If you're a DoD supplier, you've probably heard of CMMC and FedRAMP.
In this article, we explain what CMMC and FedRAMP are, how they differ, and how they complement each other when CUI is stored in the Cloud.
CMMC (Cybersecurity Maturity Model Certification)
CMMC is the DoD's cybersecurity certification framework for contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). There are 3 CMMC levels; the level you must reach depends on the type of data you have access to as part of your business relationship with DoD (FCI or CUI) and on the sensitivity of the program.
FedRAMP (Federal Risk and Authorization Management Program)
FedRAMP is a U.S. government program that standardizes the security assessment, authorization and continuous monitoring of Cloud services used by federal agencies, so that federal data (including CUI) stored in the Cloud is properly protected against unauthorized access.
The U.S. government has defined a set of cybersecurity requirements, derived from the NIST SP 800-53 control catalog, that a Cloud provider must meet if it is to collect, store or process CUI.
There are three (3) FedRAMP impact levels: Low, Moderate and High. The applicable level depends on the sensitivity of the data the Cloud service handles.
To find out more about the cybersecurity requirements for each FedRAMP level, download the control baseline spreadsheet (Excel) available on the FedRAMP website.
Note that a Cloud provider that wants to store CUI must be assessed by an independent Third Party Assessment Organization (3PAO), which verifies that the provider complies with all FedRAMP controls for the targeted impact level. If it does, the provider receives a FedRAMP authorization. (Do not confuse the FedRAMP 3PAO with the CMMC C3PAO, which assesses DoD contractors, not Cloud providers.)
The U.S. government maintains a public list, the FedRAMP Marketplace, of all Cloud service providers that hold a FedRAMP authorization, together with the authorized impact level of each offering. Check it before selecting a provider.
CMMC vs FedRAMP
CMMC: applies to DoD contractors and subcontractors that handle FCI or CUI; certifies the contractor's own environment; assessed by a C3PAO.
FedRAMP: applies to Cloud service providers that handle federal data, including CUI; authorizes the Cloud service at a given impact level (Low, Moderate or High); assessed by a 3PAO.
Considerations for DoD contractors who store CUI in the Cloud
If you are a DoD contractor or subcontractor looking to store CUI in the Cloud, you need to consider the following:
Consequences of storing CUI in a Cloud that is not FedRAMP authorized
If you store CUI in a Cloud that is not FedRAMP authorized, you risk failing your CMMC assessment, even if you have internally implemented all the controls and practices required by CMMC. The Cloud service that stores or processes your CUI is in scope for the assessment, and DFARS clause 252.204-7012 requires that such a service meet the FedRAMP Moderate baseline (or equivalent).
For CMMC Level 2, when choosing your Cloud provider, make sure the specific service you will use is FedRAMP authorized at the Moderate or High level, and that your contract with the provider covers the CUI-handling obligations you are responsible for.
Can Canadian DoD contractors use a FedRAMP Cloud located in the USA?
Yes. What matters for CMMC is that CUI is stored in a FedRAMP-authorized Cloud at the required impact level; the physical location of the Cloud in the USA is not an obstacle.
How can StreamScan help you in your CMMC compliance process?
StreamScan is a CMMC Registered Provider Organization (RPO), officially authorized to assist organizations throughout their CMMC compliance process.
Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.