ARTICLE
10 January 2024

No Longer Cloudy: DoD Issues New Guidance On FedRAMP Moderate Equivalency Cloud Security Requirements

CM
Crowell & Moring LLP

Contributor

Crowell & Moring LLP logo
Our founders aspired to create a different kind of law firm when they launched Crowell & Moring in 1979. From those bold beginnings, our mission has been to provide our clients with the best services of any law firm in the world through a spirit of trust, respect, cooperation, collaboration, and a commitment to giving back to the communities around us.
Explore
The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP)...
United States Technology
Photo of Evan D. Wolff
Photo of Michael G. Gruden, CIPP/G
Photo of Nkechi Kanu
Photo of Jacob Harrison
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline "equivalent" and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.

DFARS 7012 states that contractors must ensure that an external CSP meets security requirements equivalent to the FedRAMP Moderate baseline before contractors may use a CSP to process, store, or transmit Covered Defense Information (CDI). See DFARS 252.204-7012(b)(2)(ii)(D).

For CSPs that are not Moderate/High-Authorized, the memorandum requires completion of the following steps to demonstrate FedRAMP equivalency:

  • obtain an assessment against the FedRAMP Moderate baseline conducted by a FedRAMP-recognized third-party assessment organization (FedRAMP 3PAO) showing "100%" compliance with the Moderate baseline controls;
  • prepare and present supporting documentation to the contractor and DoD for review, including a System Security Plan, Security Assessment Plan, Security Assessment Report (prepared by FedRAMP 3PAO), and any Plan of Action & Milestones (POA&Ms) documenting controls not fully implemented;
  • fully close out all POA&Ms resulting from the FedRAMP assessment (i.e., fully implement all controls); and
  • undergo an annual assessment, conducted by a FedRAMP 3PAO, validating continued compliance with DFARS 7012 and DFARS 252.204-7020.

The memorandum explains that the onus is on the contractor to ensure that CSPs conform with the above requirements.

The memorandum also specifies incident reporting requirements for CSPs and the responsibility of contractors to confirm CSPs have incident response plans (IRPs), follow their IRPs, and can provide notification to the contractor following a cyber incident. Notably, the memorandum states that the contractor, not the CSP, bears the responsibility of reporting cloud-related incidents.

Accordingly, contractors should consider re-evaluating any cloud services or products leveraged to process, store, or transmit CDI, to determine whether FedRAMP Moderate equivalent CSPs can meet the listed security and incident response requirements above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Evan D. Wolff
Evan D. Wolff
Photo of Michael G. Gruden, CIPP/G
Michael G. Gruden, CIPP/G
Photo of Nkechi Kanu
Nkechi Kanu
Photo of Jacob Harrison
Jacob Harrison
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More