What Are Operational POA&Ms in FedRAMP Equivalency?


Recently, the Department of Defense shook up the entire defense industrial base with the release of a memo titled “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings.” The memo, aimed at FedRAMP contractors and the CSPs they work with, clarifies the concept of equivalency and what it means to be equivalent to the FedRAMP/CMMC Moderate control standard.

We recently covered this memo in detail, but as it turns out, there are a few tricky elements of the discussion that we didn’t cover, and they definitely need to be discussed. In particular, the guidance surrounding Plan of Action and Milestones documents (POA&Ms) is confusing and potentially very important to CSPs taking advantage of equivalency. What does it mean, and how can we clarify the situation?

The Purpose of the Memo

The core purpose of the DoD memo was to clarify the FedRAMP equivalency clause.

Before the memo, a FedRAMP-certified contractor could work with CSPs that are not themselves FedRAMP-certified. Those CSPs could fall into two categories: the ones that handle Controlled Unclassified Information (CUI) and those that do not. For the CSPs that do not touch CUI, nothing has changed. For those that do, the rules have been updated.

If a FedRAMP-certified contractor wanted to work with a CSP, and that CSP needed to handle CUI, the CSP would need to achieve and maintain FedRAMP Moderate Equivalency.

Before the memo, this meant that the CSP would need to meet or exceed compliance with all of the security controls required for FedRAMP Moderate. They did not need to go through the full C3PAO assessment and authorization process, nor did they need to obtain an Authority to Operate (ATO) or Provisional Authority to Operate (P-ATO) from the Joint Assessment Board (JAB).

After the memo, the same is true. So what’s the difference?

Reviewing the DoD Memo

The key difference is where responsibility lies in making sure that the CSP maintains equivalent security, and on whose shoulders the penalties fall if a breach occurs.

Prior to the memo, the responsibility was squarely on the CSP. If the CSP failed to actually meet Moderate-Equivalent security standards and a breach occurred, it would be their burden and their punishment; the certified contractor working with that CSP would suffer the loss of the breached data but would otherwise not be penalized.

This loophole allowed certified government contractors to offload the blame for their data being mishandled, and the DoD decided that wasn’t appropriate.

Now, equivalency puts the burden squarely on the shoulders of the contractor. If you’re a certified contractor and choose to work with a non-certified CSP, that CSP needs to be Moderate-Equivalent secure, and it’s your responsibility to make sure that’s true. If they fail to maintain equivalent security, the penalty falls on your head for engaging with an insecure service provider.

Changing C3PAO Assessment Requirements

One important thing to note about the DoD memo is that it slipped in a new requirement: in order for a CSP to be considered FedRAMP Moderate Equivalent, it must be assessed by a Certified Third-Party Assessment Organization, or C3PAO.

Now, in order for a CSP to be considered FedRAMP equivalent, they either need to be FedRAMP Moderate/High Authorized, or they need to work with a C3PAO to confirm compliance with all FedRAMP Moderate baselines.

This audit/assessment is new. Before, a CSP seeking equivalency could self-certify and did not necessarily need to be assessed at a granular level. Since the responsibility was their own, it was assumed that they would take that responsibility seriously. Reality proved otherwise, and this loophole, together with the shedding of responsibility by contractors, became a serious issue.


So, now, the DoD requires equivalent CSPs to go through most of the process of receiving ATO, even though they aren’t actually seeking it. They have to put together and present a System Security Plan, a Security Assessment Plan, a Security Assessment Report from a C3PAO, and a POA&M.

All of this dramatically increases the burden on both the CSP and the contractor. It also disincentivizes the use of Equivalent CSPs and instead encourages contractors to work with certified CSPs, to the detriment of CSPs who rely on not having to go through the longer, more detailed, and more stringent assessment requirements.

Many people argue that these new requirements push out smaller players and shift more reliance onto big companies like Microsoft and Amazon, which can more effectively guarantee their compliance. The requirements also make contractors more strongly consider working with authorized CSPs rather than equivalent CSPs, because authorized CSPs still assume their own responsibility.

The POA&M Confusion

One of the biggest points of confusion from the DoD memo is this particular line:

“DoD requirements for FedRAMP Moderate Equivalency do not allow for POA&M’s resulting from a 3PAO assessment of the CSP’s CSO. All POA&M actions must be corrected and validated by the 3PAO as closed. CSPs are allowed to have operational POA&Ms which are not the result of FedRAMP-recognized 3PAO assessment.”

What does this mean? It seems to imply that a CSP seeking FedRAMP Moderate Equivalency cannot have a POA&M at all in order to achieve equivalency.

While this might make sense on its own, it causes confusion when taken in context: a CSP seeking FedRAMP Moderate Authorization can have a POA&M in place and still receive the authorization, as long as they follow the timeline and close out the issues in the agreed-upon timeframe.

Essentially, this makes the formerly less stringent equivalency process more stringent than the formerly more stringent authorization process. That can’t be right, can it?

Unfortunately for CSPs working with FedRAMP Equivalency, it’s true.


If a CSP is seeking FedRAMP Moderate Authority to Operate, they need to get an assessment from a C3PAO. That C3PAO can find gaps in their implementation and can work with them to develop a POA&M, which they have 180 days to close out. During that time, they can be awarded FedRAMP Moderate Authority to Operate and can begin working with a federal agency or contractor.

