The Federal Risk and Authorization Management Program has been around for nearly 15 years. In that time, it changed and was updated periodically to keep up with the times. While changes are occasionally made to the underlying security frameworks like FedRAMP, CMMC and the NIST documentation that reviews each security control, there is also communication directly from the Department of Defense and other organizations to issue additional guidance.
The most recent memo, issued on December 21, 2023, comes from the Department of Defense and issues additional information about the concept of Equivalency. Critically, this memo was made effective immediately, so the cloud service providers and defense contractors to whom it applies will need to make sure they are in compliance as soon as possible if they wish to maintain their contracts, pass their audits, and continue operating with the government.
In order to understand how this memo impacts the current state of affairs, it’s important to understand how things were functioning before it was issued.
DFARS, the Defense Federal Acquisition Regulation Supplement, is a large and complex framework that governs the handling of defense information and controls unclassified information throughout the network of government agencies, the contractors that work with them, and any entity that handles covered information.
Since 2016, part of DFARS – clause 252.204-7012, also known simply as DFARS 7012 – has specified that any contractor working with a government or defense agency and handling controlled unclassified information must:
This is generally known as the “equivalency clause” and has been heavily relied upon by cloud service providers to put some good faith effort into their security while not needing to actively reach, comply, and pass audits with the actual FedRAMP certification process.
It has been eight years since DFARS 7012 and the equivalency clause were first published. The goal of the clause was not, as some believed, to give leeway to cloud service providers. Rather, the entire point was to create an “on-ramp” or runway so that cloud service providers could work with government contractors and agencies while developing their security processes and implementing FedRAMP-equivalent security.
Unfortunately, many took this leeway to simply be the way things would be and failed to fully comply. This has led to a lot of issues with potential risks, compromised data, and more. It’s very likely that, upon surveying the industry at large, the Defense Industrial Base Cybersecurity Assessment Center found shockingly low adherence to FedRAMP Moderate security standards.
The response was to issue clarifications as to what FedRAMP Moderate Equivalency means. Unfortunately for those cloud service providers who have been lax in their adherence, the time for serious security is now.
According to the Oxford English Dictionary, the definition of Equivalent is:
“Having equal or corresponding import, meaning, or significance.”
You may note that this is not “something similar to” or “close enough,” as many cloud service providers have taken it over the last near-decade.
This is important because of what the memo stipulates for government contractors, cloud service providers, and the burden of responsibility.
FedRAMP is largely based on the goal of protecting Controlled Unclassified Information, or CUI, using the security controls and standards outlined in the National Institute of Standards and Technology’s Special Publication 800-171, or NIST 800-171 for short.
Using this framework, an entity – be it a contractor or cloud service provider – is classified according to the FedRAMP impact level. There are three impact levels, low, moderate, and high. The vast majority of both contractors and cloud service providers typically fall in the moderate category; low is only for the least impactful entities, and high is for those who handle very sensitive or even classified information beyond just CUI. You can read more about impact levels here.
The goal of the FedRAMP equivalency clause is not to allow more flexibility to those cloud service providers who do not wish to pursue full FedRAMP certification and authorization. Rather, the goal is to allow contractors to work with cloud service providers who are not authorized as long as those cloud service providers meet the standards.
In practice, this meant that contractors would use whichever provider they liked, which often led to lax security and a shifting of blame.
The DoD memo clarifies what is meant by the equivalency clause, and really, it comes down to one thing: responsibility.
Imagine this scenario. You have three entities in play. The first is the government defense contractor. This defense contractor is looking for a cloud service to handle CUI for their operations; something simple like a basic data processor or even cloud storage suits the scenario.
The other two entities are cloud service providers. Both of these service providers offer the same service, so the contractor is deciding between them. They have similar pricing structures, similar service offerings, and similar reliability guarantees; in all ways but one, they are essentially the same. There’s only one significant difference between them. One is FedRAMP Authorized, and one is FedRAMP Equivalent.
In practical terms, according to the memo, the only difference between these two is where responsibility lies.
In the event of an unwanted intrusion or breach, the entity responsible differs.
For the FedRAMP Authorized cloud service provider, it is their responsibility to make sure they meet FedRAMP Moderate security standards and maintain their security posture. If an intrusion happens, while there may be some investigation to see whether or not the government contractor was at fault, ultimately, it is the cloud service provider’s responsibility to make sure they adhere to security standards and, with a breach, to identify what went wrong. If there are fines or even charges associated with the breach, they fall squarely on the head of the cloud service provider, barring wrongdoing from the contractor.
