Source: securityboulevard.com – Author: Max Aulakh
Throughout this blog, we often write about both FedRAMP and CMMC as cybersecurity frameworks applied to the federal government and its contractors. These frameworks share a lot of the same DNA stemming from the same resources, and they share the same goal of making the federal government more secure. One significant question you may have, though, is one of practicality. Do CMMC and FedRAMP have reciprocity?
What is Reciprocity?
Before we dig into the analysis, let’s take a moment to define reciprocity in this case.
Reciprocity is the concept of two entities agreeing to share behaviors or rules, such that when an individual complies with one, they also meet the requirements to comply with the other.
It’s seen all around the world in various ways:
- Nursing licenses are reciprocal across 43 states and jurisdictions; earning a nursing license in one state allows the nurse to work in any of the states with reciprocal agreements.
- The US Government applies reciprocal fees to foreign immigrants obtaining visas when those countries apply fees to US citizens obtaining their visas.
- US government security clearance may be reciprocal across different agencies, depending on the agencies involved.
With CMMC and FedRAMP, the question would be: if a business complies with one, does it grant reciprocal compliance with the other? In other words, if your business has obtained a FedRAMP Authority to Operate, can it count as having obtained a CMMC certification? Let’s dig in.
What is FedRAMP?
FedRAMP is the Federal Risk and Authorization Management Program. It is government-wide, applying to all cloud service providers who wish to work with federal agencies. It does not apply to state-level government departments; many states have their own version through participation in StateRAMP (which is rebranding to GovRAMP), but that is not a federally managed program.
FedRAMP is operated by the FedRAMP Program Management Office, which is an office within the General Services Administration, an independent agency of the government. The FedRAMP program deals with the relationship between government agencies and cloud service providers, specifically when those cloud service providers deal with controlled unclassified information.
The overall point of FedRAMP is to allow the government to use established and effective platforms provided by third parties rather than engineer their own solutions. Forcing the government to reinvent the wheel is a significant waste of time and money, after all, not to mention the fact that a business dedicated to making a good cloud product is likely to be more effective and more secure than whatever alternative the government comes up with.
Reciprocity Within FedRAMP?
One aspect of FedRAMP that is worth mentioning is how it works with ATOs and P-ATOs.
The traditional process for a CSP contracting with a government agency is for the agency to sponsor the CSP through the process. The CSP works on their security, undergoes an audit, and receives validation of their security posture. Once all of this has been verified, they are issued an Authority to Operate with the agency that sponsored them.
If the CSP later wants to work with a second government agency, they have to go through the process again and achieve another ATO with that agency. It’s faster and easier because the information is already established, but it still requires another iteration of the process.
A way around this is with a Provisional Authority to Operate. To get a P-ATO, the CSP works not with a single sponsoring agency but with the Joint Authorization Board (JAB) itself. The JAB essentially performs a more generic version of the validation process.
CSPs that obtain a P-ATO have a form of reciprocity between government agencies. They can work with any agency that is interested. The agencies still need to work with the CSPs for specific ATOs, but most of the work is already done and preapproved by the JAB, so the process is much faster. It’s not full reciprocity because it’s not an automatic approval, but it’s close to the same concept.
What is CMMC?
CMMC is the Cybersecurity Maturity Model Certification. It’s a certification framework developed by public and private teams working under the Office of the Under Secretary of Defense for Acquisition and Sustainment, which is part of the Department of Defense. The program is now under the control of the DoD CIO.
CMMC applies to any contractor that is part of the Department of Defense’s supply chain, collectively known as defense contractors. Anyone within the Defense Industrial Base needs to adhere to CMMC. This includes contractors working directly with the DoD, as well as any contractors working with those contractors, if those contractors handle CUI.
CMMC has officially entered its 2.0 stage, with an extended timeline throughout the coming years leading up to full implementation. The Final Rule for CMMC 2.0 includes a timeline and an additional set of requirements and changes that are worth knowing if they apply to you.
While there is some overlap between FedRAMP and CMMC, both in purpose and in those who must adhere to it, they are not identical.
Differences in Scope and Purpose
One of the major differences between CMMC and FedRAMP is in their scope and purpose.
FedRAMP is meant to be a broad, flat set of standards that apply across the whole of the federal government. It sets the minimum standard for things like security assessments, authentication, and continuous monitoring for any CSP working with the federal government in any way.
CMMC, meanwhile, is aimed at the defense industrial base. It is a narrower-in-scope but deeper-in-purpose framework meant to enhance security specifically among Department of Defense contractors.
This means a CSP working with non-defense agencies can ignore CMMC; a non-CSP working with the DoD can ignore FedRAMP, and defense CSPs may need to adhere to both.
Who Sets Standards and Requirements for FedRAMP and CMMC?
One of the primary differences between FedRAMP and CMMC is where the security requirements come from.
FedRAMP has three levels of impact, each of which has its own list of increasingly stringent security controls. The impact level of a CSP is determined through an analysis according to FIPS 199. The security controls and security objectives in use by FedRAMP come from NIST in their special publication 800-53, Security and Privacy Controls for Information Systems and Organizations.
