No Longer Cloudy: DoD Issues New Guidance on FedRAMP Moderate Equivalency Cloud Security Requirements

The Department of Defense (DoD) recently published a memorandum clarifying what it means for a cloud service provider (CSP) to be Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline “equivalent” and meet incident reporting requirements under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012). The memorandum states, in order to be considered FedRAMP equivalent going forward, CSPs must (1) be FedRAMP Moderate/High-Authorized, or (2) secure a third-party assessment confirming their compliance with all FedRAMP Moderate baseline security controls.

DFARS 7012 states that contractors must ensure that an external CSP meets security requirements equivalent to the FedRAMP Moderate baseline before contractors may use a CSP to process, store, or transmit Covered Defense Information (CDI). See DFARS 252.204-7012(b)(2)(ii)(D).

For CSPs that are not Moderate/High-Authorized, the memorandum requires completion of the following steps to demonstrate FedRAMP equivalency:

• obtain an assessment against the FedRAMP Moderate baseline conducted by a FedRAMP-recognized third-party assessment organization (FedRAMP 3PAO) showing “100%” compliance with the Moderate baseline controls;
• prepare and present supporting documentation to the contractor and DoD for review, including a System Security Plan, Security Assessment Plan, Security Assessment Report (prepared by FedRAMP 3PAO), and any Plan of Action & Milestones (POA&Ms) documenting controls not fully implemented;
• fully close out all POA&Ms resulting from the FedRAMP assessment (i.e., fully implement all controls); and
• undergo an annual assessment, conducted by a FedRAMP 3PAO, validating continued compliance with DFARS 7012 and DFARS 252.204-7020.

The memorandum explains that the onus is on the contractor to ensure that CSPs conform with the above requirements.

The memorandum also specifies incident reporting requirements for CSPs and the responsibility of contractors to confirm CSPs have incident response plans (IRPs), follow their IRPs, and can provide notification to the contractor following a cyber incident. Notably, the memorandum states that the contractor, not the CSP, bears the responsibility of reporting cloud-related incidents.   

Accordingly, contractors should consider re-evaluating any cloud services or products leveraged to process, store, or transmit CDI, to determine whether FedRAMP Moderate equivalent CSPs can meet the listed security and incident response requirements above.