If a CSP is seeking FedRAMP Moderate Equivalency, they need to get an assessment from a C3PAO. That C3PAO can find gaps in their implementation and can work with them to develop a POA&M, which they have 180 days to close out. During that time, they cannot be considered FedRAMP Moderate Equivalent and cannot work with a federal agency or contractor until the POA&M is closed out.

As if that wasn’t enough, the final line of the memo quote above adds even more confusion.

“CSPs are allowed to have operational POA&Ms which are not the result of FedRAMP-recognized 3PAO assessment.”

What does this mean?

The key is knowing the difference between a POA&M and an Operational POA&M.

What is an Operational POA&M?

POA&Ms can take two forms: assessment and operational.

An Assessment POA&M is a POA&M that is developed by a C3PAO during the assessment process. Previously, this was only for CSPs who were seeking a full FedRAMP ATO. Now, since a C3PAO assessment is required for FedRAMP Moderate Equivalency, it’s required of all CSPs looking to work with government contractors or agencies.

An assessment POA&M outlines any failures to meet the appropriate standards necessary to operate. For those seeking an ATO, the POA&M may be allowed to stand as a plan while an ATO is granted, so long as all critical security controls are implemented. Some controls can be deferred; others cannot. As mentioned above, a CSP seeking equivalency can no longer operate without everything on such a POA&M being addressed.

Operational POA&M

An operational POA&M is different.

Operational POA&Ms are POA&Ms that are developed over time due to the changing nature of security standards and business practices. Businesses and CSPs are not static, business processes are not static, and the evolution of cybersecurity (and thus of the CMMC, FedRAMP, and NIST security control definitions) is ongoing, so maintaining a static security posture is not acceptable.

One can assume that a primary impetus for the DoD issuing this memo in the first place is exactly this: CSPs would achieve equivalency and then rest on their laurels, operating with government contractor partners while letting their security posture slip with no further oversight. Since this exposed CUI held by DoD contractors to a large attack surface, it was not acceptable behavior and needed to be addressed.

Anyway. An Operational POA&M is a POA&M that is developed during the course of operation, as the gap between the current security posture and the required security posture grows due to changing standards and security controls. It is not developed by a C3PAO; it is developed by the CSP during normal operation and is addressed on a standard timeline.

Operational POA&Ms are restricted in the same way as assessment POA&Ms; that is, certain security controls cannot be deferred and must be addressed immediately, while others can be placed on the POA&M. The controls that may be deferred to an operational POA&M fall in these families:

  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Personnel Security
  • System and Information Integrity

Anything else is not acceptable to defer and should be addressed ASAP to maintain FedRAMP Moderate Equivalency.

With New Standards, is Equivalency Worthwhile?

All of this is making CSPs seriously question whether or not it’s worth seeking FedRAMP Moderate Equivalency to continue working with their government contractors and agencies.

On one hand, those government contracts can be lucrative.

On the other hand, with stricter requirements coming from the government and from pressure by those same contractors – and with the new requirement to go through the same sort of C3PAO assessment they would face when seeking an ATO – equivalency might no longer seem like a good idea.

Previously, the FedRAMP Equivalency program existed to allow CSPs to maintain roughly the same security standards but bypass all of the official hassle, paperwork, and certification while still working with government contractors. Unfortunately, this was broadly abused by CSPs that either achieved equivalency and then let it slide or simply lied about being secure in the first place, and that has proven to be a significant threat to the government’s cybersecurity efforts.


As it stands today, as a CSP, you have a few options.

The first option is to abandon your government contracts, stop worrying about FedRAMP or CMMC at all, adhere to whatever cybersecurity standards you choose, and work with private, non-governmental clients. This is fine and is a path that many CSPs will take, but it removes the possibility of those lucrative government and contractor relationships.

The second option is to continue to maintain FedRAMP Moderate Equivalency. You will now have to provide the full Body of Evidence, including the System Security Plan, the Security Assessment Plan, and the C3PAO’s Security Assessment Report. If there’s a gap between equivalency and your current posture, you can use a POA&M to bridge that gap, but you cannot work with government contractors until you address all of those issues and the C3PAO marks them as closed. Only then can the contractor consider you equivalent and work with you.

The third option is to take things one step further and pursue a full Authority to Operate. The process, now, is almost the same. You still seek to meet FedRAMP Moderate security, and you work with a C3PAO to provide the Body of Evidence. The difference is, you can use the POA&M to bridge the gap but still achieve an ATO and begin working with contractors and agencies.

So, why would any CSP pursue equivalency rather than a full ATO? Essentially, the only reason is that, in many cases, the full ATO process takes much longer to complete because it’s the government itself doing it rather than the contractors. Otherwise, getting a full ATO is now likely a better option and definitely one to consider.

If you’re a CSP and you’re looking to either maintain your Equivalency status or achieve full Authority to Operate, you need to work with a Certified Third-Party Assessment Organization to do so. Fortunately, we at Ignyte are one such organization. Whether you want to check out our platform and use it to perform internal audits and track your security posture, or you want to work with us as a C3PAO, we’re here for you; simply reach out and ask today.
