to be considered FedRAMP moderate, cloud services must achieve 100% compliance with the latest security control baseline through an assessment conducted by a FedRAMP-recognized third-party organization.
In addition, the cloud service provider needs to present a list of evidence, or a body of evidence, to the contractor, including a system security plan, security assessment plan, security assessment report and a plan of action and milestones should they fall short in any areas. The memo says that the requirements for FedRAMP moderate equivalency do not allow for a plan of action and milestones from a third-party organization, and any action items identified in the plan of action and milestones must be marked as closed by the third party.
“From an evidence standpoint, the evidence requirements are pretty consistent with things that are going to be in your security package. I don’t think there’s anything in there that’s going to be super hard for organizations to come up with,” Grant Schneider, senior advisor to the Alliance for Digital Innovation and a former federal chief information security officer, told Federal News Network.
“With the 100% compliance and the inability to have a plan of action and milestone, even though they list plan of action milestones as a piece of the evidence that you have to meet every element under FISMA moderate, under 800-53, I think that may be a challenge for organizations to meet.”
Schneider said that if organizations are not 100% compliant with the latest FedRAMP moderate security control baseline for various reasons, it will have to be a business decision whether they want to make that investment to get to 100% to do business with DoD.
The memo says that the contractor approves their organization’s cloud services and ensures that the selected cloud service provider has a response plan. Moving forward, the contractor, not the cloud service provider, will be held responsible for reporting should a compromise happen and for making sure their cloud provider follows the incident response plan.
It’s unclear what triggered the memo, but Schneider said he would like to see more context for what might have caused its issuance.
“I would love to see, is there a particular issue that the department ran into, in some way, shape or form that caused them to put this out? Or is there a particular risk that they’re looking to avoid? I don’t know what that is, but I would certainly love to know what the answer is,” Schneider said.
Over the years, DoD has had various cyber policies emerging independently, including the Cybersecurity Maturity Model Certification (CMMC) program, with the zero trust framework eventually becoming an overarching approach to cybersecurity. As for the memo, Iyer said this is most likely one of the policy areas that needed tightening up.
“The DoD is relying more and more on cloud service offerings, putting more and more of our sensitive data in the cloud. And it became clear to [our adversaries], if there’s a single point of failure, it is cloud. Second point, it was very clear that our adversaries knew that the vulnerabilities were in the supply chain,” Iyer said.
“Yes, this does put a burden on industry. But I think for industry, for the defense industrial base, they’ve always known that this was coming. So this should be no news to anybody. We shouldn’t expect to see any pushback. And for the cloud service providers like us, we’ve always taken this seriously. And it’s part of what you have to do to serve the defense customer. And yes, it comes with the cost. But this is going to filter out companies that are serious about working with the DoD and protecting the data. It is absolutely critical that the tightening happens through the policy and process,” he added.
CMMC final rule
David McKeown, DoD’s chief information and security officer, signed the FedRAMP equivalency memo on Dec. 21, but it didn’t become public until January. The long-awaited CMMC proposed rule came out around the same time, laying out requirements “for a comprehensive and scalable assessment mechanism” to ensure defense contractors and subcontractors implement required security protocols when sharing sensitive unclassified information on their networks.
The proposed CMMC rule adds little detail on top of DFARS 7012, and the memo’s requirements appear to be more stringent than what is laid out in the proposed rule. DoD will most likely align the requirements from both documents when it releases the final CMMC rule.
“I think the question will be if there’s something that the DoD is intending this memo to change inside of CMMC, I would really hope for their sake that they already had that in the proposed rule. Because typically, once a proposed rule is out for public comment, you can make changes in the final rule. But typically, you can’t make really big substantive changes that weren’t somehow either included or alluded to in the proposed rule. So if this is going to cause a significant shift, I think that could be problematic just from a rulemaking procedure or from a rulemaking standpoint,” Schneider said.