Reciprocity Between DOD’s Coming CMMC and FedRAMP Certifications

Published: August 06, 2020


The Pentagon says that cloud computing vendors with FedRAMP authorizations will receive reciprocal authorizations for the new cybersecurity program.

In June 2019, the Department of Defense (DOD) announced it is developing a new cybersecurity standard and certification for contractors, the Cybersecurity Maturity Model Certification (CMMC). When fully implemented, all companies that seek to hold a contract with the DOD will be required to have their firm’s cybersecurity assessed and certified to meet specific requirements in those contracts. Pilot implementations are scheduled from Q3 FY 2020 through Q1 FY 2021 with full incremental rollout running from calendar 2022 through 2025.

The driver behind CMMC is to address concerns with the cybersecurity of the defense contractor and subcontractor supply chain, especially beyond tier-one providers. But this is far from the first federal program aimed at improving the cybersecurity of contractor-provided services and products. The Federal Risk and Authorization Management Program (FedRAMP), which provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, has been evolving for nearly a decade. The DOD has built on FedRAMP with its DOD Cloud Computing Security Requirements Guide (CC SRG), which addresses specific defense and intelligence requirements around cloud offerings.

The FedRAMP experience has shown that the preparations for these assessments can be time-consuming and costly on the part of vendors, so when DOD announced another program that would require security assessments, many in the defense cloud solutions community expressed concern that they would be required to undergo another costly round of assessments. DOD officials have acknowledged this concern and say they wish to limit unnecessary burden to the contractor community, specifically by offering reciprocal certifications for FedRAMP cloud companies.

Comparing FedRAMP, DOD’s Cloud Security Requirements and CMMC

Getting a general understanding of the scope, structure and nuances of the three security-focused programs will help point the way to how the three may eventually align.

FedRAMP currently has three levels of security designation – Low, Moderate and High – by which cloud provider security is assessed. The Department of Defense (DOD) does not currently authorize at the High designation as they are continuing to build out their requirements to align with those from GSA, which is the lead FedRAMP governing agency.

The DOD Cloud Computing Security Requirements Guide (CC SRG) rates its cloud security assessments by Impact Levels that map to the sensitivity level of the information processed. The levels progress upward from dealing with public information to CUI and classified/secret information. The original Impact Levels ranged from 1 to 6, although in revised iterations DOD consolidated levels 1 and 3 into levels 2 and 4 respectively, so there are now no levels 1 or 3.

The Cybersecurity Maturity Model Certification (CMMC) has five progressive certification levels moving from Level 1-Basic Cyber Hygiene to Level 5-Advanced/Progressive Cyber Hygiene. Like the other standards, each progressive level builds on the previous one. Level 1 requires protection of basic Federal Contract Information (FCI). CUI comes into play at Level 3-Good Cyber Hygiene, where companies have processes and practices in place, including all practices from NIST SP 800-171 r1.

What Reciprocity Across FedRAMP and CMMC Might Look Like

When CMMC was announced last year, cloud providers that had gone through the costly process of preparing for and undergoing security assessments for FedRAMP asked DOD whether they would need to spend additional effort and money to go through another round of assessments for CMMC. DOD’s response has been that they intend to offer certification reciprocity between the two programs. The rationale is to minimize redundant effort and cost associated with re-assessing for the second standard once a firm has been authorized with the first standard.

One challenge will be in mapping the five CMMC levels to the three FedRAMP levels, but it seems that the most obvious connecting point is around the kind of government information that a contractor needs to keep secured. Processing Controlled Unclassified Information (CUI) requires a FedRAMP Moderate classification and falls under the DOD CC SRG impact level 4. As CMMC has been developing, the DOD has said that processing CUI will require CMMC Level 3, so that appears to be the most logical point at which to align all three programs. Still to be determined is whether existing FedRAMP assessment models address all of the requirements that the various CMMC assessment levels will require. Once the DOD knows which CMMC levels will map to which FedRAMP levels, the challenge of operationalizing reciprocity becomes the next hurdle. Policies and procedures are sure to follow.

The bottom line is that what FedRAMP-CMMC reciprocity will look like is still yet to be formally determined by DOD. One might assume that the DOD and the CMMC Accreditation Body overseeing the governance of third-party assessors are looking at the commonalities between the two assessment schemes and developing policies that would formalize such reciprocity arrangements. Ideally, once defined, reciprocity would smooth the way for existing FedRAMP companies to quickly obtain their CMMC certifications. Reciprocity would also mitigate the burden on CMMC assessors and avoid additional bottlenecks due to high demand for assessments. Finally, reciprocity would help smooth the way for CMMC to move from concept to pilot to full implementation and take its place as a regular part of the DOD acquisition landscape.