The ultimate goal of a recent equivalency memo from the Defense Department is to support companies using cloud services that are not yet FedRAMP certified by allowing them to go through a third-party assessment instead.
“We don’t have the capacity to accept or track [plans of action and milestones] like the Federal Risk and Authorization Management Program (FedRAMP) does. But I do want to give credit to the companies that are trying to leverage a cloud that’s not yet FedRAMP certified by having a [third party assessment organization] to come in and say, ‘Okay, are they good with [National Institute of Standards and Technology Special Publication] 800-171 or not?’ And if they’re not, what’s the delta that the customer has to handle? That’s all we were trying to do there,” David McKeown, DoD’s chief information security officer, told Federal News Network after he spoke at MeriTalk’s Accelerate AI forum. “I understand there’s some confusion. I think we’re going to have a call with industry where we have a large number of them come onto the call, and talk through this a little bit more, and tell us where we can maybe clarify the memo.”
McKeown said his office plans to have a call with the industry to provide more details on the memo in the next 30-to-45 days.
The new memo offers guidance on a provision within the Defense Federal Acquisition Regulation Supplement regarding the application of FedRAMP moderate for cloud services used by contractors to store covered defense information.
For years, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has been assessing DoD contractors’ compliance with the regulations in the Defense Federal Acquisition Regulation Supplement. What the DIBCAC has found is that it has not been clear what it means for a cloud service to be FedRAMP equivalent, or what the concept of FedRAMP equivalency requires. McKeown said that’s where the memo comes in.
“What we weren’t talking about was that you had to achieve FedRAMP moderate for all the cybersecurity controls on the face of the earth. We wanted to clarify that if you have a [third-party assessment organization] come in and assess that cloud environment, any of the 110 controls they say you satisfy, we will give you credit for that. If there are some that you do not satisfy, then you’re going to have to work out a customer responsibility matrix where the customer handles the remaining delta,” McKeown said.
With the new memo, cloud services must achieve 100% compliance with the latest FedRAMP moderate security control baseline, as assessed by a third-party assessment organization, to be considered FedRAMP moderate equivalent.
The cloud service provider will need to present evidence to the contractor, including a system security plan, security assessment plan, security assessment report and a plan of action and milestones. The memo says that DoD requirements for FedRAMP moderate equivalency do not allow for a plan of action and milestones from a third-party assessment organization, and any tasks identified in the plan of action and milestones must be closed by the third party.
McKeown said the effort will help certify more cloud services since only a limited number of organizations can successfully go through the FedRAMP process each year. It means that there are only so many vendors companies can choose from when looking for a cloud service offering.
Companies could also go a different route and obtain sponsorship from the military services or defense agencies. But just like with the FedRAMP pipeline, only a certain number of companies can get through the accreditation process each year.
“I know that the number of people that can get through the FedRAMP pipeline per year, because I sit on the board for the [Joint Authorization Board], is about 10 to 12. That’s not a lot. So if you don’t go with one of the vendors that’s already been FedRAMP approved, there’s not a lot of options,” McKeown said.
“The goal here was to try to help them out. Because I know one company in particular had a [third-party organization] assessment. They weren’t fully 110-control compliant and we were trying to figure out how to handle this. We’re trying to make it so that if you’re going to get that [third-party organization] assessment, we’ll give you credit for anything that the assessor said you passed. But if they said you are not complying on some things, I can’t accept the [plan of action and milestones]. So that delta has got to be handled between you and the customer. So that’s really the goal. I thought we were helping by doing this because I know how restrictive the FedRAMP process is, whether it’s an agency or the [Joint Authorization Board].”