Will Cybersecurity Maturity Model Certification Boost Defense Cloud Adoption?

Published: April 21, 2021


FedRAMP-CMMC reciprocity would make it easier for defense customers to find trusted cloud solutions.

Key Takeaways

  • DOD is trying to establish a reciprocal process through which FedRAMP-compliant contractors can achieve CMMC certification.
  • DOD wants FedRAMP-CMMC reciprocity to reduce duplication of programs.
  • Small businesses and start-ups may find the cost of achieving FedRAMP-CMMC compliance prohibitive.
  • Instituting reciprocity could be a boon to the federal cloud market.

Katie Arrington, Chief Information Security Officer for Acquisition and Sustainment in the Office of the Under Secretary of Defense for Acquisition and Sustainment, recently provided an update on the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) process. Speaking at an online session hosted by Deltek on April 8, Arrington told the audience she believes achieving reciprocity between CMMC and the Federal Risk and Authorization Management Program (FedRAMP) is a key goal for the DOD because “the core idea of CMMC is [to ensure the] non-duplication of programs.”

Securing FedRAMP compliance can cost companies hundreds of thousands of dollars, a burden that many small businesses find prohibitive. DOD also layers dozens of its own security controls on top of the FedRAMP baseline, further adding to the cost. Start-ups and small companies building cutting-edge technology can find the time and expense too much to handle and instead forgo pursuing business with the DOD. This presents a problem for the department, because the game-changing new commercial capabilities it is looking for come precisely from such small companies. If innovative companies will not spend the money to achieve FedRAMP and CMMC certification, the DOD loses access to their technology.

Arrington anticipates that many small companies will get over the CMMC hurdle by leveraging the FedRAMP compliance already earned by their cloud service providers “to get part of the way there.” Solving the challenge of cost versus security is part of the purpose behind the assessments of CMMC Third-Party Assessor Organizations (C3PAOs) currently being conducted. “Assessments are about getting FedRAMP reciprocity right,” confirmed Arrington, who also explained that her office is “using pilot programs to understand how all of this should work” before fully launching CMMC.

Listening to all of this got me thinking about the potential impact that achieving FedRAMP-CMMC reciprocity could have on the federal cloud market. The market has grown substantially over the last few years, due in large part to the certification of trusted solutions for federal agencies. Adding CMMC to the mix could foster trust even further, which is sorely needed after the SolarWinds and Microsoft Exchange Server hacks. Security remains the number one concern of agencies still hoping to leverage cloud solutions.

Much as the roll-out of FedRAMP stimulated cloud adoption by civilian agencies, the institutionalization of FedRAMP-CMMC reciprocity could accelerate the adoption of cloud computing (especially Software-as-a-Service) by the security-conscious DOD. Add to this the General Services Administration’s desire to adopt the CMMC model for the civilian sector, and the implication is clear: the more federal customers trust cloud solutions, the more they will use them.

Standing up the CMMC program is going to take time, but trends in the market suggest that once it is in place, commercial cloud solutions won’t just be an option for defense and civilian agencies. They will be the preferred option.