DoD Releases A Memo Defining FedRAMP Moderate Equivalency 

Members of the DoD supply chain that use Cloud Service Providers (CSPs) to store, process, or transmit CUI/CDI must not only require but also ensure that the CSP meets requirements equivalent to those in the FedRAMP Moderate baseline. DFARS 7012(b)(2)(ii)(D) has left some DoD contractors unclear on how to effectively “require and ensure” that their CSPs meet the requirements specified therein. Some opt to include contractual clauses mandating that CSPs meet the FedRAMP Moderate baseline; others require CSPs to provide either reports from independent 3PAOs or self-attestations of compliance. That ambiguity has now been addressed: the DoD has released a memo defining what “FedRAMP Moderate Equivalency” means for the purposes of DFARS 7012.

DFARS 7012 External CSP Requirements

Under this clause, any contractor intending to use an external CSP to store, process, or transmit CDI in the performance of a DoD contract must require and ensure that the CSP:  

  • Meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline and  
  • Complies with the clause’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

Requirements For FedRAMP Moderate Equivalency

The memo states that “to be considered FedRAMP Moderate equivalent, CSOs must achieve 100% compliance with the latest FedRAMP moderate security control baselines through an assessment conducted by a FedRAMP-recognized” 3PAO. The CSO must present the supporting documentation specified in the memo to the contractor as its body of evidence (BOE).

Note that the “DoD requirements for FedRAMP Moderate Equivalency” do not allow for open POA&Ms that result from the 3PAO assessment of the CSP’s cloud service offering (CSO). The memo requires that “all POA&M actions be corrected and validated” by the third-party assessor organization as CLOSED. CSPs may, however, have operational POA&Ms that do not result from a “FedRAMP-recognized 3PAO assessment.”

Assessments

DCMA DIBCAC is the agency responsible for validating compliance with DFARS 7012 and 7020, and it regularly validates that a contractor has implemented the required controls. As part of that, DIBCAC will assess the CSP’s BOE demonstrating FedRAMP Moderate equivalency. Additionally, the CSP must have an annual assessment performed by a 3PAO to validate that the CSO continues to meet the FedRAMP Moderate baseline. The contractor must confirm that the 3PAO’s BOE aligns with the Moderate Equivalent standards specified in the memo. When using a FedRAMP Moderate Equivalent CSO, the contractor must also furnish the CSP’s Customer Responsibility Matrix (CRM) to DIBCAC and 3PAO assessors to support the assessment, since the CRM documents which controls the CSP implements and which remain the contractor’s responsibility.

Responsibilities of the Contractor

The memo identifies the contractor as the “approver for the use of the CSO by their organization” who “confirms that the selected CSP has an incident response plan.” Accordingly, the contractor, NOT the CSO’s CSP, is accountable for reporting if the CSO is compromised. The contractor must verify that the CSP adheres to its incident response plan and is able to notify the contractor in case of an incident. Finally, the contractor must report any incidents in accordance with the contract terms and conditions.

Why Is Achieving FedRAMP Moderate “Equivalency” Hard?

In a regular FedRAMP authorization, a CSP can be authorized with some requirements not fully implemented. Equivalency under this memo, by contrast, requires that a provider implement all of the requirements, 100%. So why is achieving equivalency harder? In a full FedRAMP authorization, a senior authorizing official (AO) from the Government determines whether the risk from a cloud service is acceptable. The AO examines reported vulnerabilities and POA&Ms and makes an informed decision whether to accept them; if the POA&M rationale is reasonable, authorization is possible despite open findings. With equivalency, there is no Government AO. Instead of relying on an individual’s judgment, the DoD applies strict, objective criteria: in simple terms, NO residual risk from open findings is accepted. To be considered FedRAMP Moderate “Equivalent,” a CSO must implement all FedRAMP Moderate baseline controls. Additionally, preparing and producing all of the documentation required in the BOE may prove a challenge for some CSOs.

Don't Settle For Empty Claims!

Remember, DFARS 7012(b)(2)(ii)(D) requires your CSP to meet “FedRAMP Moderate equivalency” standards. However, not every vendor claiming to be “FedRAMP Moderate Equivalent” is, and a good guide should be the DoD memo. Keep the following in mind:  

  • Marketplace Matters: A CSO listed on the official FedRAMP Marketplace at Moderate or higher already meets the baseline. A CSO that isn’t listed is not automatically disqualified, but it must prove equivalency through a 3PAO-assessed BOE rather than simply claiming it.
  • Built on FedRAMP Doesn’t Equal Equivalent: Being built on a FedRAMP-authorized IaaS or PaaS platform doesn’t guarantee a SaaS product’s “equivalence.”  
  • Beware Empty Claims: Many vendors offer vague assurances of being FedRAMP “equivalent” or “compliant,” while in fact, they are NOT.  
  • Demand Proof, Not Promises: Don’t rely on words alone. Request a detailed system security plan and audit report specifically covering your service scope. If they don’t provide concrete evidence, consider looking for another provider.  

Remember, choosing the right CSP matters not only for your DFARS 7012 compliance but also for national security. Don’t settle for empty claims. Protect your data and compliance by demanding verifiable proof of “FedRAMP Moderate equivalence” before entrusting your critical information to any cloud vendor. Let the CSP furnish the required documentation in the BOE.  

What if Your CSP is Not FedRAMP Moderate Equivalent?

If you plan to bid on a contract with a DFARS 7012 requirement and your CSO is not FedRAMP Moderate equivalent, you should start acting NOW! Have your CSPs provide you with a timeline to achieve equivalency and with the 3PAO reports you will need to present to your assessors at the time of assessment. Remember, the requirements of the memo are now in effect. Therefore, if you store, process, or transmit CUI/CDI in a cloud service and your vendor merely claims that their application is hosted in a FedRAMP environment, contact them and ask what their plan is.

Conclusion

Ensuring that your CSP has achieved FedRAMP Moderate Equivalency is crucial, particularly in the wake of the recently released DoD memo, which sets out stringent requirements and emphasizes the need for 100% compliance with FedRAMP’s Moderate security control baseline. The responsibility lies with contractors to ensure that CSPs meet these standards, as validated by DCMA DIBCAC. Contractors must be vigilant in scrutinizing CSP claims and demand tangible proof of FedRAMP Moderate equivalence. The memo clarifies the role of contractors as approvers and emphasizes their accountability in the event of a CSO compromise.
