
What is FedRAMP Moderate Equivalency? 


You may have heard a vendor say they are FedRAMP Moderate Equivalent (FRME), but what does that really mean, and how do you know if they are? 

First, let’s discuss what FedRAMP is. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.[1]

FIPS 199 Moderate Baseline 

Within 32 CFR Part 2002, CUI Basic is categorized at no less than the moderate confidentiality impact level in accordance with FIPS PUB 199 (incorporated by reference, see § 2002.2). FIPS PUB 199 defines the security impact levels for Federal information and Federal information systems.[2]

This means that Controlled Unclassified Information (CUI) in federal information systems must be protected with, at a minimum, the NIST SP 800-53 moderate baseline set of controls.

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 

For nonfederal organizations, NIST created SP 800-171 to outline the protection requirements of CUI when residing in nonfederal systems and organizations.  

NIST SP 800-171 was derived from the NIST SP 800-53 moderate baseline by tailoring out controls that are uniquely federal (FED), not directly related to protecting the confidentiality of CUI (NCO), or expected to be routinely satisfied by nonfederal organizations without specification (NFO). Appendix E of NIST SP 800-171 (Revision 2) contains the tables showing how each moderate baseline control was tailored.[3]



252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting 

The Department of Defense mandates that defense contractors use NIST SP 800-171 to protect CUI in covered contractor information systems. 

In addition to requiring NIST SP 800-171, DFARS 7012 also created the concept of FedRAMP Moderate Equivalency in paragraph (b)(2)(ii)(D):

“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/documents-templates/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”[4]


CSO vs CSP 

It is worth noting that there is a distinction between a Cloud Service Provider (CSP) and a Cloud Service Offering (CSO). The CSP is the company, and the CSO is the product. A CSP can have more than one CSO, and each CSO would need to undergo the assessment process to either become FedRAMP Authorized (FRMA) or FedRAMP Moderate Equivalent (FRME). 

Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings 

Known as the DoD FedRAMP Moderate Equivalency memorandum, this DoD CIO memo (issued December 21, 2023) specifies what the DoD means by the DFARS 7012 paragraph quoted above and how a CSO achieves FedRAMP Moderate Equivalency.

Both FRMA and FRME include an assessment by an independent FR-recognized 3PAO evaluating whether the CSO meets the requirements of the FedRAMP moderate security control baseline. 

Per the equivalency memo, a FedRAMP-recognized 3PAO must perform an independent assessment of the Cloud Service Offering (CSO), and the CSO must meet 100% of the requirements of the latest FedRAMP moderate security control baseline.

If the CSO passes this assessment, the 3PAO issues a letter of attestation stating that the CSO has met the requirements. So, if you ask a vendor for their 3PAO letter of attestation and they do not know what you are talking about, that is a strong indication that their product is not FedRAMP Moderate Equivalent.

Can a CSP just use a FedRAMP Authorized Cloud Service Offering and inherit their FedRAMP status? 

The most common misunderstanding around FedRAMP authorization is a vendor that hosts its product on a FedRAMP-authorized Infrastructure as a Service (IaaS) and then claims the product itself is FedRAMP-authorized because of where it runs. It does not work that way. A vendor can inherit the controls implemented by the infrastructure it is built upon, but inheritance covers only what the IaaS provider is responsible for; the IaaS provider’s customer responsibility matrix spells out which controls remain the tenant’s to implement. Everything the vendor configured and built on top of that infrastructure (the application, its data stores, identity and access management, logging, vulnerability management, and so on) has not been assessed by a FedRAMP 3PAO. So no, a vendor cannot simply inherit another CSP’s FedRAMP status.

Is FedRAMP Ready the same thing as FedRAMP Moderate Equivalent? 

A vendor can have its Cloud Service Offering (CSO) listed on the FedRAMP Marketplace as FedRAMP Ready. This is not the same as FedRAMP Moderate Equivalent as defined in the DoD memo, which specifically requires a full 3PAO assessment with no open POA&M items and the body of evidence made available to customers. FedRAMP Ready means only that a 3PAO performed a readiness assessment indicating that the CSO is a reasonable candidate for sponsorship and is likely to pass a full FedRAMP assessment; it does not mean the CSO has passed one.

Key Takeaway 

There is still a lot of confusion around what FedRAMP Moderate Equivalent means, and there are still vendors out there claiming that they are FedRAMP Moderate Equivalent when they are not. So, to be an informed customer, you should read the DoD’s memo on FedRAMP Moderate Equivalent to be aware of the requirements, and when speaking with a potential vendor, you should ask them if they have had an assessment by a FedRAMP-recognized 3PAO and if they can share the letter of attestation stating that their product has met all of the requirements of the FedRAMP moderate baseline. 

[1]https://www.fedramp.gov/program-basics/

[2]https://www.ecfr.gov/current/title-32/part-2002#p-2002.14(g)

[3]https://nvlpubs.nist.gov/nistpubs/SpecialPublications/N

[4]https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting
