Compliance
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), the US General Services Administration (GSA), the US Department of Homeland Security (DHS), the US Department of Defense (DoD), the National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.
Cloud Service Providers (CSPs) who want to offer their Cloud Service Offerings (CSOs) to the US government must demonstrate FedRAMP compliance. FedRAMP builds on the NIST Special Publication 800 series and requires CSPs to complete an independent security assessment conducted by a FedRAMP-accredited third-party assessment organization (3PAO), so that authorizations satisfy the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.
Why is FedRAMP Important?
As part of the Cloud First Policy (since succeeded by the Cloud Smart strategy), the Office of Management and Budget (OMB) issued the FedRAMP policy memo, establishing the first government-wide security authorization program for cloud services under the Federal Information Security Modernization Act (FISMA). FedRAMP is mandatory for federal agencies' use of cloud services. FedRAMP is important because it increases:
What are the requirements for FedRAMP compliance?
OMB's FedRAMP policy memo requires all federal agencies to use the FedRAMP process to conduct security assessments, authorizations, and continuous monitoring of cloud services. The FedRAMP Program Management Office (PMO) has outlined the following requirements for FedRAMP compliance:
1. The cloud service provider (CSP) has been granted an Agency Authority to Operate (ATO) by a US federal agency, or a Provisional Authority to Operate (P-ATO) by the Joint Authorization Board (JAB).
2. The CSP meets the FedRAMP security control requirements as described in the National Institute of Standards and Technology (NIST) SP 800-53 security control baseline for the moderate or high impact level. (The baseline cited here is Rev. 4; FedRAMP has since transitioned its baselines to NIST SP 800-53 Rev. 5, so check the current FedRAMP baseline before scoping an assessment.)
3. All system security packages must use the required FedRAMP templates.
4. The CSP must be assessed by an approved third-party assessment organization (3PAO).
5. The completed security assessment package must be posted in the FedRAMP secure repository.
What is CMMC?
CMMC 2.0 is the next iteration of the DoD's Cybersecurity Maturity Model Certification (CMMC) model. It streamlines the requirements into three levels of cybersecurity, Foundational, Advanced and Expert, and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.
What are the new levels in CMMC 2.0?
CMMC Level 1 (Foundational): for companies that handle Federal Contract Information (FCI) only; the information requires protection but is not critical to national security; requires 17 basic safeguarding practices; requires an annual self-assessment (see the CMMC Level 1 Scoping Guidance).
CMMC Level 2 (Advanced): for companies that handle Controlled Unclassified Information (CUI); requires the 110 practices from NIST SP 800-171 Rev. 2; requires either a third-party assessment or a self-assessment, depending on the criticality of the information involved (see the CMMC Level 2 Scoping Guidance).
CMMC Level 3 (Expert): for the highest-priority programs handling CUI; adds a subset of the enhanced requirements from NIST SP 800-172 on top of Level 2; assessed by government officials rather than a third-party assessor.
Why is CMMC being implemented?
Cybersecurity is a top priority for the Department of Defense
The Defense Industrial Base (DIB) is the target of increasingly frequent and sophisticated cyberattacks. To protect American ingenuity and national security information, the DoD developed CMMC to raise DIB cybersecurity to meet evolving threats and to safeguard the information contractors handle on its behalf.
Who needs to be CMMC certified?
DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Will CMMC reciprocity be honored with FedRAMP certification?
Can StormCloud Gov Lower CMMC Audit Expenses?
Yes. StormCloud Gov enclaves hold DoD Impact Level 4 (IL4) compliance/equivalency (the DoD level built on the FedRAMP Moderate baseline) and a FedRAMP Readiness Assessment Report (RAR), which allows the majority of controls to be inherited from the enclave; the controls that remain the customer's responsibility still have to be implemented and assessed in your own environment. With our FastTrac program, everything needed to become certified is included in the package, with several tiers to choose from.
Do I have to adhere to regulations immediately, or can I wait for CMMC?
No, you cannot wait. If you have already been awarded a DoD contract that involves CUI, compliance with NIST SP 800-171 is required today under DFARS 252.204-7012, independent of the CMMC rollout. Using StormCloud Gov enclaves can help you reach that compliance now and positions you for the corresponding CMMC assessment later.
Our Focus Is Your Security
How Can We Help?
At Security Centric, we’re here to address your cybersecurity challenges, from compliance to threat mitigation. Whether you’re looking for a CMMC-compliant solution, assistance with risk assessments, or just have a question about our services, we’re ready to help. Reach out to us and let’s discuss how we can secure your organization and ensure your compliance with industry standards.