Managing Director at BCG & Army Veteran, building a business focused on GovTech & FinTech. Follow me for Defense, Government & Finance perspectives on core technology, digital transformation, cloud & IT infrastructure.
The Office of the DoD Chief Information Officer released a memo on FedRAMP Moderate Equivalency for Cloud Service Providers' Cloud Service Offerings (CSOs) when they are used to store, process, or transmit covered defense information (CDI). Highlights of the memo:

1️⃣ To be considered FedRAMP Moderate equivalent, a CSO must achieve 100% compliance with the latest FedRAMP Moderate security control baseline, verified through an assessment conducted by a FedRAMP-recognized 3PAO (which seems to be an extremely high bar).

2️⃣ Specific supporting documentation must be provided, e.g. the System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR) from a FedRAMP-recognized 3PAO, and POA&M.

3️⃣ Contractors act as the approver for the use of the CSO, and they, not the CSO's CSP, will be held responsible for reporting in the event of a CSO compromise.

👉 Key to note: the CMMC proposed rule also addresses the same topic, and does not seem to set the same threshold: "The Proposed Rule contains a similar requirement and provides more detail on how equivalency is determined. For CMMC Levels 2 and 3, contractors may use a CSP that is FedRAMP Moderate (or higher) Authorized or meets the security requirements equivalent to those of FedRAMP Moderate or High. To show equivalency, a contractor must have the CSP's System Security Plan ("SSP") or other security documentation demonstrating compliance and a Customer Responsibility Matrix ("CRM") mapped to NIST SP 800-171 Rev 2."

Source: https://lnkd.in/eb4XKJ3T

#dod #cloud #defenseinnovation #defense #defensetechnology #technology #tech #nationalsecurity #army #navy #airforce