These rules and requirements come from the General Services Administration.
CMMC also has three levels of impact based on the kind of data handled by the service provider. Level 1 applies to companies that only handle Federal Contract Information, level 2 applies to those who handle Controlled Unclassified Information, and level 3 applies to those who handle DoD mission-critical CUI.
CMMC security controls are also governed by NIST but are derived from NIST SP 800-171. NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is currently on its third revision.
CMMC’s rules and requirements are set by the Department of Defense through the CyberAB.
Who Has to Comply with FedRAMP and CMMC?
The difference in application between FedRAMP and CMMC is part of the discussion of reciprocity, because there isn’t necessarily a lot of overlap between the two, and thus there isn’t always even a need for reciprocity.
FedRAMP applies to cloud service providers who provide their services to the federal government or one of its agencies. This can be part of the defense industrial base or it can be part of any other part of the federal government.
In fact, one potential point of contention is what, exactly, constitutes a cloud service. Sometimes it’s obvious, with systems like Google Drive, WordPress.com, or Amazon Web Services, all of which have government-focused products that have ATOs. Other cloud services may be harder to distinguish, like data backup provider Datto, IoT devices, and outsourced security systems.
FedRAMP requirements have a trickle-down effect similar to CMMC's: if you are a third-party service provider and you want to work with a FedRAMP-authorized CSP on a government contract, you have to obtain the same level of ATO, unless you are demonstrably not handling CUI.
CMMC is both broader and narrower. It’s narrower in that it applies only to companies within the defense industrial base. Companies that work with non-defense government agencies are outside of the scope of CMMC. They may still need to comply with CMMC if they sign a contract that includes a DFARS clause, however.
CMMC is broader than FedRAMP, though, in that it applies to all companies handling covered defense information, not just cloud-based companies.
Reciprocity vs Equivalency
One thing worth mentioning here is the difference between equivalency and reciprocity.
With reciprocity, two agencies effectively set the same requirements so that complying with one automatically means you comply with the other. With equivalency, both agencies set similar requirements and assume that if you adhere to one, you’re probably good enough to be qualified for the other. The difference is small and subtle, but it can be important.
In the past, there was a concept of FedRAMP equivalency within the defense industrial base. Formerly, having "good enough" security meant you could claim FedRAMP equivalency, and being on par with FedRAMP Moderate would allow you to meet the requirements of the DFARS 7012 clause.
A memo issued in the last year clarified this situation by calling this equivalency out as a kind of loophole being exploited by companies that did not actually maintain equivalent security. This situation was untenable and plausibly led to data breaches, so the loophole was removed. You can read more about the equivalency memo here.
Is There Reciprocity Between FedRAMP and CMMC?
This is actually a tricky question to answer.
FedRAMP is based on the security controls laid out in NIST SP 800-53. CMMC is built on the guidelines laid out in NIST SP 800-171. NIST SP 800-171 is itself based on the framework created in NIST SP 800-53.
This means that CMMC is, in a way, FedRAMP++. However, that isn't quite true, once again, because of scope. NIST SP 800-53 encompasses 20 different security control families and covers both cybersecurity and other forms of security, as well as auditing, accountability, and more. Meanwhile, NIST SP 800-171 is a tailored and improved subset of what NIST SP 800-53 offers. Some controls in NIST SP 800-53 are not present in NIST SP 800-171, and NIST SP 800-171 builds upon the controls it does take, adding requirements not present in NIST SP 800-53.
While there’s a lot of overlap between the two, there is no formal reciprocity between FedRAMP and CMMC.
Stakeholders involved in the DoD, in the FedRAMP PMO, and otherwise involved in government cybersecurity keep mentioning reciprocity as a goal. However, any actual, tangible work on what that reciprocity would look like seems to have gone nowhere in the last few years. There are currently no frameworks for what reciprocity would look like, just like there are no such frameworks for ISO 27001 or other similar security frameworks.
Instead, the best you have is the “reuse” of security information.
Effectively, since many of the controls and much of the security information are shared between FedRAMP and CMMC, those granular pieces of information (machine-readable records, audit logs, specific implementation validation artifacts, and so on) can be used for both FedRAMP ATO validation and CMMC certification.
Achieving either FedRAMP or CMMC does not reciprocally apply to the other. But, specific implementations of specific bits of security that adhere to standards for both can be validated using the same information.
That’s why it’s important to have a centralized, collaborative platform where you can store all of this information. That’s why we developed the Ignyte Platform: to provide a non-siloed, centralized, collaborative system that is itself secure as a way for you to store and aggregate the information you need to pass audits and adhere to standards.
If you’re in a position where you need to adhere to multiple security frameworks at once – whether it’s FedRAMP, CMMC, HIPAA, FISMA, ISO 27001, or any of dozens of others – you can use the Ignyte Assurance Platform to help. If you want to get started and see what we can do for you, all you need to do is reach out to book a demo today.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/cmmc-fedramp-share-reciprocity/
Original Post URL: https://securityboulevard.com/2025/02/cmmc-vs-fedramp-do-they-share-reciprocity/