Don’t Be Fooled: Why Empty Claims of “FedRAMP Equivalency” Put CMMC Compliance at Risk
On January 2, 2024, the Department of Defense (DoD) issued the Federal Risk and Authorization Management Program (FedRAMP) equivalency memo. The memo provides critical guidance on the FedRAMP Moderate Equivalency for cloud service providers’ (CSPs) cloud service offerings. The memo clarifies the specific requirements for FedRAMP Moderate equivalency. In short, CSPs must achieve full compliance with FedRAMP’s latest moderate security controls and undergo assessment by a FedRAMP–recognized Third Party Assessment Organization (3PAO) to achieve FedRAMP Moderate Equivalency.
By issuing this memo, the DoD hopes to discourage CSP vendors from claiming to be "FedRAMP equivalent" when they have not completed the necessary requirements to be FedRAMP Moderate Authorized.
The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.
FedRAMP Equivalency vs. FedRAMP Moderate Authorized
There are a few key differences between FedRAMP Moderate authorization and FedRAMP equivalency. Let’s take a closer look at each.
FedRAMP Moderate authorization is a certification process where a cloud service provider goes through a rigorous assessment process and receives an Authorization to Operate (ATO) from a FedRAMP authorized CMMC third party assessment organization (C3PAOs). This indicates the service has implemented security controls and processes that meet FedRAMP Moderate requirements.
FedRAMP equivalency, by contrast, means a cloud service provider has a certification that is equivalent in rigor to FedRAMP Moderate, but is not actually FedRAMP authorized. Common equivalents include ISO 27001, HITRUST CSF, and DoD Provisional Authorization.
FedRAMP Moderate has a defined set of 325 security controls based on NIST SP 800-53. Equivalency certifications may have differences in control sets or rigor that need to be addressed for FedRAMP. So, while FedRAMP equivalency provides a baseline, it does not replace the need for full FedRAMP Moderate authorization for federal government use.
FedRAMP Equivalency: What Defense Contractors and Subcontractors Need to Know
DFARS 7012 mandates that contractors only utilize cloud service providers that meet security requirements equivalent to FedRAMP Moderate Authorized. By achieving FedRAMP Moderate Authorization, CSPs provide a body of audited evidence containing security documentation, reports, and ongoing progress remediating findings. The FedRAMP certification process is so rigorous that the DoD considers it the gold standard for CMMC compliance.
Danger of "Equivalent" Claims
CSP vendors’ vague claims of providing "FedRAMP equivalent" cloud services have become problematic for contractors requiring CMMC compliance. It begs repeating: FedRAMP equivalency is not the same as FedRAMP Moderate Authorized.
While FedRAMP Moderate Authorization provides definitive proof of robust security controls, many CSPs make unsupported assertions of equivalency without undergoing actual FedRAMP assessments. Without proper scrutiny, these equivalency claims can drastically increase the risk of noncompliance with DFARS 7012 and CMMC requirements. Just taking a vendor’s word regarding FedRAMP equivalency introduces potential audit failures and cyber threats to sensitive CUI.
Validating True FedRAMP Equivalency
The DoD defined in its memo the meaning of equivalency to FedRAMP Moderate. This includes:
- 100% compliance with the FedRAMP Moderate control baseline
- Adherence to DFARS 7012 cyber incident/response protocols
- Assessment by an accredited 3PAO with full documentation including Security Assessment Plan/Report
Ultimately, if contractors wish to stay on the right side of CMMC compliance, they must validate any claims of a CSP’s equivalency by requiring evidence of 3PAO assessments, documentation of security controls, and confirmation of DFARS 7012 obligations.
Achieve CMMC Compliance with Kiteworks, Your True FedRAMP Partner
By using cloud services that have previously attained FedRAMP Moderate Authorization, contractors can comply with DFARS 7012 and CMMC requirements, protect sensitive data, and avoid the common pitfall of superficial equivalency assertions.
A FedRAMP Moderate Authorization equips contractors with genuine evidence of security controls, so they can confidently and quickly accelerate procurements without putting programs and information at avoidable risk.
Kiteworks has been FedRAMP Moderate Authorized since 2017 and enables government agencies, contractors, and private sector businesses to share and store sensitive information with the highest levels of security, control, and compliance.
The Kiteworks Private Content Network empowers defense contractors to protect CUI with AES–256 encryption at rest and TLS 1.3 encryption for data in motion. Embedded antivirus and security integrations with DLP, ATP, SSO, LDAP/AD, SIEM, and MFA further protect CUI.
Extensive governance controls give organizations complete visibility into the files entering and exiting the organization. Further, comprehensive audit logs that capture all file activity, namely who sends what to whom and when, enable regulatory compliance with data privacy regulations and standards like FedRAMP, CMMC, HIPAA, Cyber Essentials Plus, ITAR, and many more.
As a FedRAMP Authorized CSP, Kiteworks is deployed on a virtual private cloud in AWS for all processing. It features a dedicated server, isolated from all other customers on Amazon Cloud. Single tenancy provides organizations with sole encryption key ownership and fully encrypted file storage and transfer; no one—not Kiteworks, AWS, or law enforcement agencies—have access to customer content.
To learn more about Kiteworks, FedRAMP Moderate Authorization, and CMMC compliance, schedule a custom demo today.
Additional Resources
- Blog Post FedRAMP: The Short Path to Secure Content Communications
- Brief Meeting the FedRAMP Equivalency Requirement of CMMC
- Brief Kiteworks Comparison: On-premises vs. Hosted vs. FedRAMP
- Blog Post Managed File Transfer With FedRAMP Compliance
- Blog Post FedRAMP Audit Logging [Best Practices, Solutions, and Tips]