December 26, 2023

    Understanding the Draft of CMMC, a Definition for FedRAMP Equivalency, and Its Implications

    In the ever-evolving landscape of cybersecurity threats, the Department of Defense (DoD) has proposed a significant update to its Cybersecurity Maturity Model Certification (CMMC) program. The CMMC, as outlined in the recent Federal Register document, represents a pivotal shift in how defense contractors and subcontractors will manage and secure sensitive unclassified information. This blog post delves into the nuances of CMMC, emphasizing its structure, requirements, and the critical aspect of FedRAMP equivalency, and how Sharetru supports CMMC compliance.

    Evolution of CMMC through the years

    The evolution of the Cybersecurity Maturity Model Certification (CMMC) has been a significant journey, particularly marked by its developments in 2020 leading up to the latest release. Initially, CMMC was conceptualized as a means to fortify the cybersecurity defenses of the Defense Industrial Base (DIB). The year 2020 was pivotal, as it witnessed the introduction of the CMMC 1.0 framework, which marked a departure from the previous self-attestation model to a more structured and verifiable approach. This initial version laid the groundwork for a tiered certification model, aiming to standardize cybersecurity practices across defense contractors. It was designed to encompass various levels of cybersecurity maturity, ensuring that contractors handling sensitive defense information adhered to appropriate security standards. The introduction of CMMC 1.0 was a response to the escalating cyber threats and the need for a more robust and comprehensive approach to protect sensitive government data.

    As the CMMC framework evolved, feedback and insights from industry stakeholders played a crucial role in shaping its trajectory. The transition from CMMC 1.0 to the latest iteration involved a thorough review and consideration of public comments, leading to significant refinements. In this latest release, the CMMC framework, now known as CMMC 2.0, reflects a more streamlined and focused approach. It retains the core objective of safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) but with revisions for greater clarity and feasibility. Key changes include the consolidation of maturity levels and the introduction of more precise assessment requirements. This evolution signifies the DoD's commitment to adapt and refine its strategies in response to the dynamic cybersecurity landscape, aiming to strike a balance between rigorous security measures and practical implementation for defense contractors.

    The journey from CMMC 1.0 in 2020 to the current version exemplifies a proactive and responsive approach to cybersecurity, underscoring the critical importance of continuous improvement in defense sector security protocols.

    Core Features of the proposed CMMC Rule

    Tiered Model of Cybersecurity Standards

    The proposed CMMC rule re-introduces a tiered model, categorizing cybersecurity standards into different levels based on the sensitivity of the information handled by contractors. This model ensures a scalable and appropriate set of requirements for various types of information, from Federal Contract Information (FCI) to Controlled Unclassified Information (CUI).

    Assessment Requirements

    A significant change in the CMMC Rule is the shift from self-attestation to mandatory independent third-party assessments for higher levels. These assessments verify the implementation of cybersecurity standards, ensuring that contractors comply not only on paper but in practice.

    For CMMC Level 2 (for the sharing of CUI), the frequency of assessments depends on the type of assessment required for your contract. There are two types of assessments for CMMC Level 2: Self-Assessment and Certification Assessment.

    1. Self-Assessment: If your contract requires a CMMC Level 2 Self-Assessment, this needs to be performed on a triennial basis, meaning once every three years. After conducting the self-assessment, the results must be entered electronically in the Supplier Performance Risk System (SPRS).

    2. Certification Assessment: If your contract requires a CMMC Level 2 Certification Assessment, this is conducted by an independent third-party assessor. The certification obtained from this assessment is also valid for up to three years.

    Therefore, regardless of the assessment type, for CMMC Level 2, you are required to undergo an assessment process every three years to maintain compliance.

    For CMMC Level 3, the assessment frequency is set to ensure ongoing compliance and security. Under CMMC, contractors at Level 3 are required to undergo an assessment by the Department of Defense (DoD) assessors. The certification obtained from this Level 3 assessment is valid for a period of up to three years.

    This means that for maintaining compliance with CMMC Level 3, contractors need to be reassessed every three years. This triennial assessment cycle is crucial for ensuring that the advanced cybersecurity practices and controls required at Level 3 are consistently maintained and updated in response to evolving cyber threats and changes in technology.

    Implementation Through Contracts

    CMMC requirements are integrated into defense contracts, making compliance a prerequisite for contract eligibility. This approach ensures that cybersecurity standards are not an afterthought but a fundamental criterion in the defense contracting process.

    Understanding the Levels of the Proposed CMMC Rule

    Central to this framework are the CMMC levels, each representing a distinct set of requirements and practices aimed at enhancing the cybersecurity posture of defense contractors. It's important to note that these levels are the same as the CMMC 2.0 requirements, ensuring a standardized approach to protecting sensitive information. This introduction will explore the three pivotal levels of CMMC 2.0 – Level 1: Basic Cyber Hygiene, Level 2: Intermediate Cyber Hygiene, and Level 3: Advanced Cyber Hygiene.

    Each level escalates in complexity and rigor, reflecting the increasing need for comprehensive security measures in the face of evolving cyber threats. From implementing basic security controls to adhering to advanced NIST standards, these levels provide a clear roadmap for contractors to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), ensuring compliance and enhancing overall cyber resilience.

    Level 1: Basic Cyber Hygiene

    Level 1 focuses on basic cybersecurity practices to protect FCI. It requires contractors to implement 15 security controls and conduct annual self-assessments.

    Level 2: Intermediate Cyber Hygiene

    Level 2 aligns with NIST SP 800–171 Rev 2, involving 110 security requirements for protecting CUI. Contractors must undergo either self-assessment or third-party certification, depending on the contract's sensitivity.

    Level 3: Advanced Cyber Hygiene

    This level introduces additional security requirements from NIST SP 800–172. It's designed for contracts involving highly sensitive information, requiring rigorous DoD assessments.

    Delving Deeper into FedRAMP Equivalency in the proposed CMMC Rule

    One "Easter egg" of the Cybersecurity Maturity Model Certification (CMMC) rule, as proposed by the Department of Defense (DoD), is the official definition of FedRAMP Moderate Equivalency. The rule places significant emphasis on FedRAMP equivalency, especially for defense contractors utilizing cloud services. Understanding the intricacies of achieving this equivalency is crucial for contractors to ensure compliance and maintain eligibility for DoD contracts.

    Defining FedRAMP Moderate Equivalency (Finally!)

    Up until this point, organizations have had no government-provided definition for FedRAMP equivalency. Organizations were making their best guess. In the proposed rule, a critical aspect of CMMC is its emphasis on FedRAMP equivalency for cloud services. FedRAMP (Federal Risk and Authorization Management Program) sets standards for Cloud Service Providers (CSPs) handling federal data. Under CMMC, defense contractors using CSPs must ensure these providers meet or exceed FedRAMP's Moderate Baseline standards. FedRAMP equivalency, a vital component of CMMC, is defined as follows:

    "Equivalency is met if the OSA* has the Cloud Service Provider's (CSP) System Security Plan (SSP) or other security documentation that describes the system environment, system responsibilities, the current status of the Moderate baseline controls required for the system, and a Customer Responsibility Matrix (CRM) that summarizes how each control is MET and which party is responsible for maintaining that control that maps to the NIST SP 800–171 Rev 2 requirements."

    *OSA is the Organization Seeking Assessment (the defense contractor)

    Breaking Down the Three Components of FedRAMP Moderate Equivalency

    1. System Security Plan (SSP)

    • Description of the System Environment: The SSP must provide a comprehensive overview of the cloud environment, detailing how the CSP's infrastructure, software, people, and processes interact to protect data.
    • System Responsibilities: Clearly defined roles and responsibilities are essential. The SSP should delineate the security responsibilities of the CSP and the contractor, ensuring no gaps in accountability.

    2. Status of Moderate Baseline Controls

    • Current Status: The documentation must include a thorough evaluation of the CSP's current security controls against the FedRAMP Moderate baseline.
    • Control Implementation: It's not enough to just list the controls; the documentation must demonstrate how each control is implemented in the CSP's environment.

    3. Customer Responsibility Matrix (CRM)

    • Control Summary: The CRM plays a pivotal role in mapping out how each of the 110 NIST SP 800-171 controls (and, in the case of CMMC Level 3, also each of the 24 NIST SP 800-172 controls) is met. It should provide a clear, concise summary of the implementation status of each control as it relates to the cloud service being provided.
    • Responsibility Allocation: The CRM must specify which party (the CSP or the OSA) is responsible for managing and maintaining each control. This clarity is crucial for ensuring continuous compliance and facilitating audits or assessments.


    Achieving and Demonstrating Equivalency

    Collaboration with CSPs

    Contractors must work closely with their CSPs to ensure that the necessary security measures are in place and properly documented. This collaboration is key to developing an SSP and CRM that meet the DoD's requirements.

    Continuous Monitoring and Updating

    Achieving equivalency is not a one-time event. Contractors must ensure ongoing compliance by regularly reviewing and updating their SSP and CRM in response to changes in the cloud environment or emerging threats.

    Documentation and Transparency

    Maintaining detailed and up-to-date documentation is critical. Contractors should be prepared to present their SSP and CRM to the OSA or other DoD entities to demonstrate compliance.

    Alignment with NIST SP 800–171 Rev 2

    The CRM, in particular, must clearly map each control to the NIST SP 800–171 Rev 2 requirements, ensuring that all necessary security measures for protecting CUI are in place and accounted for.

    Meeting the Equivalency

    FedRAMP equivalency is met if the OSA has access to the CSP's System Security Plan (SSP) or other relevant security documentation. This documentation must detail the system environment, responsibilities, the status of the Moderate baseline controls, and a Customer Responsibility Matrix (CRM) that aligns with NIST SP 800–171 Rev 2 requirements.

    Implications for Contractors

    This requirement underscores the importance of transparency and accountability in the use of cloud services. Contractors must diligently select CSPs that not only provide robust security measures but also align with the stringent standards set by FedRAMP and CMMC.

    Achieving CMMC and FedRAMP Moderate Equivalency for File-Sharing and Transfer

    Navigating the Department of Defense's (DoD) CMMC framework can seem like a daunting task, especially when it comes to meeting FedRAMP Moderate equivalency for your cloud services. But don't worry, that's where Sharetru shines! Known for being a go-to expert in CUI file sharing, Sharetru offers solutions that are not just effective but also align seamlessly with the FedRAMP moderate equivalency requirements set by the federal government. Think of Sharetru as your friendly guide in the complex world of cybersecurity compliance, making the journey smoother and more manageable for defense contractors like you.

    Sharetru's Edge in Meeting CMMC Requirements

    Comprehensive Customer Responsibility Matrix (CRM)

    Sharetru has developed a detailed CMMC Customer Responsibility Matrix that crosswalks directly to the NIST 800-171 Revision 2 controls. This CRM is not just a document; it's a testament to Sharetru's commitment to cybersecurity excellence. It meticulously outlines how each control required by the NIST standards is met, ensuring that there is no ambiguity in responsibilities between Sharetru and its clients.

    System Security Plan (SSP) for NIST 800-53

    In addition to the CRM, Sharetru has a fully fleshed out System Security Plan (SSP) tailored to NIST 800-53 standards. This SSP is a comprehensive document that describes the system environment in detail, delineates system responsibilities, and provides a current status assessment of the security controls in place. It's a blueprint for security, crafted to meet the stringent requirements of the DoD and Federal agencies.

    What steps has Sharetru taken to prepare to solve this challenge for contractors?

    Ready-to-Use Compliance Framework

    With Sharetru's CRM and SSP, defense contractors are equipped with ready-to-use tools that align with CMMC requirements. This significantly reduces the time and effort needed to achieve compliance, allowing contractors to focus on their core business operations.

    Demonstrated FedRAMP Moderate Equivalency

    Sharetru's comprehensive documentation means that it already meets the requirements for FedRAMP moderate equivalency. This is not just compliance – it's a benchmark of security excellence that Sharetru brings to its clients.

    Streamlined Audit and Assessment Processes

    The clarity and thoroughness of Sharetru's CRM and SSP streamline the audit and assessment processes. Contractors can confidently demonstrate their compliance to the DoD, knowing that their cloud services are backed by Sharetru's robust security framework.

    Enhanced Trust and Reliability

    Choosing Sharetru is more than a compliance decision; it's a strategic move towards enhancing trust and reliability in the defense supply chain. Sharetru's solutions ensure that sensitive unclassified information is protected in line with the highest federal standards.

    Future-Proofing Against Evolving Threats

    In an era where cyber threats are constantly evolving, partnering with Sharetru means staying ahead of the curve. Sharetru's commitment to updating its CRM and SSP in response to new threats and standards ensures long-term resilience and security.

    Conclusion

    Meeting FedRAMP equivalency within the CMMC framework requires a comprehensive approach that encompasses detailed planning, collaboration with CSPs, and meticulous documentation. By understanding and adhering to the components of equivalency – SSP, Moderate baseline controls, and CRM – defense contractors can ensure they meet the DoD's stringent requirements for cloud security. This not only aids in compliance with CMMC but also contributes to a more secure and resilient defense supply chain.

    Want to learn more about Sharetru and our approach to security, compliance, and reliable file sharing?


    Arvind Mistry

    Arvind is Director of Compliance and Programs at Sharetru. He came to Sharetru with 11+ years of experience in offering cloud solutions to the Federal Government and public sector channels at companies such as Rackspace, IBM, UNICOM, A10 and Radware Alteon. He is based in the Washington, D.C. area.
