The Department of Defense’s upcoming enforcement of the Cybersecurity Maturity Model Certification is reshaping how defense contractors approach cybersecurity.
According to software provider Deltek, Federal Risk and Authorization Management Program standards can simplify one of the most demanding pieces of CMMC compliance: cloud security. Contractors that rely on third-party cloud services to store, process or transmit controlled unclassified information should prioritize FedRAMP status to support CMMC assessments, the company added.
Where FedRAMP and CMMC Meet
CMMC verifies a contractor’s cybersecurity posture for DOD work, while FedRAMP evaluates cloud service providers for use across the federal government. The programs are distinct but connect where contractors use external cloud platforms. Under Defense Federal Acquisition Regulation Supplement 252.204-7012, cloud services handling CUI must have FedRAMP Moderate authorization or an approved equivalency to support CMMC Level 2 or Level 3 requirements.
What FedRAMP Moderate Requires
FedRAMP Moderate authorization entails implementation of extensive security controls, continuous monitoring and an external assessment. Providers unable to secure federal agency sponsorship can pursue FedRAMP Moderate equivalency, which requires the same technical controls and third-party verification but without an agency sponsor. The FedRAMP 20x initiative aims to shorten authorization timelines, though those process improvements remain in rollout.
When FedRAMP Becomes Critical
Deltek explained that FedRAMP requirements apply once CUI leaves internal systems and enters a third-party cloud environment. Contractors pursuing CMMC Level 2 or Level 3 certification must ensure their external providers hold FedRAMP Moderate authorization or equivalency and are listed on the FedRAMP Marketplace, verifying that the providers satisfy 325 security controls and maintain continuous system monitoring.
Deltek highlighted that CMMC and FedRAMP alignment has become a competitive necessity for the defense industrial base. Its Costpoint GovCon Cloud Moderate platform was developed to help contractors meet FedRAMP Moderate equivalency standards, supporting CMMC Level 2 certification and long-term cybersecurity maturity.
Preparing for Implementation
The DOD will finalize CMMC regulations on Nov. 10, setting in motion a phased rollout. Early phases permit self-assessments for some contractors, followed by mandatory third-party certifications. Deltek advises firms to start with a gap analysis against National Institute of Standards and Technology Special Publication 800-171, review their system security plans, confirm FedRAMP authorization for cloud services and ensure accurate reporting to avoid compliance risks.
Deltek has partnered with GovCon Wire for the CMMC Enforcement Starts in November: Why Compliance is Your Ticket to Success Webinar on Oct. 21. Register now!
