How to Vet SaaS Apps Using FedRAMP Equivalency

As much as some people dislike it, the world is interconnected, and to operate a business successfully, you will have to use the products or services produced by other businesses.

Under normal circumstances, this is fine. However, when you’re a contractor looking to work with a department of the federal government, you have to adhere to higher standards. To work with the government, you need to comply with one of the federal security frameworks, and for cloud services the one that applies most often is FedRAMP, the Federal Risk and Authorization Management Program.

In fact, that’s the entire purpose of FedRAMP: to give agencies a standardized way to assess, authorize, and continuously monitor commercial cloud services, so they can use a FedRAMP-authorized suite like Google Workspace (formerly G Suite) or Microsoft 365 instead of engineering their own office suite.

What happens, then, if a contractor holding a government contract wishes to bring in additional subcontractors of its own? Before those subcontractors can touch the contract’s systems or data, they need to be vetted and approved.

One of the main tools for doing this is FedRAMP equivalency. However, FedRAMP equivalency is also commonly misused, to the extent that the DoD CIO had to issue a memo in December 2023 clarifying what “FedRAMP Moderate equivalent” actually requires and who is accountable for it.

Equivalency remains a powerful tool to allow you to vet a potential subcontractor. The question is, how do you use it, and what responsibilities do you have to take on when you do?

BLUF - Bottom Line Up Front

The world is interconnected, requiring businesses to use products or services from others. When contracting with the government, businesses need to follow security standards like FedRAMP. FedRAMP ensures third-party cloud apps meet federal security requirements. Smaller businesses can use FedRAMP equivalency if full authorization is out of reach, but equivalency is not a lower bar: they must still meet the full FedRAMP Moderate baseline and have that validated by a third-party assessor. It is the contractor’s responsibility, not the subcontractor’s word, that establishes equivalency, so you must validate a company’s claim to avoid misuse or misrepresentation.

What is FedRAMP Equivalency and Why Does It Exist?

First, let’s talk a little about FedRAMP equivalency, and why it’s allowed at all as part of the federal contractor ecosystem.

When the federal government wishes to offload some of its work to a third-party contractor rather than engineer their own versions of an already available app, it makes sense to do so. However, in order to make sure that third-party app is secure, the company providing it needs to adhere to security standards.

Those standards are outlined in the FedRAMP baselines and are drawn from the National Institute of Standards and Technology’s Special Publication 800-53. Because FedRAMP builds on NIST’s catalog, updates to either (a new 800-53 revision, or a new FedRAMP baseline) flow through into one consistent set of security requirements for the companies adhering to them.


Using a framework like this allows the government to require a certain level of security adherence across the board for all contractors that need it. It doesn’t apply to all contractors, though. For DoD contractors, the trigger is Controlled Unclassified Information: DFARS 252.204-7012 requires that any cloud service used to store, process, or transmit CUI meet security requirements equivalent to the FedRAMP Moderate baseline. Contractors that don’t touch CUI don’t need that level of assurance; classified information is outside FedRAMP’s scope entirely and is governed by far stricter regimes.

FedRAMP itself has Low, Moderate, and High baselines. In the contractor world, Moderate is the one that matters most, because it is the floor that DFARS 7012 sets for cloud services handling CUI.

Because of how intense and serious FedRAMP is, the process for implementing it, passing the assessment, and running continuous monitoring is very intensive. A ton goes into it.

Where Equivalency Comes In

If you’re a contractor handling CUI, and you have a contract with the government, there’s still a pretty good chance you’re going to want to use some other third-party platforms for parts of your operations.

If any of those third-party apps or platforms touch the systems that handle CUI or handle CUI themselves, they need to be secure. But, as is so often the case, these sub-sub-subcontractors are smaller businesses and don’t necessarily have the money, resources, or time to pursue a full implementation of FedRAMP.


What can they do? Essentially, they have three options.

  • Knuckle down and pursue full FedRAMP authorization anyway, despite the cost.
  • Abandon the idea of working with a government contractor.
  • Implement security at parity with the FedRAMP Moderate baseline and use FedRAMP equivalency to validate it.

Equivalency is an alternative way to work with government contractors and subcontractors (and down the chain) without having to go through the full authorization process with FedRAMP. The idea is that a company can be secure in all the right ways but just doesn’t have the agency sponsor, money, or time to obtain a FedRAMP authorization. By implementing the FedRAMP Moderate baseline in full and having that validated by a FedRAMP-recognized Third Party Assessment Organization (3PAO), with the same body of evidence an authorization would produce (system security plan, security assessment plan, security assessment report, and plan of action and milestones), they can be treated as equivalent for the purpose of working with government subcontractors.

Equivalency does not allow these companies to work directly with the government. To do so, they would need to actually apply for authorization and achieve it. Instead, equivalency is a way for contractors to work with subcontractors without forcing those subcontractors to go through the full FedRAMP authorization process (or being limited to just the relatively small number of service providers on the FedRAMP marketplace).

Where FedRAMP Equivalency Goes Wrong

Before we get into how you can use FedRAMP equivalency to vet potential SaaS apps to use as contractors for your business, we need to discuss the memo and the elephant in the room.

In the past, many companies took equivalency very lightly. It was a way to get into government subcontracts without having to go through the whole series of hoops to earn FedRAMP authorization.

Moreover, many authorized contractors used it as a waiver of responsibility. “Our contractors said they were equivalent; it’s not our fault they lied.” They used it to pass the buck if something went wrong.

The memo clarifies that the purpose of equivalency is not to have a lower set of standards for subcontractors; it’s to provide an on-ramp for subcontractors to reach eventual full FedRAMP-authorized status.


The main thrust of the memo is a clarification of where the responsibility falls in the event of a problem. Specifically, it makes clear that if you choose to work with a FedRAMP equivalent company and that company has an issue, it is your responsibility. You have to be the one to make sure the companies you work with are actually equivalent, and you have to be able to show the evidence.

Ideally, the goal of equivalency is to give these companies an on-ramp into government work, which they can use to build their position and eventually pursue full FedRAMP authorization. It’s not meant to be a permanent status, though there’s nothing wrong with using it as such as long as their security stays at parity with FedRAMP standards.

How to Use FedRAMP Equivalency to Vet SaaS Apps

So, let’s say you’re a FedRAMP-authorized business working on a government contract, and you want to pick up a new SaaS platform to help make your business run smoother. The problem is that the role this app would play is one where it would touch your CUI-handling systems, so they need to be secure.


You have three options.

Option 1: Browse the FedRAMP marketplace for an authorized service provider that can fit the purpose you need and work out a contract with them. This is, of course, the easiest way to ensure that your subcontractor is already secure and authorized. Moreover, since they have their own FedRAMP authorization, maintaining it and its continuous monitoring is their responsibility, not yours. You still own the customer-responsibility side of the service (how you configure it and who you give access to) and your own incident-reporting obligations under DFARS 7012, but the provider’s baseline is not yours to validate.

Option 2: Seek out a firm with FedRAMP equivalency and work with them.

Option 3: Pick a firm and work with them to achieve FedRAMP equivalency.

Both the second and third options here have similar processes, but the third has a little more work and a longer timeline. We’ll talk about option two in more detail, but just figure that option three is the same process, but with more establishing of baseline security.

Understand What Equivalency Means

In a practical sense, what does equivalency mean?

Consider, for example, CMMC. CMMC and FedRAMP are different sets of security standards, but they have similar purposes and share a common root: CMMC Level 2 is built on the 110 requirements of NIST SP 800-171, which were themselves tailored from the 800-53 Moderate baseline that FedRAMP Moderate uses. They don’t share reciprocity, and FedRAMP Moderate has several times as many controls, but a company that has achieved CMMC Level 2 has covered real ground toward being considered FedRAMP equivalent.

Similarly, there are other security standards out there that cover overlapping sets of controls. A SOC 2 Type II report, HIPAA Security Rule compliance, and ISO 27001 certification all show that a business has some competency in information security. (SOC 1, by contrast, covers controls over financial reporting and says little about security.)


Equivalency does NOT mean that you find a company saying they’re equivalent and take them at their word.

Equivalency means that you find a company whose security program is roughly on par with the FedRAMP level you need (generally Moderate), even though it was built to a different standard, and then validate that it actually meets the FedRAMP Moderate baseline control for control.

You’re looking for companies that could meet the requirements to be FedRAMP authorized but don’t, usually for practical reasons: no federal agency willing to sponsor them, a limited budget, no particular desire to sell directly to agencies, or controls implemented in ways that differ from how FedRAMP specifies them.

After all, there are plenty of ways to reach a secure posture that satisfies one security framework without meeting the specific requirements laid out in FedRAMP’s list of security controls. CMMC is a prime example, though a company that has achieved CMMC Level 2 is probably capable of closing the remaining gap to FedRAMP Moderate.

One of the most common starting points for FedRAMP equivalency is ISO 27001. ISO 27001 is a globally recognized standard for an information security management system, and its Annex A controls overlap heavily with the 800-53 control families FedRAMP draws on. The key difference is that ISO 27001 certifies the management system and lets the organization scope its controls by its own risk assessment, whereas FedRAMP requires a fixed baseline to be implemented in full.

So, since ISO 27001 does not share reciprocity with FedRAMP, a company certified under ISO 27001 cannot act as though it has FedRAMP authorization. But a gap assessment against the Moderate baseline will usually show it well along the road to equivalency.

Being Prepared to Work with a FedRAMP Equivalent Business

One of the biggest challenges of working with a FedRAMP equivalent business is that equivalency isn’t actually less work when you get right down to it.

In order to work with a FedRAMP equivalent business, you effectively act as its sponsor, the same way a government agency sponsors you for your FedRAMP authorization. Your responsibility still includes requiring the same set of controls, reviewing the same body of evidence (SSP, SAP, SAR, and POA&M), and facilitating the same kind of assessment by a FedRAMP-recognized 3PAO that would be required for an authorization. Note that this is a 3PAO, not a CMMC C3PAO; the memo is specific that equivalency rests on a FedRAMP-recognized assessor.

You are, essentially, giving reason to the SaaS platform to get their ducks in a row.


One of the biggest problems that crop up with FedRAMP is a sort of waiting game. Different stakeholders have different ideas about when to pull the trigger on pursuing a FedRAMP ATO: the provider waits for a contract, the contract waits for a government sponsor, the sponsor waits to see demonstrated interest, and the provider won’t court that interest until it has a contract in hand. Everyone sits and waits, and no one takes the first step.

FedRAMP equivalency is a way for you to initiate that first step in the process. You work with the SaaS firm through the 3PAO assessment, keep the resulting body of evidence on hand so it can be provided to DoD (DCMA’s DIBCAC) on request, and get to work. Nobody issues an “equivalency authorization”; the evidence is what stands in for one.

Validating FedRAMP Equivalency

If your goal is to work with a SaaS app with FedRAMP equivalency, and you’re aware of and accept the responsibility that will fall on your shoulders for doing so, then all you need to do is validate their equivalency.

This is a surprisingly important step, because while many companies have made claims to the effect of being FedRAMP equivalent, many of them were not. Some simply assumed that something like ISO 27001 was good enough as-is. Others lied. A few were equivalent but let their standards slip as the ecosystem evolved over time.

The good news is that the heavy lifting isn’t yours. You act as a sponsor; you offer the contract, but that contract must be contingent on the company passing a 3PAO assessment against the full FedRAMP Moderate baseline, with complete documentation of security controls, a customer responsibility matrix showing which controls are yours to implement, and flow-down of the obligations under DFARS 7012 (including cyber incident reporting).


You’re the impetus for that SaaS app to get its controls assessed and its foot in the door. You don’t have to implement their controls for them; beyond the contingent contract, your part is to review the 3PAO evidence they produce, keep it, and re-check it as their annual assessments and POA&M updates come in. You open the door; it’s up to them to take the initiative to step through it.

Is all of this the right option for you?

It all depends on how much leeway you have and what kind of timeline you’re working on. If the company you want to bring in via equivalency can get everything together in short order, you’re in a great position. On the other hand, if they take months and delay your own operations, it becomes more of a liability.

Sometimes, though, if there’s nothing to suit your needs on the FedRAMP marketplace and you don’t want to spend the resources to develop your own version, equivalency is the way to go.
