The Department of Defense Clarifies FedRAMP Equivalency Standard
Tuesday, January 30, 2024
cloud information defense security standards FedRAMP
Print Mail Download i

As many Department of Defense (“DoD”) contractors know, if they want to store, process, or transmit covered defense information (“CDI”) with a cloud service provider (“CSP”), then the CSP must meet the security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline. This begs the question, what is equivalence to the FedRAMP Moderate baseline? Earlier this month, the DoD issued a much-needed memorandum that helps answer this question.

The memorandum first establishes that if a CSP is already authorized at the FedRAMP Moderate level under the existing FedRAMP process, then the CSP is permitted to store, process, and transmit CDI. This provides a powerful incentive for contractors to use CSPs that are FedRAMP authorized—they have already been approved by the Government.

If the CSP is not FedRAMP authorized, the CSP can still store, process, and transmit CDI if the CSP meets security requirements equivalent to that of FedRAMP Moderate. To achieve this equivalency, a FedRAMP-recognized Third Party Assessment Organization (“3PAO”) must verify annually that the CSP meets all FedRAMP Moderate security controls. The CSP must also provide the contractor with a body of evidence (“BoE”) that further confirms the CSP meets the FedRAMP Moderate security requirements. The BoE must include the following:

  • System Security Plan;
  • Security Assessment Plan;
  • Security Assessment Report performed by a FedRAMP-recognized 3PAO; and
  • Plan of Action and Milestones (“POA&M”)—if the 3PAO assessment results in an open POA&M, the CSP must implement and close out the POA&M before it can achieve FedRAMP Moderate equivalency.

The memorandum makes clear that the onus is on the contractor to validate that the BoE meets the FedRAMP Moderate equivalency standards outlined in the memorandum (i.e., that the BoE contains the documents and information identified in DoD’s memorandum). By contrast, FedRAMP-authorized CSPs have already been approved by the Government, eliminating the need for contractors to monitor their CSPs, and the BoEs they submit, for compliance with the FedRAMP Moderate security controls. In selecting a CSP, contractors should carefully weigh the costs and benefits of using a FedRAMP Moderate-authorized CSP versus a CSP that must be established as FedRAMP Moderate equivalent.

© 2024 Blank Rome LLP

Current Legal Analysis

More from Blank Rome LLP

OMB Embraces Government Use of Artificial Intelligence
by: Robyn N. Burrows
EPA Issues Final PFAS National Primary Drinking Water Regulation
by: Margaret Anne Hill
60-Second Sustains: Criterion Corporation
by: Elizabeth N. Jochum
Colorado Becomes the First State to Explicitly Protect “Neural Data”
by: Daniel R. Saeedi
Estate Planning for the Business Owner Series, Part 2: Valuing the Business
by: Andrew Haas
The FTC Won’t Let It Be: Non-Compete Ban Stirs Controversy
by: Kevin M. Passerini , Anthony B. Haller
3 Highlights from CFIUS Proposed Rule: Enhanced Penalties, Expanded Information Requests, and Mandatory Response Times
by: Anthony Rapa , George T Boggs
Time for Compliance with DOD’s Cybersecurity Regulations is NOW
by: Michael J. Montalbano , Samarth Barot
Finally!? DOL Cranks Up Exempt Salary Threshold Near $60,000
by: Jason E. Reisman
OMB Issues Guidance on Application of Section 889 to Federal Assistance Recipients—and Confirms No Part B “Use” Prohibition
by: Robyn N. Burrows

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins