The Department of Defense has released a memorandum providing guidance on how Federal Risk and Authorization Management Program (FedRAMP) Moderate equivalency applies to cloud service offerings that are used for processing, transmitting or storing covered defense information, also known as CDI.
Cloud services must achieve total compliance with FedRAMP’s latest Moderate security control baseline through an evaluation performed by a third-party assessment organization, or 3PAO, in order to be considered FedRAMP Moderate equivalent, according to the DOD memo published on Jan. 2.
Such cloud offerings should present supporting documents to the contractor as a body of evidence.
Documents include system security plans, security assessment plans, plans of action and milestones, and security assessment reports performed by a FedRAMP-recognized 3PAO.
The memo states that the Defense Industrial Base Cybersecurity Assessment Center within the Defense Contract Management Agency will assess cloud service providers’ — or CSPs’ — bodies of evidence demonstrating FedRAMP Moderate equivalency.
The CSP should be required to undergo an annual assessment carried out by a 3PAO validating compliance with Defense Federal Acquisition Regulations Supplement clauses that require CDI protection and cyber incident reporting.
“The contractor acts as approver for the use of the CSO by their organization and confirms that the selected CSP has an incident response plan. The contractor, not the CSO’s CSP, will be held responsible for reporting in the event of CSO compromise,” the document reads.
The memo was signed by David McKeown, deputy chief information officer for cybersecurity at DOD and a previous Wash100 awardee.