The Department of Defenseās upcoming enforcement of the Cybersecurity Maturity Model Certification is reshaping how defense contractors approach cybersecurity.
According to software provider Deltek, Federal Risk and Authorization Management Program standards can simplify one of the most demanding pieces of CMMC compliance: cloud security. Contractors that rely on third-party cloud services to store, process or transmit controlled unclassified information should prioritize FedRAMP status to support CMMC assessments, the company added.
Table of Contents
Where FedRAMP and CMMC Meet
CMMC verifies a contractorās cybersecurity posture for DOD work, while FedRAMP evaluates cloud service providers for use across the federal government. The programs are distinct but connect where contractors use external cloud platforms. Under Defense Federal Acquisition Regulation Supplement 252.204-7012, cloud services handling CUI must have FedRAMP Moderate authorization or an approved equivalency to support CMMC Level 2 or Level 3 requirements.
What FedRAMP Moderate Requires
FedRAMP Moderate authorization entails implementation of extensive security controls, continuous monitoring and an external assessment. Providers unable to secure federal agency sponsorship can pursue FedRAMP Moderate equivalency, which requires the same technical controls and third-party verification but without an agency sponsor. The FedRAMP 20x initiative aims to shorten authorization timelines, though those process improvements remain in rollout.
When FedRAMP Becomes Critical
Deltek explained that FedRAMP requirements apply once CUI leaves internal systems and enters a third-party cloud environment. Contractors pursuing CMMC Level 2 or Level 3 certification must ensure their external providers hold FedRAMP Moderate authorization or equivalency and are listed on the FedRAMP Marketplace, verifying that the providers satisfy 325 security controls and maintain continuous system monitoring.
Deltek highlighted that CMMC and FedRAMP alignment has become a competitive necessity for the defense industrial base. Its Costpoint GovCon Cloud Moderate platform was developed to help contractors meet FedRAMP Moderate equivalency standards, supporting CMMC Level 2 certification and long-term cybersecurity maturity.
Preparing for Implementation
The DOD will finalize CMMC regulations on Nov. 10, setting in motion a phased rollout. Early phases permit self-assessments for some contractors, followed by mandatory third-party certifications. Deltek advises firms to start with a gap analysis against National Institute of Standards and Technology Special Publication 800-171, review their system security plans, confirm FedRAMP authorization for cloud services and ensure accurate reporting to avoid compliance risks.
Deltek has partnered with GovCon Wire for the CMMC Enforcement Starts in November: Why Compliance is Your Ticket to Success Webinar on Oct. 21. Register now!
Related Articles
Federal News Network reported Friday that Yemi Oshinnaiye, chief information officer at the Transportation Security Administration, and Mike Derrios, senior procurement executive at the State Department, are stepping down from their roles. TSA’s Yemi Oshinnaiye Heading to Industry According to sources, Oshinnaiye is leaving his role at TSA to join tech services company Capgemini as chief technology officer. In 2012, he joined federal service as an IT specialist for the U.S. Citizenship and Immigration Service. In 2022, Oshinnaiye assumed the CIO position at TSA, where he led IT modernization efforts, including improving customer service, integrating artificial intelligence and advancing data
Breaking Defense reported Sunday that the Department of Defense is preparing to shift approximately $8 billion in unspent research and development funds for fiscal year 2025 to ensure that service members receive paychecks during the ongoing government shutdown. According to a DOD official, President Donald Trump has directed the secretary of defense to use available funds to ensure that military personnel are paid on Oct. 15. āThe Department of War has identified approximately $8 billion of unobligated research development testing and evaluation funds (RDTE) from the prior fiscal year that will be used to issue mid month paychecks to service
MITRE has proposed the establishment of predefined federal, state and local emergency regulatory waivers to expedite emergency response and recovery for U.S. critical infrastructure. The nonprofit organization published a white paper titled Expediting Emergency Response with Predefined Regulatory Waivers to identify existing rules and regulations that may hamper recovery efforts following natural or manmade disasters and provide steps the government can take to develop prepackaged waiver and streamline regulatory relief. The paper, the second in MITREās series on critical infrastructure readiness to conflict scenarios, is a result of a December tabletop exercise, which simulated a multiregion, multisector cyber attack on