For the FedRAMP Equivalent cloud service provider, responsibility has shifted. As a contractor, choosing to use an Equivalent cloud service provider means you are shouldering the burden of making sure your choice of cloud service provider meets FedRAMP Moderate security standards. While the cloud service provider might be doing so of their own volition – as advertising “we meet NIST SP 800-171 standards” can be a selling point – if data is breached, it is the responsibility of the contractor. The contractor is responsible for ensuring that their Equivalent service provider is, in fact, truly equivalent.
The memo was initially directed solely at defense contractors; however, it has ripple effects throughout the industry. Who needs to care?
If you are a defense contractor and you work with FedRAMP Authorized cloud service providers only, you do not need to change anything. Since you aren’t working with Equivalent service providers, there are no changes to the way you operate.
If you are a defense contractor and you work with FedRAMP Equivalent cloud service providers, either in whole or in part, the memo is for you. The memo is explicitly clarifying that it is your responsibility if something goes wrong, and you can’t shift the blame to your cloud service provider.
If you are a defense contractor in this position, you essentially have three options.
The idea of the memo is to shift more contractors from 1 to 2. The eventual goal is that all cloud service providers are in #3, with the rare exceptions in #2 who do not have alternatives they can pursue.
This isn’t all.
If you are a cloud service provider and you maintain FedRAMP Equivalent standards, you may want to consider pulling the trigger and finally achieving a full ATO.
Why?
This memo has two implications. The first, which is actually something of a relief to cloud service providers, is that any cloud service provider operating at FedRAMP Moderate Equivalent is relieved of much of the possible responsibility in the event of a breach.
This is not to say that you’re free and clear. If you fail to maintain standards and suffer a breach, you can still be liable for damages or suffer fines. Moreover, even if there isn’t a breach, if you fail to pass muster, you may lose your contract with the contractor. However, the memo makes it clearer that a large portion of the responsibility falls on the contractor’s shoulders and not your own.
The second implication is more of a negative, but stems from the same source. Contractors who worked with FedRAMP Equivalent cloud service providers suddenly find themselves in a much riskier position, with a higher burden of labor and proof necessary to ensure that the service providers they work with are secure.
This means that your contractors are either going to double or triple down on their focus on your security – which is added work for you – or they are simply going to cancel their contracts with you and replace you with an Authorized service provider instead.
Perhaps one of the greatest impacts isn’t even the shift in responsibility. A small note in the memo calls out the Plan of Action and Milestones, or POAM, which many cloud service providers have relied on to delay their authorization and operate as Equivalent providers. These are now no longer allowed in Equivalent service providers unless the POAMs are operational items.
Truthfully, this is likely to be a significant shift. Defense contractors are already faced with a lot of responsibility of their own, and they aren’t necessarily going to want to shoulder your burden as well unless they have no alternative choice, in which case they are going to put a lot of pressure on you to uphold those standards.
If you are a cloud service provider and you are striving to meet the NIST 800-171 standards to maintain FedRAMP Moderate Equivalency, you’re now being put in a difficult position. You stand to lose contracts with defense contractors who are worried about the risk they assume in working with you. So, is it worthwhile to finally initiate the process to gain a full FedRAMP Authority to Operate?
In our view, the answer is almost certainly yes.
If you’re a cloud service provider and you’re using NIST 800-171 as a basic security framework to adhere to, but you don’t have any government contracts, and you don’t particularly care to pursue them, then that’s fine. There’s not necessarily a reason for you to pursue full authorization. By the same token, however, there’s not much reason to pick the NIST standard over the equivalent ISO standard or another standard. At that point, it’s more marketing than security.
If, on the other hand, you intend to pursue contracts with defense contractors and other government agencies, it’s almost always a good idea to go for full FedRAMP Authorization.
Yes, it’s a lot of work, documentation, and auditing.
Yes, the continuous monitoring requirements are steep.
Yes, it requires ongoing investment and constant vigilance.
However, it also alleviates the fears of the contractors you would be working with, opens up more contracts with the contractors who are likely going to be shifting away from Equivalent entities (and retain those who would be seeking to move), and allows you to be listed on the FedRAMP marketplace to find further contracts.
We’re well aware of how much work it is, but if you’ve already been reaching and maintaining NIST 800-171 standards, you’re likely most of the way there already. That’s where we come in. At Ignyte, we can serve as both a cloud-based platform you can use to monitor and maintain your security controls and their implementation and as a certified 3PAO who can work with you to validate your authorization. Simply click here to see what we can do for you with FedRAMP or other frameworks, book a demo, or reach out to us with any questions you may have.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/fedramp-memo-from-dod/